
Improving Machine Learning Robustness via Adversarial Training

Published 22 Sep 2023 in cs.LG, cs.CR, and cs.CV | arXiv:2309.12593v1

Abstract: As Machine Learning (ML) is increasingly used to solve tasks in real-world applications, it is crucial that ML algorithms are designed to be robust to worst-case noise, adversarial attacks, and highly unusual inputs. Studying ML robustness will significantly help in the design of ML algorithms. In this paper, we investigate ML robustness using adversarial training in centralized and decentralized environments, where ML training and testing are conducted on one or on multiple computers, respectively. In the centralized environment, we achieve test accuracies of 65.41% and 83.0% when classifying adversarial examples generated by the Fast Gradient Sign Method (FGSM) and by DeepFool, respectively. Compared to existing studies, these results represent improvements of 18.41% for FGSM and 47% for DeepFool. In the decentralized environment, we study the robustness of Federated Learning (FL) by using adversarial training with independent and identically distributed (IID) and with non-IID data, respectively, using CIFAR-10. With IID data, our experimental results show that the robust accuracy is comparable to the one obtained in the centralized environment. With non-IID data, however, the natural accuracy drops from 66.23% to 57.82%, and the robust accuracy decreases by 25% and 23.4% under Carlini & Wagner (C&W) and Projected Gradient Descent (PGD) attacks, respectively, compared to the IID case. We further propose an IID data-sharing approach, which increases the natural accuracy to 85.04% and the robust accuracy from 57% to 72% under C&W attacks and from 59% to 67% under PGD attacks.
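The abstract reports natural accuracy (clean test inputs) and robust accuracy (inputs perturbed by an attack such as FGSM) for standard and adversarially trained models. The following is an added, self-contained example, not code from the paper, that reproduces that measurement on a deliberately small scale in pure Python: a linear logistic classifier, white-box FGSM with the closed-form gradient sign, and adversarial training in the Goodfellow et al. style, where each optimisation step minimises the loss on the FGSM example generated against the current weights. The data set is constructed here (it is not CIFAR-10 and the model is not the paper's CNN): one noisy but robust feature plus several weakly correlated features that an L-inf perturbation of size eps >= 2*eta pushes to the wrong side, in the spirit of the robust-vs-non-robust-feature model of Tsipras et al. (2019). All hyper-parameters (eta, eps, p_robust, learning rate, epoch count) are assumptions of this example.

```python
# Added example (not from the paper): FGSM adversarial training on a toy
# linear classifier, showing the natural-vs-robust accuracy gap of standard
# training and the recovery obtained by training on FGSM examples.
import math
import random


def make_dataset(n, d_weak, eta, p_robust, rng):
    """Constructed data set (an assumption of this example, not CIFAR-10).

    Label y is +1 or -1. Feature 0 equals y with probability p_robust: noisy,
    but an L-inf perturbation of size eps < 1 cannot flip its sign. Features
    1..d_weak are drawn from N(y*eta, 1): individually weak, jointly decisive on
    clean data, and pushed to the wrong side by any eps >= 2*eta.
    """
    data = []
    for _ in range(n):
        y = rng.choice((-1, 1))
        x = [float(y if rng.random() < p_robust else -y)]
        x += [y * eta + rng.gauss(0.0, 1.0) for _ in range(d_weak)]
        data.append((x, y))
    return data


def dot(w, x):
    return sum(wi * xi for wi, xi in zip(w, x))


def sigmoid(z):
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    ez = math.exp(z)
    return ez / (1.0 + ez)


def logistic_loss(w, x, y):
    """-log sigma(y * w.x), computed as softplus(-y * w.x) for stability."""
    z = -y * dot(w, x)
    return max(z, 0.0) + math.log1p(math.exp(-abs(z)))


def fgsm(w, x, y, eps):
    """Fast Gradient Sign Method: x_adv = x + eps * sign(d loss / d x).

    For the logistic loss, d loss / d x = -(1 - sigma(y*w.x)) * y * w. The scalar
    factor is positive, so the sign is sign(-y * w_i) in every coordinate and no
    numerical gradient is needed. Coordinates with w_i == 0 are left alone.
    """
    out = []
    for xi, wi in zip(x, w):
        g = -y * wi
        out.append(xi + eps * ((g > 0) - (g < 0)))
    return out


def train(data, eps, epochs, lr):
    """Full-batch gradient descent on the logistic loss.

    eps == 0: standard training. eps > 0: adversarial training, where each step
    uses the FGSM example generated against the current weights (white-box).
    """
    d = len(data[0][0])
    w = [0.0] * d
    for _ in range(epochs):
        grad = [0.0] * d
        for x, y in data:
            if eps > 0:
                x = fgsm(w, x, y, eps)
            g = -(1.0 - sigmoid(y * dot(w, x))) * y  # d loss / d(w.x)
            for i, xi in enumerate(x):
                grad[i] += g * xi
        w = [wi - lr * gi / len(data) for wi, gi in zip(w, grad)]
    return w


def accuracy(w, data, eps=0.0):
    """Natural accuracy (eps == 0) or robust accuracy under white-box FGSM."""
    correct = 0
    for x, y in data:
        if eps > 0:
            x = fgsm(w, x, y, eps)
        correct += (dot(w, x) > 0) == (y > 0)
    return correct / len(data)


def run_experiment(seed=0, d_weak=10, eta=0.25, eps=0.5, p_robust=0.9):
    """Train a standard and an adversarially trained model on the same data
    and report natural and robust accuracy for both (all settings assumed)."""
    rng = random.Random(seed)
    train_set = make_dataset(500, d_weak, eta, p_robust, rng)
    test_set = make_dataset(1000, d_weak, eta, p_robust, rng)
    w_std = train(train_set, eps=0.0, epochs=150, lr=0.2)
    w_adv = train(train_set, eps=eps, epochs=150, lr=0.2)
    return {
        "std_natural": accuracy(w_std, test_set),
        "std_robust": accuracy(w_std, test_set, eps),
        "adv_natural": accuracy(w_adv, test_set),
        "adv_robust": accuracy(w_adv, test_set, eps),
    }


if __name__ == "__main__":
    for name, acc in run_experiment().items():
        print(f"{name}: {acc:.3f}")
```

Two points carry over to real models. First, robust accuracy is only meaningful when the attack is run against the weights of the model being evaluated, as accuracy() does here; for a network the closed-form sign in fgsm() is replaced by the sign of an autograd input gradient, but the evaluation protocol is the same. Second, a high FGSM robust accuracy is a weak guarantee on its own, since a single gradient-sign step is easily defeated by gradient masking; iterative attacks such as PGD and C&W, which the abstract also reports, are the numbers to trust.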
