Discretization Based Solutions for Secure Machine Learning Against Adversarial Attacks

Bibliographic Details
Published in: IEEE Access, 2019, Vol. 7, pp. 70157-70168
Main Authors: Panda, Priyadarshini; Chakraborty, Indranil; Roy, Kaushik
Format: Article
Language: English
Abstract: Adversarial examples are perturbed inputs that are designed (from a deep learning network's (DLN) parameter gradients) to mislead the DLN during test time. Intuitively, constraining the dimensionality of inputs or parameters of a network reduces the "space" in which adversarial examples exist. Guided by this intuition, we demonstrate that discretization greatly improves the robustness of the DLNs against adversarial attacks. Specifically, discretizing the input space (or allowed pixel levels from 256 values or 8 bit to 4 values or 2 bit) extensively improves the adversarial robustness of the DLNs for a substantial range of perturbations for minimal loss in test accuracy. Furthermore, we find that binary neural networks (BNNs) and related variants are intrinsically more robust than their full precision counterparts in adversarial scenarios. Combining input discretization with the BNNs furthers the robustness, even waiving the need for adversarial training for the certain magnitude of perturbation values. We evaluate the effect of discretization on MNIST, CIFAR10, CIFAR100, and ImageNet datasets. Across all datasets, we observe maximal adversarial resistance with 2 bit input discretization that incurs an adversarial accuracy loss of just ~1% - 2% as compared to clean test accuracy against single-step attacks. We also show standalone discretization remains vulnerable to stronger multi-step attack scenarios necessitating the use of adversarial training with discretization as an improved defense strategy.
DOI: 10.1109/ACCESS.2019.2919463
ISSN: 2169-3536
Subjects: Accuracy; Adversarial robustness; binarized neural networks; Data models; Datasets; deep learning; Discretization; discretization techniques; Machine learning; Manifolds; Neural networks; Parameters; Perturbation; Perturbation methods; Predictive models; Robustness; Training