
Cross-Input Certified Training for Universal Perturbations

Changming Xu, Gagandeep Singh

TL;DR

This work proposes a novel method, CITRUS, for certified training of networks robust against UAP attackers, and shows in an extensive evaluation that this method outperforms traditional certified training methods on standard accuracy and achieves SOTA performance on the more practical certified UAP accuracy metric.

Abstract

Existing work in trustworthy machine learning primarily focuses on single-input adversarial perturbations. In many real-world attack scenarios, input-agnostic adversarial attacks, e.g. universal adversarial perturbations (UAPs), are much more feasible. Current certified training methods train models robust to single-input perturbations but achieve suboptimal clean and UAP accuracy, thereby limiting their applicability in practical applications. We propose a novel method, CITRUS, for certified training of networks robust against UAP attackers. We show in an extensive evaluation across different datasets, architectures, and perturbation magnitudes that our method outperforms traditional certified training methods on standard accuracy (up to 10.3%) and achieves SOTA performance on the more practical certified UAP accuracy metric.

Paper Structure (10 sections, 1 theorem, 8 equations)

Key Result

Theorem 1

Given $\mathcal{X}\subseteq \mathbb{R}^{d_{\text{in}}}\times\mathbb{N}$, network $f:\mathbb{R}^{d_{\text{in}}}\to\mathbb{R}^{d_{\text{out}}}$, $\mathbf{u}^\ast$ as defined in eq:uast, and norm-bound $\epsilon \in \mathbb{R}$. Let $\kappa^\ast = \hat{\Psi}_{\mathcal{X}, f}(\mathbf{u}^\ast)$ and $\mat

Theorems & Definitions (4)

  • 3 definitions
  • Theorem 1