On Reducing Adversarial Vulnerability with Data Dependent Stochastic Resonance David Schwartz(1) and Gregory Ditzler(2) (1)Department of Electrical & Computer Engineering, University of Arizona, [email protected] (2)Department of Electrical & Computer Engineering, Rowan University, [email protected] 

Overview of the Talk Introduction & Problem Set Up Proposed Approach: DDSR: A New Stochastic Layer Experimental Results Conclusions 

Adversarial Machine Learning Adversary Attack Detector Defense Detector Defender Knowledg e [Data] Strength [Algorithm] Attack System Target System Dataset [Data] Classifier [Algorithm] Attack Defense Mutation Mutation T. Brown and C. Olsson, “Introducing the Unrestricted Adversarial Examples Challenge,” https://ai.googleblog.com/2018/09/introducing-unrestricted-adversarial.html 2018. 

Related Work ● Adversarial Training: Several works have proposed variations of using adversarial examples to train. Unfortunately, these methods have limited efficacy against unknown attacks and increase training time. ● Regularization: Recent work has shown there is a relationship between the Fisher information matrix and the change in the posterior. ● Latent Disparity Regularization: We proposed LDR to add a term to the cost function that minimizes the disparity between the latent representations of a sample and its adversarial representation. 

Latent Disparity Regularization (Prior Work) ● We introduced LDR as an approach to improve adversarial training. ● LDR penalizes the training objective proportionally to the discrepancy between hidden activations induced by benign and adversarial examples ● Investigations reported in our prior work showed that LDR improves adversarial robustness for the price of a small, but statistically significant, sacrifice in benign accuracy ● Similar to adversarial training, there is an increased complexity with the approach since adversarial samples need to be generated. D. Schwartz and G. Ditzler, “Bolstering Adversarial Robustness with Latent Disparity Regularization,” IEEE/INNS International Joint Conference on Neural Networks, 2021. 

Latent Disparity Regularization (Prior Work) D. Schwartz and G. Ditzler, “Bolstering Adversarial Robustness with Latent Disparity Regularization,” IEEE/INNS International Joint Conference on Neural Networks, 2021. 

Problem Set Up ● Knowledge: We assume that the adversary has complete knowledge of the defender in this work. This is known as a white-box attack. ○ The adversary has access to the defender’s data and model (i.e., network type, weights, biases, etc.) ○ The white-box attack is the most difficult to defend against because the adversary has the most knowledge ● The adversary generates adversarial attack as test time, which is referred to as an evasion attack. ● Motivation: Small modifications to network architecture have shown performance improvement (e.g., ResNet). What straightforward modification to a network can we make that adds some randomness that achieves adversarial robustness? 

DDSR: Visualizing the Stochastic Layer ● We present a Data Dependent Stochastic Resonance (DDSR) layer to achieve performance gains ● Similar to a ResNet’s skip connections, we add a representation, x, to noisy nonlinearly-transformed representation of the previous layer’s activity. ● Formally, 

DDSR: Benefits ● Input images perturbed with additive stochastic noise have not been able to provide performance gains alone to defend against adversarial noise. ○ The additive noise is typically placed at the input; however, other works have looked at noise at different areas of a network (e.g., output nodes, or dropout@evaluation) ○ Adding too much noise to an input can actually degrade the benign performance ● Like ResNet, DDSR is a modification to the convolutional layers of the network. The advantage is that this type of layer was shown to empirically enhance adversarial robustness. ● The DDSR layer can easily be combined with adversarial training to improve the robustness. 

Experimental Setup ● We conducted the experiments using a VGG16 backbone. ● Datasets: We use the Fashion-MNIST and CIFAR10 datasets. The adversary uses the network of the defender to generate the adversarial samples using FGSM. The adversary generates samples using different budgets, 𝟄. ● Assessment: We report the accuracy and % gain in performance. Performance is reported after 10 fold cross-validation. 

Results: Adversarial Accuracy (+small epsilon) 

Results: Adversarial Accuracy Gain 

Result: Performance Under AWGN “Attacks” 

Result: Performance Under AWGN “Attacks” 

Result: Error amplification 

Conclusions ● This work presents DDSR, which incorporates stochastic layers in a network, resulting in performance gains under adversarial and Gaussian perturbations ● The results show that DDSR is an effective defense against FGSM attacks compared to other adversarial defensive measures at training time. ○ DDSR displayed the largest adversarial accuracy over all budgets tested with only an insignificant deterioration in benign accuracy compared to AGN, FIM, LDR, and HGD. ○ On AGN-perturbed data, DDSR is competitive with LDR for small budgets and slightly less robust as compared to LDR for large budgets. ● Another observation we made in this work is that the perturbation error propagates through successive layers except with DDSR. ○ In fact, the consistency of DDSR’s effect on error amplification may suggest a detection mechanism for adversarial examples 

Thanks for your time! This work was supported by grants from the Department of Energy #DE-NA0003946 and National Science Foundation's CAREER #1943552. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the sponsors.