Robust Deep Learning Models against Semantic-Preserving Adversarial Attack

Zhao, Y; Gao, D; Yao, Y; Zhang, Z; Mao, B; Yao, X

Robust Deep Learning Models against Semantic-Preserving Adversarial Attack

Zhao, Y Gao, D Yao, Y Zhang, Z Mao, B Yao, X

Permalink

Publisher:: IEEE
Publication Type:: Conference Proceeding
Citation:: 2023 International Joint Conference on Neural Networks (IJCNN), 2023, 00, pp. 1-8
Issue Date:: 2023-01-01

Closed Access

	Filename	Description	Size
	2304.03955v1.pdf	Submitted version	7.28 MB	Adobe PDF	View/Open

Copyright Clearance Process

Recently Added
In Progress
Closed Access

This item is closed access and not available.

Full metadata record

Field	Value	Language
dc.contributor.author	Zhao, Y
dc.contributor.author	Gao, D
dc.contributor.author	Yao, Y
dc.contributor.author	Zhang, Z
dc.contributor.author	Mao, B
dc.contributor.author	Yao, X
dc.date	2023-06-18
dc.date.accessioned	2024-06-20T02:34:17Z
dc.date.available	2024-06-20T02:34:17Z
dc.date.issued	2023-01-01
dc.identifier.citation	2023 International Joint Conference on Neural Networks (IJCNN), 2023, 00, pp. 1-8
dc.identifier.isbn	978-1-6654-8867-9
dc.identifier.issn	2161-4393
dc.identifier.uri	http://hdl.handle.net/10453/179589
dc.description.abstract	Deep learning models can be fooled by small l(p)-norm adversarial perturbations and natural perturbations in terms of attributes. Although the robustness against each perturbation has been explored, it remains a challenge to address the robustness against joint perturbations effectively. In this paper, we study the robustness of deep learning models against joint perturbations by proposing a novel attack mechanism named Semantic-Preserving Adversarial (SPA) attack, which can then be used to enhance adversarial training. Specifically, we introduce an attribute manipulator to generate natural and human-comprehensible perturbations and a noise generator to generate diverse adversarial noises. Based on such combined noises, we optimize both the attribute value and the diversity variable to generate jointlyperturbed samples. For robust training, we adversarially train the deep learning model against the generated joint perturbations. Empirical results on four benchmarks show that the SPA attack causes a larger performance decline with small l1 norm-ball constraints compared to existing approaches. Furthermore, our SPA-enhanced training outperforms existing defense methods against such joint perturbations.
dc.language	en
dc.publisher	IEEE
dc.relation.ispartof	2023 International Joint Conference on Neural Networks (IJCNN)
dc.relation.ispartof	International Joint Conference on Neural Networks
dc.relation.isbasedon	10.1109/IJCNN54540.2023.10191198
dc.rights	info:eu-repo/semantics/closedAccess
dc.title	Robust Deep Learning Models against Semantic-Preserving Adversarial Attack
dc.type	Conference Proceeding
utslib.citation.volume	00
utslib.location.activity	Broadbeach, Australia
pubs.organisational-group	University of Technology Sydney
pubs.organisational-group	University of Technology Sydney/Faculty of Engineering and Information Technology
pubs.organisational-group	University of Technology Sydney/Faculty of Engineering and Information Technology/School of Computer Science
utslib.copyright.status	closed_access	*
pubs.consider-herdc	false
dc.date.updated	2024-06-20T02:34:15Z
pubs.finish-date	2023-06-23
pubs.place-of-publication	Piscataway, USA
pubs.publication-status	Published
pubs.start-date	2023-06-18
pubs.volume	00
dc.location	Piscataway, USA

Abstract:

Deep learning models can be fooled by small l(p)-norm adversarial perturbations and natural perturbations in terms of attributes. Although the robustness against each perturbation has been explored, it remains a challenge to address the robustness against joint perturbations effectively. In this paper, we study the robustness of deep learning models against joint perturbations by proposing a novel attack mechanism named Semantic-Preserving Adversarial (SPA) attack, which can then be used to enhance adversarial training. Specifically, we introduce an attribute manipulator to generate natural and human-comprehensible perturbations and a noise generator to generate diverse adversarial noises. Based on such combined noises, we optimize both the attribute value and the diversity variable to generate jointlyperturbed samples. For robust training, we adversarially train the deep learning model against the generated joint perturbations. Empirical results on four benchmarks show that the SPA attack causes a larger performance decline with small l1 norm-ball constraints compared to existing approaches. Furthermore, our SPA-enhanced training outperforms existing defense methods against such joint perturbations.

Please use this identifier to cite or link to this item:

http://hdl.handle.net/10453/179589