
Towards Defending Multiple \(\ell _p\)-Norm Bounded Adversarial Perturbations via Gated Batch Normalization

International Journal of Computer Vision

Abstract

There has been extensive evidence demonstrating that deep neural networks are vulnerable to adversarial examples, which motivates the development of defenses against adversarial attacks. Existing adversarial defenses typically improve model robustness against one specific perturbation type (e.g., \(\ell _{\infty }\)-norm bounded adversarial examples). In practice, however, adversaries are likely to generate multiple types of perturbations (e.g., \(\ell _1\), \(\ell _2\), and \(\ell _{\infty }\) perturbations). Some recent methods improve model robustness against adversarial attacks in multiple \(\ell _p\) balls, but their performance against each perturbation type is still far from satisfactory. In this paper, we observe that different \(\ell _p\) bounded adversarial perturbations induce different statistical properties that can be separated and characterized by the statistics of Batch Normalization (BN). We thus propose Gated Batch Normalization (GBN) to adversarially train a perturbation-invariant predictor for defending against multiple \(\ell _p\) bounded adversarial perturbations. GBN consists of a multi-branch BN layer and a gated sub-network. Each BN branch in GBN is in charge of one perturbation type, ensuring that the normalized output is aligned towards learning a perturbation-invariant representation. Meanwhile, the gated sub-network is designed to separate inputs perturbed with different perturbation types. We perform an extensive evaluation of our approach on commonly used datasets including MNIST, CIFAR-10, and Tiny-ImageNet, and demonstrate that GBN outperforms previous defense proposals against multiple perturbation types (i.e., \(\ell _1\), \(\ell _2\), and \(\ell _{\infty }\) perturbations) by large margins.
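To make the mechanism in the abstract concrete, the following added example (not code from the paper or its authors) implements a toy gated multi-branch BN layer in pure Python. Each branch keeps its own running statistics and is trained only on batches of one perturbation type; at inference a gate supplies per-branch weights and the branch outputs are mixed. The three "perturbation types" are stand-in activation distributions with different channel offsets and scales (constructed here, not data from the paper), and the one-hot oracle gate is an assumption that stands in for the paper's learned gated sub-network, which is not reproduced. The demo compares the per-type alignment of GBN's normalized output against a single BN layer trained on the mixed batch.

```python
import math
from typing import Callable, List, Sequence

Sample = List[float]  # one sample: its per-channel activations
Batch = List[Sample]


def channel_stats(batch: Batch):
    """Per-channel mean and biased variance over a batch (what BN computes)."""
    n, c = len(batch), len(batch[0])
    means = [sum(x[j] for x in batch) / n for j in range(c)]
    variances = [sum((x[j] - means[j]) ** 2 for x in batch) / n for j in range(c)]
    return means, variances


class BNBranch:
    """A single BN layer: running statistics plus affine parameters gamma/beta."""

    def __init__(self, channels: int, momentum: float = 0.1, eps: float = 1e-5):
        self.running_mean = [0.0] * channels
        self.running_var = [1.0] * channels
        self.gamma = [1.0] * channels
        self.beta = [0.0] * channels
        self.momentum, self.eps = momentum, eps

    def train_forward(self, batch: Batch) -> Batch:
        """Normalise with batch statistics and move the running statistics toward them."""
        mean, var = channel_stats(batch)
        m = self.momentum
        for j, (mu, v) in enumerate(zip(mean, var)):
            self.running_mean[j] = (1.0 - m) * self.running_mean[j] + m * mu
            self.running_var[j] = (1.0 - m) * self.running_var[j] + m * v
        return self._affine(batch, mean, var)

    def eval_forward(self, batch: Batch) -> Batch:
        """Normalise with the stored running statistics (inference mode)."""
        return self._affine(batch, self.running_mean, self.running_var)

    def _affine(self, batch: Batch, mean, var) -> Batch:
        return [[self.gamma[j] * (x[j] - mean[j]) / math.sqrt(var[j] + self.eps) + self.beta[j]
                 for j in range(len(x))] for x in batch]


class GatedBN:
    """Gated BN: one BNBranch per perturbation type, selected by a gate at inference."""

    def __init__(self, channels: int, n_types: int, momentum: float = 0.1):
        self.branches = [BNBranch(channels, momentum) for _ in range(n_types)]

    def train_forward(self, batch: Batch, ptype: int) -> Batch:
        """During adversarial training the lp ball of each batch is known, so routing is hard."""
        return self.branches[ptype].train_forward(batch)

    def eval_forward(self, batch: Batch, gate: Callable[[Sample], Sequence[float]]) -> Batch:
        """The gate returns one weight per branch for each sample; branch outputs are mixed."""
        per_branch = [b.eval_forward(batch) for b in self.branches]
        out = []
        for i, x in enumerate(batch):
            w = gate(x)
            total = sum(w) or 1.0  # normalise the gate weights defensively
            out.append([sum(w[k] / total * per_branch[k][i][j] for k in range(len(w)))
                        for j in range(len(x))])
        return out


# Constructed stand-in activations: each "perturbation type" shifts and scales the channels
# differently, mimicking the distinct statistics that different lp perturbations induce.
def make_batch(offset: float, scale: float, n: int = 16, channels: int = 4) -> Batch:
    return [[offset + scale * (((7 * i + 3 * j) % 5) - 2) for j in range(channels)]
            for i in range(n)]


TYPE_PARAMS = [(0.0, 1.0), (4.0, 0.5), (-3.0, 2.0)]  # constructed: three types (think l1, l2, linf)


def run_demo(steps: int = 100):
    """Returns (gbn_misalignment, shared_misalignment): the largest |channel mean| of the
    inference-mode output over all types. Well-aligned normalisation gives values near 0."""
    batches = [make_batch(o, s) for o, s in TYPE_PARAMS]
    gbn = GatedBN(channels=4, n_types=len(TYPE_PARAMS))
    shared = BNBranch(channels=4)  # baseline: one BN layer fed the mixed batch
    pooled = [x for b in batches for x in b]
    for _ in range(steps):
        for t, b in enumerate(batches):
            gbn.train_forward(b, t)
        shared.train_forward(pooled)

    def misalignment(outputs: Batch) -> float:
        means, _ = channel_stats(outputs)
        return max(abs(m) for m in means)

    gbn_err = shared_err = 0.0
    for t, b in enumerate(batches):
        # Oracle gate (assumed stand-in for the learned gated sub-network): one-hot on the true type.
        onehot = [1.0 if k == t else 0.0 for k in range(len(TYPE_PARAMS))]
        gbn_err = max(gbn_err, misalignment(gbn.eval_forward(b, lambda x: onehot)))
        shared_err = max(shared_err, misalignment(shared.eval_forward(b)))
    return gbn_err, shared_err


if __name__ == "__main__":
    g, s = run_demo()
    print(f"GBN max |channel mean| = {g:.4f}, shared BN = {s:.4f}")
```

With the per-type branches, every type's normalized output has channel means at essentially zero, while the shared BN, whose running statistics are a blend of all three distributions, leaves the outputs of the shifted types about one standard deviation off centre. That offset is the statistical mismatch the abstract refers to; what the gate contributes is routing each input to the branch whose statistics fit it.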




Notes

  1. In this work, we consider \(N=3\) adversarial perturbation types: \(\ell _1, \ell _2\), and \(\ell _{\infty }\).

  2. ABS considers \(\ell _0\) perturbations, which are subsumed within the \(\ell _1\) ball of the same radius. Moreover, ABS is designed only for MNIST. Because only limited code is available, we use the results reported in (Schott et al., 2019).

  3. https://github.com/bethgelab/AnalysisBySynthesis

  4. https://github.com/ftramer/MultiRobustness

  5. https://github.com/locuslab/robust_union

  6. https://github.com/yaodongyu/TRADES

  7. https://github.com/cassidylaidlaw/perceptual-advex

  8. https://github.com/fra31/auto-attack

  9. https://github.com/Trusted-AI/adversarial-robustness-toolbox

  10. https://github.com/thu-ml/ares

References

  • Asano, Y. M., Rupprecht, C., & Vedaldi, A. (2020). A critical analysis of self-supervision, or what we can learn from a single image.

  • Athalye, A., Carlini, N., & Wagner, D. (2018). Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In International Conference on Machine Learning.

  • Ba, J. L., Kiros, J. R., & Hinton, G. E. (2016). Layer normalization. arXiv preprint arXiv:1607.06450.

  • Bahdanau, D., Cho, K., & Bengio, Y. (2014). Neural machine translation by jointly learning to align and translate. arXiv preprint arXiv:1409.0473.

  • Benz, P., Zhang, C., Karjauv, A., & Kweon, I. S. (2021). Revisiting batch normalization for improving corruption robustness. In WACV.

  • Brendel, W., Rauber, J., & Bethge, M. (2018). Decision-based adversarial attacks: Reliable attacks against black-box machine learning models. In International Conference on Learning Representations.

  • Brendel, W., Rauber, J., Kümmerer, M., Ustyuzhaninov, I., & Bethge, M. (2019). Accurate, reliable and fast robustness evaluation. In Advances in Neural Information Processing Systems.

  • Brown, T. B., Mané, D., Roy, A., Abadi, M., & Gilmer, J. (2017). Adversarial patch. arXiv preprint arXiv:1712.09665.

  • Carlini, N., & Wagner, D. (2017). Towards evaluating the robustness of neural networks. In IEEE Symposium on Security and Privacy.

  • Chang, W.-G., You, T., Seo, S., Kwak, S., & Han, B. (2019). Domain-specific batch normalization for unsupervised domain adaptation. In IEEE Conference on Computer Vision and Pattern Recognition.

  • Cisse, M., Bojanowski, P., Grave, E., Dauphin, Y., & Usunier, N. (2017). Parseval networks: Improving robustness to adversarial examples. In International Conference on Machine Learning.

  • Croce, F., & Hein, M. (2020). Provable robustness against all adversarial \(l_p\)-perturbations for \(p \ge 1\).

  • Croce, F., & Hein, M. (2020). Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks.

  • Croce, F., Rauber, J., & Hein, M. (2020). Scaling up the randomized gradient-free adversarial attack reveals overestimation of robustness using established attacks. International Journal of Computer Vision.

  • de Vries, H., Strub, F., Mary, J., Larochelle, H., Pietquin, O., & Courville, A. C. (2017). Modulating early visual processing by language. In Advances in Neural Information Processing Systems.

  • Deecke, L., Murray, I., & Bilen, H. (2019). Mode normalization.

  • Dong, Y., Liao, F., Pang, T., & Su, H. (2018). Boosting adversarial attacks with momentum. In IEEE Conference on Computer Vision and Pattern Recognition.

  • Dosovitskiy, A., Beyer, L., Kolesnikov, A., Weissenborn, D., Zhai, X., Unterthiner, T., Dehghani, M., Minderer, M., Heigold, G., Gelly, S., et al. (2020). An image is worth 16x16 words: Transformers for image recognition at scale. In International Conference on Learning Representations.

  • Duan, R., Mao, X., Qin, A. K., Chen, Y., Ye, S., He, Y., & Yang, Y. (2021). Adversarial laser beam: Effective physical-world attack to DNNs in a blink. In CVPR.

  • Engstrom, L., Ilyas, A., & Athalye, A. (2018). Evaluating and understanding the robustness of adversarial logit pairing. arXiv preprint arXiv:1807.10272.

  • Goodfellow, I. J., Shlens, J., & Szegedy, C. (2014). Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572.

  • Goswami, G., Agarwal, A., Ratha, N., Singh, R., & Vatsa, M. (2019). Detecting and mitigating adversarial perturbations for robust face recognition. International Journal of Computer Vision.

  • He, K., Zhang, X., Ren, S., & Sun, J. (2016). Deep residual learning for image recognition. In IEEE Conference on Computer Vision and Pattern Recognition.

  • Hinton, G., Deng, L., Yu, D., Dahl, G. E., Mohamed, A., Jaitly, N., Senior, A., Vanhoucke, V., Nguyen, P., & Sainath, T. N. (2012). Deep neural networks for acoustic modeling in speech recognition: The shared views of four research groups. IEEE Signal Processing Magazine.

  • Huang, X., & Belongie, S. (2017). Arbitrary style transfer in real-time with adaptive instance normalization.

  • Huang, L., Qin, J., Zhou, Y., Zhu, F., Liu, L., & Shao, L. (2020). Normalization techniques in training DNNs: Methodology, analysis and application. arXiv preprint arXiv:2009.12836.

  • Ioffe, S., & Szegedy, C. (2015). Batch normalization: Accelerating deep network training by reducing internal covariate shift. In International Conference on Machine Learning.

  • Kang, D., Sun, Y., Hendrycks, D., Brown, T., & Steinhardt, J. (2019). Testing robustness against unforeseen adversaries. arXiv preprint arXiv:1908.08016.

  • Krizhevsky, A., & Hinton, G. (2009). Learning multiple layers of features from tiny images. Technical report, Citeseer.

  • Krizhevsky, A., Sutskever, I., & Hinton, G. E. (2012). ImageNet classification with deep convolutional neural networks.

  • Kurakin, A., Goodfellow, I., & Bengio, S. (2017). Adversarial machine learning at scale.

  • Kurakin, A., Goodfellow, I., & Bengio, S. (2016). Adversarial examples in the physical world. arXiv preprint arXiv:1607.02533.

  • Laidlaw, C., Singla, S., & Feizi, S. (2021). Perceptual adversarial robustness: Defense against unseen threat models. In International Conference on Learning Representations.

  • LeCun, Y. (1998). The MNIST database of handwritten digits. http://yann.lecun.com/exdb/mnist/.

  • LeCun, Y., Bottou, L., Bengio, Y., & Haffner, P. (1998). Gradient-based learning applied to document recognition. In Proceedings of the IEEE.

  • Li, Y., Li, L., Wang, L., Zhang, T., & Gong, B. (2019). NAttack: Learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In International Conference on Machine Learning.

  • Li, Y., Wang, N., Shi, J., Liu, J., & Hou, X. (2017). Revisiting batch normalization for practical domain adaptation.

  • Li, B., Wu, B., Su, J., & Wang, G. (2020). EagleEye: Fast sub-net evaluation for efficient neural network pruning. In ECCV.

  • Liao, F., Liang, M., Dong, Y., Pang, T., Hu, X., & Zhu, J. (2018). Defense against adversarial attacks using high-level representation guided denoiser. In IEEE Conference on Computer Vision and Pattern Recognition.

  • Lin, W.-A., Lau, C. P., Levine, A., Chellappa, R., & Feizi, S. (2020). Dual manifold adversarial robustness: Defense against \(\ell _p\) and non-\(\ell _p\) adversarial attacks. In Advances in Neural Information Processing Systems.

  • Liu, A., Huang, T., Liu, X., Xu, Y., Ma, Y., Chen, X., Maybank, S., & Tao, D. (2020). Spatiotemporal attacks for embodied agents. In European Conference on Computer Vision.

  • Liu, A., Liu, X., Fan, J., Ma, Y., Zhang, A., Xie, H., & Tao, D. (2019). Perceptual-sensitive GAN for generating adversarial patches. In 33rd AAAI Conference on Artificial Intelligence.

  • Liu, A., Liu, X., Zhang, C., Yu, H., Liu, Q., & Tao, D. (2021). Training robust deep neural networks via adversarial noise propagation. IEEE Transactions on Image Processing.

  • Liu, A., Wang, J., Liu, X., Cao, B., Zhang, C., & Yu, H. (2020). Bias-based universal adversarial patch attack for automatic check-out. In ECCV.

  • Madry, A., Makelov, A., Schmidt, L., Tsipras, D., & Vladu, A. (2018). Towards deep learning models resistant to adversarial attacks.

  • Maini, P., Chen, X., Li, B., & Song, D. (2020). Perturbation type categorization for multiple \(\ell _p\) bounded adversarial robustness.

  • Maini, P., Wong, E., & Kolter, J. Z. (2020). Adversarial robustness against the union of multiple perturbation models.

  • Metzen, J. H., Fischer, V., & Bischoff, B. (2018). On detecting adversarial perturbations.

  • Papernot, N., McDaniel, P., Wu, X., Jha, S., & Swami, A. (2015). Distillation as a defense to adversarial perturbations against deep neural networks. arXiv preprint arXiv:1511.04508.

  • Rauber, J., Brendel, W., & Bethge, M. (2017). Foolbox: A Python toolbox to benchmark the robustness of machine learning models.

  • Schott, L., Rauber, J., Bethge, M., & Brendel, W. (2019). Towards the first adversarially robust neural network model on MNIST.

  • Shao, R., Perera, P., Yuen, P. C., & Patel, V. M. (2022). Open-set adversarial defense with clean-adversarial mutual learning. International Journal of Computer Vision.

  • Simonyan, K., & Zisserman, A. (2015). Very deep convolutional networks for large-scale image recognition. In International Conference on Learning Representations.

  • Szegedy, C., Zaremba, W., Sutskever, I., Bruna, J., Erhan, D., Goodfellow, I., & Fergus, R. (2013). Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199.

  • Tang, S., Gong, R., Wang, Y., Liu, A., Wang, J., Chen, X., Yu, F., Liu, X., Song, D., Yuille, A., Torr, P. H. S., & Tao, D. (2021). RobustART: Benchmarking robustness on architecture design and training techniques. https://arxiv.org/pdf/2109.05211.pdf.

  • Tramèr, F., & Boneh, D. (2019). Adversarial training and robustness for multiple perturbations. In Advances in Neural Information Processing Systems.

  • Tsipras, D., Santurkar, S., Engstrom, L., Turner, A., & Madry, A. (2019). Robustness may be at odds with accuracy.

  • Uesato, J., O’Donoghue, B., van den Oord, A., & Kohli, P. (2018). Adversarial risk and the dangers of evaluating against weak attacks. In International Conference on Machine Learning.

  • Ulyanov, D., Vedaldi, A., & Lempitsky, V. S. (2016). Instance normalization: The missing ingredient for fast stylization. arXiv preprint arXiv:1607.08022.

  • Van der Maaten, L., & Hinton, G. (2008). Visualizing data using t-SNE. Journal of Machine Learning Research.

  • Wang, J., Liu, A., Yin, Z., Liu, S., Tang, S., & Liu, X. (2021). Dual attention suppression attack: Generate adversarial camouflage in physical world. In CVPR.

  • Wei, X., Yan, H., & Li, B. (2022). Sparse black-box video attack with reinforcement learning. International Journal of Computer Vision.

  • Wu, Y., & He, K. (2018). Group normalization. In European Conference on Computer Vision.

  • Wu, J., Zhang, Q., & Xu, G. (2017). Tiny ImageNet challenge.

  • Xie, C., & Yuille, A. (2020). Intriguing properties of adversarial training at scale.

  • Xie, C., Tan, M., Gong, B., Wang, J., Yuille, A. L., & Le, Q. V. (2020). Adversarial examples improve image recognition. In IEEE Conference on Computer Vision and Pattern Recognition.

  • Xie, C., Wang, J., Zhang, Z., Ren, Z., & Yuille, A. (2018). Mitigating adversarial effects through randomization.

  • Yin, D., Lopes, R. G., Shlens, J., Cubuk, E. D., & Gilmer, J. (2019). A Fourier perspective on model robustness in computer vision. In Advances in Neural Information Processing Systems.

  • Zagoruyko, S., & Komodakis, N. (2016). Wide residual networks. In The British Machine Vision Conference.

  • Zhang, C., Liu, A., Liu, X., Xu, Y., Yu, H., Ma, Y., & Li, T. (2020). Interpreting and improving adversarial robustness with neuron sensitivity. IEEE Transactions on Image Processing.

  • Zhang, H., Yu, Y., Jiao, J., Xing, E. P., Ghaoui, L. E., & Jordan, M. I. (2019). Theoretically principled trade-off between robustness and accuracy.


Acknowledgements

This work was supported by National Natural Science Foundation of China (62206009, 62022009, and 61872021), and the National Key Research and Development Plan of China (2020AAA0103502).

Author information

Corresponding author

Correspondence to Xianglong Liu.

Additional information

Communicated by Bernhard Egger.


About this article

Cite this article

Liu, A., Tang, S., Chen, X. et al. Towards Defending Multiple \(\ell _p\)-Norm Bounded Adversarial Perturbations via Gated Batch Normalization. Int J Comput Vis 132, 1881–1898 (2024). https://doi.org/10.1007/s11263-023-01884-w
