ASK: Adversarial Soft k-Nearest Neighbor Attack and Defense

K-nearest neighbor (kNN)-based deep learning methods have been applied to many applications because of their simplicity and geometric interpretability. However, the robustness of kNN-based deep classification models has not been thoroughly explored, and kNN attack strategies are underdeveloped. In this paper, we first propose an Adversarial Soft kNN (ASK) loss for developing more effective attack strategies against kNN-based deep neural networks and for designing better defenses against them. The ASK loss is a differentiable surrogate of the expected kNN classification error. It is also interpretable, since it preserves the mutual information between the perturbed input and the in-class reference data. We use the ASK loss to design a novel attack, the ASK-Attack (ASK-Atk), which achieves higher attack efficiency and larger accuracy degradation than previous kNN attacks on hidden layers. We then derive an ASK-Defense (ASK-Def) method that minimizes the worst-case ASK training loss. Experiments on CIFAR-10 (ImageNet) show that (i) ASK-Atk achieves a ≥13% (≥13%) improvement in attack success rate over previous kNN attacks, and (ii) ASK-Def outperforms conventional adversarial training by ≥6.9% (≥3.5%) in robustness improvement. Code is available at https://github.com/wangren09/ASK.
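The three ingredients the abstract names, a differentiable surrogate of the kNN error, a gradient attack that maximizes it at a hidden layer, and a defense that minimizes its worst-case value, can be seen end to end on a toy problem. The following is an added example and is not the authors' ASK code: the surrogate used here is a generic temperature-weighted soft-kNN class probability (an assumed stand-in, not the paper's ASK loss), and the fixed linear feature map `W`, the eight reference points, the L-inf budget, step sizes and learning rate are all constructed for the illustration.

```python
"""Soft-kNN surrogate loss, a PGD attack that maximizes it through a feature
layer, and one worst-case (min-max) training step on that layer.

Added illustration, not the authors' ASK code: the loss is a generic
temperature-weighted soft-kNN class probability (an assumption standing in for
the paper's ASK loss); the feature map, reference set, attack budget and
learning rate are constructed for this example.
"""
import numpy as np

TAU = 1.0  # temperature: tau -> 0 approaches the hard 1-NN vote

# Constructed stand-in for a hidden layer: fixed linear feature map z = W x.
W = np.array([[1.0, 0.0],
              [0.0, 0.5]])

# Constructed in-class reference set, already in feature space.
REF_Z = np.array([[-2.0, 0.0], [-2.5, 0.5], [-1.5, -0.5], [-2.0, 1.0],   # class 0
                  [ 2.0, 0.0], [ 2.5, 0.5], [ 1.5, -0.5], [ 2.0, 1.0]])  # class 1
REF_Y = np.array([0, 0, 0, 0, 1, 1, 1, 1])


def features(x, w=W):
    return w @ x


def _kernel_weights(z, ref_z, tau):
    """Softmax over negative squared distances to every reference point."""
    logits = -np.sum((ref_z - z) ** 2, axis=1) / tau
    k = np.exp(logits - logits.max())       # shift for numerical stability
    return k / k.sum()


def soft_knn_probs(z, ref_z=REF_Z, ref_y=REF_Y, tau=TAU):
    """P(class c | z): kernel mass of class c's references near z."""
    k = _kernel_weights(z, ref_z, tau)
    return np.array([k[ref_y == c].sum() for c in range(ref_y.max() + 1)])


def soft_knn_loss(z, y, **kw):
    """Differentiable surrogate of the kNN error: -log P(y | z)."""
    return float(-np.log(soft_knn_probs(z, **kw)[y]))


def soft_knn_loss_grad(z, y, ref_z=REF_Z, ref_y=REF_Y, tau=TAU):
    """Analytic d(loss)/dz = (2/tau) * (m_y - sum_c p_c m_c), where m_c is the
    kernel-weighted mean of (z - r) over class c's references."""
    k = _kernel_weights(z, ref_z, tau)
    in_class = ref_y == y
    k_in = k[in_class] / k[in_class].sum()
    grad_in = (2.0 / tau) * (k_in[:, None] * (z - ref_z[in_class])).sum(axis=0)
    grad_all = (2.0 / tau) * (k[:, None] * (z - ref_z)).sum(axis=0)
    return grad_in - grad_all


def numerical_grad(z, y, h=1e-5):
    """Central-difference check for soft_knn_loss_grad."""
    g = np.zeros_like(z, dtype=float)
    for i in range(len(z)):
        e = np.zeros_like(z, dtype=float)
        e[i] = h
        g[i] = (soft_knn_loss(z + e, y) - soft_knn_loss(z - e, y)) / (2 * h)
    return g


def gradient_check(z=np.array([-0.6, 0.0]), y=0):
    """Max abs difference between the analytic and numerical gradients."""
    return float(np.abs(soft_knn_loss_grad(z, y) - numerical_grad(z, y)).max())


def hard_knn_predict(z, k=3, ref_z=REF_Z, ref_y=REF_Y):
    """The non-differentiable kNN rule the surrogate stands in for."""
    nearest = np.argsort(np.sum((ref_z - z) ** 2, axis=1))[:k]
    return int(np.bincount(ref_y[nearest]).argmax())


def pgd_attack(x, y, w=W, eps=0.8, alpha=0.1, steps=20):
    """L-inf PGD in input space that maximizes the soft-kNN loss of the
    hidden-layer features; the gradient flows back through the linear map."""
    x_adv = x.astype(float)
    for _ in range(steps):
        g_x = w.T @ soft_knn_loss_grad(features(x_adv, w), y)   # chain rule
        x_adv = np.clip(x_adv + alpha * np.sign(g_x), x - eps, x + eps)
    return x_adv


def defense_step(w, x, y, lr=0.02, **attack_kw):
    """One outer step of worst-case training: craft the attack under the
    current w, then descend on w to lower the loss at that adversarial point.
    d(loss)/dw = outer(d(loss)/dz, x_adv) because z = w @ x_adv."""
    x_adv = pgd_attack(x, y, w=w, **attack_kw)
    g_z = soft_knn_loss_grad(features(x_adv, w), y)
    return w - lr * np.outer(g_z, x_adv), x_adv


def demo(x=np.array([-0.6, 0.0]), y=0):
    x_adv = pgd_attack(x, y)
    w_new, _ = defense_step(W, x, y)
    return {
        "clean_pred": hard_knn_predict(features(x)),
        "adv_pred": hard_knn_predict(features(x_adv)),
        "clean_loss": soft_knn_loss(features(x), y),
        "adv_loss": soft_knn_loss(features(x_adv), y),
        "linf": float(np.abs(x_adv - x).max()),
        "defended_adv_loss": soft_knn_loss(features(x_adv, w_new), y),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Two things worth checking when building an attack of this kind. First, the surrogate must track the rule it replaces: the clean input is classified correctly by the hard 3-NN vote and, after the attack drives the soft loss up, the hard vote flips as well. Second, the analytic gradient should agree with a finite-difference estimate before it is trusted inside PGD; a sign error here silently turns a maximization into a minimization. The defense step is the inner/outer structure of adversarial training applied to the same loss: attack under the current parameters, then take a descent step on those parameters at the adversarial point. In a real network the reference set would be the training features at the attacked layer and `w` the layers below it, with backpropagation in place of the hand-written chain rule.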
