ROPUST: Improving Robustness through Fine-tuning with Photonic Processors and Synthetic Gradients

Robustness to adversarial attacks is typically obtained through expensive adversarial training with Projected Gradient Descent. Here we introduce ROPUST, a remarkably simple and efficient method for leveraging robust pre-trained models and further increasing their robustness, at no cost in natural accuracy. Our technique relies on an Optical Processing Unit (OPU), a photonic co-processor, and a fine-tuning step performed with Direct Feedback Alignment, a synthetic gradient training scheme. We test our method on nine different models against four attacks from RobustBench, consistently improving over state-of-the-art performance. We perform an ablation study on the individual components of our defense, showing that robustness arises from parameter obfuscation and the alternative training method. We also introduce phase retrieval attacks, specifically designed to increase the threat level against our own defense. We show that even with state-of-the-art phase retrieval techniques, ROPUST remains an effective defense.
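To make the two ingredients concrete, below is a minimal digital sketch, not the authors' implementation: a frozen robust backbone feeds a simulated OPU layer computing y = |Rx|^2 with a fixed complex random matrix R (standing in for the photonic co-processor, whose transmission matrix is unknown to the attacker), followed by a small classifier fine-tuned with Direct Feedback Alignment, where the hidden layer receives the output error through a fixed random feedback matrix rather than the true backward pass. All class and function names here are illustrative assumptions.

```python
import torch
import torch.nn as nn
import torch.nn.functional as F

class SimulatedOPU(nn.Module):
    """Fixed random projection y = |Rx|^2, a digital stand-in for the photonic OPU."""
    def __init__(self, in_dim, out_dim):
        super().__init__()
        # Fixed complex Gaussian matrix; never trained, treated as unknown to the attacker.
        self.register_buffer("R_real", torch.randn(out_dim, in_dim) / in_dim ** 0.5)
        self.register_buffer("R_imag", torch.randn(out_dim, in_dim) / in_dim ** 0.5)

    def forward(self, x):
        # Squared modulus of the complex projection.
        return (x @ self.R_real.t()) ** 2 + (x @ self.R_imag.t()) ** 2

class DFAHead(nn.Module):
    """Two-layer classifier whose hidden layer is trained with Direct Feedback Alignment."""
    def __init__(self, in_dim, hidden_dim, num_classes):
        super().__init__()
        self.fc1 = nn.Linear(in_dim, hidden_dim)
        self.fc2 = nn.Linear(hidden_dim, num_classes)
        # Fixed random feedback matrix B, used in place of fc2.weight^T during training.
        self.register_buffer("B", torch.randn(num_classes, hidden_dim) / hidden_dim ** 0.5)

    def forward(self, z):
        h_pre = self.fc1(z)
        h = torch.relu(h_pre)
        return self.fc2(h), h_pre, h

def dfa_step(head, opu, backbone_feats, targets, lr=1e-3):
    """One manual DFA update on features from a frozen robust backbone:
    the global error e is routed through B to update the hidden layer,
    bypassing the true backward pass through fc2."""
    with torch.no_grad():
        z = opu(backbone_feats)
        logits, h_pre, h = head(z)
        # Cross-entropy error at the output: softmax(logits) - one_hot(targets).
        e = F.softmax(logits, dim=1) - F.one_hot(targets, logits.size(1)).float()
        # Output layer: standard delta rule.
        head.fc2.weight -= lr * e.t() @ h / len(targets)
        head.fc2.bias -= lr * e.mean(0)
        # Hidden layer: error projected through the fixed feedback matrix B.
        delta_h = (e @ head.B) * (h_pre > 0).float()
        head.fc1.weight -= lr * delta_h.t() @ z / len(targets)
        head.fc1.bias -= lr * delta_h.mean(0)
```

In the actual defense the projection is performed optically, so its parameters are physically obfuscated; an attacker wishing to differentiate through it must first recover the transmission matrix, which is what the phase retrieval attacks studied in the paper attempt to do.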
