Benchmarking Adversarial Robustness [article]

Yinpeng Dong, Qi-An Fu, Xiao Yang, Tianyu Pang, Hang Su, Zihao Xiao, Jun Zhu
2019 arXiv pre-print
arXiv:1912.11852v1 fatcat:aamzg5ajlnb27brph52rmd4era

Composite Binary Decomposition Networks [article]

You Qiaoben, Zheng Wang, Jianguo Li, Yinpeng Dong, Yu-Gang Jiang, Jun Zhu
2018 arXiv pre-print
A novel training procedure named stochastic quantization (Dong et al. 2017) was introduced to narrow down such gaps. In summary, all these works belong to the training-time optimization category. ...
arXiv:1811.06668v1 fatcat:vdjklxuwrvey7ctmmkj6bexp7i

BadDet: Backdoor Attacks on Object Detection [article]

Shih-Han Chan, Yinpeng Dong, Jun Zhu, Xiaolu Zhang, Jun Zhou
2022 arXiv pre-print
Deep learning models have been deployed in numerous real-world applications such as autonomous driving and surveillance. However, these models are vulnerable in adversarial environments. Backdoor attacks are emerging as a severe security threat: a backdoor trigger is injected into a small portion of the training data such that the trained model behaves normally on benign inputs but gives incorrect predictions when the specific trigger appears. While most research on backdoor attacks focuses on image classification, backdoor attacks on object detection have not been explored but are of equal importance. Object detection has been adopted as an important module in various security-sensitive applications such as autonomous driving. Therefore, backdoor attacks on object detection could pose severe threats to human lives and property. We propose four kinds of backdoor attacks for the object detection task: 1) Object Generation Attack: a trigger can falsely generate an object of the target class; 2) Regional Misclassification Attack: a trigger can change the prediction of a surrounding object to the target class; 3) Global Misclassification Attack: a single trigger can change the predictions of all objects in an image to the target class; and 4) Object Disappearance Attack: a trigger can make the detector fail to detect the object of the target class. We develop appropriate metrics to evaluate the four backdoor attacks on object detection. We perform experiments using two typical object detection models, Faster-RCNN and YOLOv3, on different datasets. More crucially, we demonstrate that even fine-tuning on another benign dataset cannot remove the backdoor hidden in the object detection model. To defend against these backdoor attacks, we propose Detector Cleanse, an entropy-based run-time detection framework to identify poisoned testing samples for any deployed object detector.
arXiv:2205.14497v1 fatcat:alsft7qihbdobi4kpu6xmtq4vy

Towards Interpretable Deep Neural Networks by Leveraging Adversarial Examples [article]

Yinpeng Dong, Hang Su, Jun Zhu, Fan Bao
2017 arXiv pre-print
Deep neural networks (DNNs) have demonstrated impressive performance on a wide array of tasks, but they are usually considered opaque since their internal structure and learned parameters are not interpretable. In this paper, we re-examine the internal representations of DNNs using adversarial images, which are generated by an ensemble-optimization algorithm. We find that: (1) the neurons in DNNs do not truly detect semantic objects/parts, but respond to objects/parts only as recurrent discriminative patches; (2) deep visual representations are not robust distributed codes of visual concepts, because the representations of adversarial images are largely not consistent with those of real images although they have similar visual appearance. Both findings differ from previous ones. To further improve the interpretability of DNNs, we propose an adversarial training scheme with a consistent loss such that the neurons are endowed with human-interpretable concepts. The induced interpretable representations enable us to trace eventual outcomes back to influential neurons. Therefore, human users can know how the models make predictions, as well as when and why they make errors.
arXiv:1708.05493v1 fatcat:cutkg4sewngy3aldazj4sdr4my

Evading Defenses to Transferable Adversarial Examples by Translation-Invariant Attacks [article]

Yinpeng Dong, Tianyu Pang, Hang Su, Jun Zhu
2019 arXiv pre-print
Deep neural networks are vulnerable to adversarial examples, which can mislead classifiers by adding imperceptible perturbations. An intriguing property of adversarial examples is their good transferability, which makes black-box attacks feasible in real-world applications. Due to the threat of adversarial attacks, many methods have been proposed to improve robustness, and several state-of-the-art defenses are shown to be robust against transferable adversarial examples. In this paper, we propose a translation-invariant attack method to generate more transferable adversarial examples against the defense models. By optimizing a perturbation over an ensemble of translated images, the generated adversarial example is less sensitive to the white-box model being attacked and has better transferability. To improve the efficiency of attacks, we further show that our method can be implemented by convolving the gradient at the untranslated image with a pre-defined kernel. Our method is generally applicable to any gradient-based attack method. Extensive experiments on the ImageNet dataset validate the effectiveness of the proposed method. Our best attack fools eight state-of-the-art defenses at an 82% success rate on average based only on transferability, demonstrating the insecurity of current defense techniques.
arXiv:1904.02884v1 fatcat:nmzv44su5zcvvcxspnmvsrg7ta

Towards Interpretable Deep Neural Networks by Leveraging Adversarial Examples [article]

Yinpeng Dong and Fan Bao and Hang Su and Jun Zhu
2019 arXiv pre-print
Sometimes it is not enough for a DNN to produce an outcome. For example, in applications such as healthcare, users need to understand the rationale behind the decisions. Therefore, it is imperative to develop algorithms that learn models with good interpretability (Doshi-Velez 2017). An important factor behind the lack of interpretability of DNNs is the ambiguity of neurons, where a neuron may fire for various unrelated concepts. This work aims to increase the interpretability of DNNs on the whole image space by reducing the ambiguity of neurons. In this paper, we make the following contributions: 1) We propose a metric to quantitatively evaluate the consistency level of neurons in a network. 2) We find, by leveraging adversarial examples, that the learned features of neurons are ambiguous. 3) We propose to improve the consistency of neurons on an adversarial example subset by an adversarial training algorithm with a consistent loss.
arXiv:1901.09035v1 fatcat:ujbjyvklsja5ngrmaktxdkpqnu

Kallima: A Clean-label Framework for Textual Backdoor Attacks [article]

Xiaoyi Chen, Yinpeng Dong, Zeyu Sun, Shengfang Zhai, Qingni Shen, Zhonghai Wu
2022 arXiv pre-print
Although Deep Neural Networks (DNNs) have led to unprecedented progress in various natural language processing (NLP) tasks, research shows that deep models are extremely vulnerable to backdoor attacks. Existing backdoor attacks mainly inject a small number of poisoned samples into the training dataset with their labels changed to the target one. Such mislabeled samples would raise suspicion upon human inspection, potentially revealing the attack. To improve the stealthiness of textual backdoor attacks, we propose Kallima, the first clean-label framework for synthesizing mimesis-style backdoor samples to develop insidious textual backdoor attacks. We modify inputs belonging to the target class with adversarial perturbations, making the model rely more on the backdoor trigger. Our framework is compatible with most existing backdoor triggers. Experimental results on three benchmark datasets demonstrate the effectiveness of the proposed method.
arXiv:2206.01832v1 fatcat:bdmbcfnvonhjxnuwx2zhusutr4

Learning Visual Knowledge Memory Networks for Visual Question Answering [article]

Zhou Su, Chen Zhu, Yinpeng Dong, Dongqi Cai, Yurong Chen, Jianguo Li
2018 arXiv pre-print
This work was done when Zhou Su worked at Intel Labs China, and Yinpeng Dong was an intern at Intel Labs China. ...
arXiv:1806.04860v1 fatcat:iwjys34vfjdwjckig36gg5xqjq

Feature Engineering and Ensemble Modeling for Paper Acceptance Rank Prediction [article]

Yujie Qian, Yinpeng Dong, Ye Ma, Hailong Jin, Juanzi Li
2016 arXiv pre-print
Measuring research impact and ranking academic achievement are important and challenging problems. Having an objective picture of research institutions is particularly valuable for students, parents and funding agencies, and also attracts attention from government and industry. KDD Cup 2016 proposes the paper acceptance rank prediction task, in which participants are asked to rank the importance of institutions by predicting how many of their papers will be accepted at the 8 top conferences in computer science. In our work, we adopt a three-step feature engineering method: defining basic features, finding similar conferences to enhance the feature set, and reducing dimensionality using PCA. We propose three ranking models and ensemble methods for combining them. Our experiments verify the effectiveness of our approach. In KDD Cup 2016, we achieved the overall rank of 2nd place.
arXiv:1611.04369v1 fatcat:5s4qybjzdza7fam74xuid4x5ui

Exploring Memorization in Adversarial Training [article]

Yinpeng Dong, Ke Xu, Xiao Yang, Tianyu Pang, Zhijie Deng, Hang Su, Jun Zhu
2022 arXiv pre-print
arXiv:2106.01606v2 fatcat:gb22ve35m5fhhpggc4lmp2tqx4

Boosting Adversarial Training with Hypersphere Embedding [article]

Tianyu Pang, Xiao Yang, Yinpeng Dong, Kun Xu, Hang Su, Jun Zhu
2020 arXiv pre-print
arXiv:2002.08619v2 fatcat:d6qloqbjzvaojozkyyp5g7s6we

Model-Agnostic Meta-Attack: Towards Reliable Evaluation of Adversarial Robustness [article]

Xiao Yang, Yinpeng Dong, Wenzhao Xiang, Tianyu Pang, Hang Su, Jun Zhu
2021 arXiv pre-print
arXiv:2110.08256v1 fatcat:7rlig67wznbzfi66r7ca5xbmyi

Learning Accurate Low-Bit Deep Neural Networks with Stochastic Quantization [article]

Yinpeng Dong, Renkun Ni, Jianguo Li, Yurong Chen, Jun Zhu, Hang Su
2017 arXiv pre-print
Low-bit deep neural networks (DNNs) have become critical for embedded applications due to their low storage requirements and computing efficiency. However, they suffer from a non-negligible accuracy drop. This paper proposes the stochastic quantization (SQ) algorithm for learning accurate low-bit DNNs. The motivation comes from the following observation. Existing training algorithms approximate the real-valued elements/filters with a low-bit representation all together in each iteration. The quantization errors may be small for some elements/filters while remarkable for others, which leads to inappropriate gradient directions during training and thus a notable accuracy drop. Instead, SQ quantizes a portion of the elements/filters to low-bit with a stochastic probability inversely proportional to the quantization error, while keeping the other portion unchanged at full precision. The quantized and full-precision portions are updated separately with their corresponding gradients in each iteration. The SQ ratio is gradually increased until the whole network is quantized. This procedure can greatly compensate for the quantization error and thus yield better accuracy for low-bit DNNs. Experiments show that SQ consistently and significantly improves the accuracy of different low-bit DNNs on various datasets and network structures.
arXiv:1708.01001v1 fatcat:wqymsfctbrefhejwk7feceiz7a

Error-Silenced Quantization: Bridging Robustness and Compactness

Zhicong Tang, Yinpeng Dong, Hang Su
2020 International Joint Conference on Artificial Intelligence
As deep neural networks (DNNs) advance rapidly, quantization has become a widely used standard for deployment on resource-limited hardware. However, DNNs are widely accepted to be vulnerable to adversarial attacks, and quantization is found to further weaken their robustness. Adversarial training is a proven feasible defense, but it depends on a larger network capacity, which contradicts quantization. Thus, in this work, we propose a novel method, Error-silenced Quantization, that relaxes this constraint and achieves both robustness and compactness. We first observe the Error Amplification Effect, i.e., small perturbations on adversarial samples being amplified through the layers; a pairing is then designed to directly silence the error. Comprehensive experimental results on CIFAR-10 and CIFAR-100 show that our method fixes the robustness drop against alternative threat models and even outperforms full-precision models. Finally, we study different pairing schemes and secure our method from the obfuscated gradient problem that undermines many previous defenses.
dblp:conf/ijcai/TangD020 fatcat:eg4wydgqgbgo7kifdewwlfzyd4

Understanding and Exploring the Network with Stochastic Architectures

Zhijie Deng, Yinpeng Dong, Shifeng Zhang, Jun Zhu
2020 Neural Information Processing Systems
There is an emerging trend to train a network with stochastic architectures so that various architectures can be plugged and played during inference. However, the existing investigation is highly entangled with neural architecture search (NAS), limiting its widespread use across scenarios. In this work, we decouple the training of a network with stochastic architectures (NSA) from NAS and provide the first systematic investigation of it as a stand-alone problem. We first uncover the characteristics of NSA in various aspects, ranging from training stability, convergence and predictive behaviour to generalization capacity to unseen architectures. We identify various issues of the vanilla NSA, such as training/test disparity and function mode collapse, and further propose solutions to these issues with theoretical and empirical insights. We believe these results could also serve as good heuristics for NAS. Given these understandings, we further apply the NSA with our improvements to diverse scenarios to fully exploit its promise of inference-time architecture stochasticity, including model ensembles, uncertainty estimation and semi-supervised learning. Remarkable performance (e.g., 2.75% error rate and 0.0032 expected calibration error on CIFAR-10) validates the effectiveness of such a model, providing new perspectives on exploring the potential of networks with stochastic architectures beyond NAS.
dblp:conf/nips/DengDZ020 fatcat:rf2pdtyqzvdb5brj4dbs7hy5ny