TY - GEN
T1 - Robustness Against Gradient based Attacks through Cost Effective Network Fine-Tuning
AU - Agarwal, Akshay
AU - Ratha, Nalini
AU - Singh, Richa
AU - Vatsa, Mayank
N1 - Publisher Copyright:
© 2023 IEEE.
PY - 2023
Y1 - 2023
N2 - Adversarial perturbations aim to modify the image pixels in an imperceptible manner such that the CNN classifier misclassifies an image, whereas humans can still predict the original class. Several defense algorithms against adversarial attacks have been proposed in the literature, such as binary classification, which aims to detect adversarial examples, and network retraining using perturbed images. The challenge with the adversarial detection approach is that once the perturbed samples are detected, they are discarded, and the system requires fresh input. On the other hand, adversarial training requires the generation of adversarial images for data augmentation and hence is computationally demanding. It is well known that training a deep CNN architecture is resource-intensive, and therefore retraining from scratch is not feasible in resource-constrained scenarios. We propose computationally efficient fine-tuning of pre-trained networks to increase their robustness against the prevalent gradient-based attacks. The proposed fine-tuning is performed in a complete black-box fashion, where we do not know the training settings, such as the optimizer, batch size, and learning rate, used in the training of the network. Extensive experiments using multiple CNN architectures such as VGG and ResNet show that the proposed fine-tuning provides significant robustness against various widespread gradient attacks.
AB - Adversarial perturbations aim to modify the image pixels in an imperceptible manner such that the CNN classifier misclassifies an image, whereas humans can still predict the original class. Several defense algorithms against adversarial attacks have been proposed in the literature, such as binary classification, which aims to detect adversarial examples, and network retraining using perturbed images. The challenge with the adversarial detection approach is that once the perturbed samples are detected, they are discarded, and the system requires fresh input. On the other hand, adversarial training requires the generation of adversarial images for data augmentation and hence is computationally demanding. It is well known that training a deep CNN architecture is resource-intensive, and therefore retraining from scratch is not feasible in resource-constrained scenarios. We propose computationally efficient fine-tuning of pre-trained networks to increase their robustness against the prevalent gradient-based attacks. The proposed fine-tuning is performed in a complete black-box fashion, where we do not know the training settings, such as the optimizer, batch size, and learning rate, used in the training of the network. Extensive experiments using multiple CNN architectures such as VGG and ResNet show that the proposed fine-tuning provides significant robustness against various widespread gradient attacks.
UR - https://www.scopus.com/pages/publications/85170822538
U2 - 10.1109/CVPRW59228.2023.00008
DO - 10.1109/CVPRW59228.2023.00008
M3 - Conference contribution
AN - SCOPUS:85170822538
T3 - IEEE Computer Society Conference on Computer Vision and Pattern Recognition Workshops
SP - 28
EP - 37
BT - Proceedings - 2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition Workshops, CVPRW 2023
PB - IEEE Computer Society
T2 - 2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition Workshops, CVPRW 2023
Y2 - 18 June 2023 through 22 June 2023
ER -