Probabilistic Categorical Adversarial Attack and Adversarial Training

Han Xu, Pengfei He, Jie Ren, Yuxuan Wan, Zitao Liu, Hui Liu, Jiliang Tang
Proceedings of the 40th International Conference on Machine Learning, PMLR 202:38428-38442, 2023.

Abstract

The studies on adversarial attacks and defenses have greatly improved the robustness of Deep Neural Networks (DNNs). Most advanced approaches have been overwhelmingly designed for continuous data such as images. However, these achievements are still hard to be generalized to categorical data. To bridge this gap, we propose a novel framework, Probabilistic Categorical Adversarial Attack (or PCAA). It transfers the discrete optimization problem of finding categorical adversarial examples to a continuous problem that can be solved via gradient-based methods. We analyze the optimality (attack success rate) and time complexity of PCAA to demonstrate its significant advantage over current search-based attacks. More importantly, through extensive empirical studies, we demonstrate that the well-established defenses for continuous data, such as adversarial training and TRADES, can be easily accommodated to defend DNNs for categorical data.

Cite this Paper

BibTeX
@InProceedings{pmlr-v202-xu23e, title = {Probabilistic Categorical Adversarial Attack and Adversarial Training}, author = {Xu, Han and He, Pengfei and Ren, Jie and Wan, Yuxuan and Liu, Zitao and Liu, Hui and Tang, Jiliang}, booktitle = {Proceedings of the 40th International Conference on Machine Learning}, pages = {38428--38442}, year = {2023}, editor = {Krause, Andreas and Brunskill, Emma and Cho, Kyunghyun and Engelhardt, Barbara and Sabato, Sivan and Scarlett, Jonathan}, volume = {202}, series = {Proceedings of Machine Learning Research}, month = {23--29 Jul}, publisher = {PMLR}, pdf = {https://proceedings.mlr.press/v202/xu23e/xu23e.pdf}, url = {https://proceedings.mlr.press/v202/xu23e.html}, abstract = {The studies on adversarial attacks and defenses have greatly improved the robustness of Deep Neural Networks (DNNs). Most advanced approaches have been overwhelmingly designed for continuous data such as images. However, these achievements are still hard to be generalized to categorical data. To bridge this gap, we propose a novel framework, Probabilistic Categorical Adversarial Attack (or PCAA). It transfers the discrete optimization problem of finding categorical adversarial examples to a continuous problem that can be solved via gradient-based methods. We analyze the optimality (attack success rate) and time complexity of PCAA to demonstrate its significant advantage over current search-based attacks. More importantly, through extensive empirical studies, we demonstrate that the well-established defenses for continuous data, such as adversarial training and TRADES, can be easily accommodated to defend DNNs for categorical data.} }
Endnote
%0 Conference Paper %T Probabilistic Categorical Adversarial Attack and Adversarial Training %A Han Xu %A Pengfei He %A Jie Ren %A Yuxuan Wan %A Zitao Liu %A Hui Liu %A Jiliang Tang %B Proceedings of the 40th International Conference on Machine Learning %C Proceedings of Machine Learning Research %D 2023 %E Andreas Krause %E Emma Brunskill %E Kyunghyun Cho %E Barbara Engelhardt %E Sivan Sabato %E Jonathan Scarlett %F pmlr-v202-xu23e %I PMLR %P 38428--38442 %U https://proceedings.mlr.press/v202/xu23e.html %V 202 %X The studies on adversarial attacks and defenses have greatly improved the robustness of Deep Neural Networks (DNNs). Most advanced approaches have been overwhelmingly designed for continuous data such as images. However, these achievements are still hard to be generalized to categorical data. To bridge this gap, we propose a novel framework, Probabilistic Categorical Adversarial Attack (or PCAA). It transfers the discrete optimization problem of finding categorical adversarial examples to a continuous problem that can be solved via gradient-based methods. We analyze the optimality (attack success rate) and time complexity of PCAA to demonstrate its significant advantage over current search-based attacks. More importantly, through extensive empirical studies, we demonstrate that the well-established defenses for continuous data, such as adversarial training and TRADES, can be easily accommodated to defend DNNs for categorical data.
APA
Xu, H., He, P., Ren, J., Wan, Y., Liu, Z., Liu, H. & Tang, J.. (2023). Probabilistic Categorical Adversarial Attack and Adversarial Training. Proceedings of the 40th International Conference on Machine Learning, in Proceedings of Machine Learning Research 202:38428-38442 Available from https://proceedings.mlr.press/v202/xu23e.html.

Related Material