Papers

Deep vision models are successfully employed in many applications. However, recent studies have shown that they are vulnerable to adversarial sample attacks. Existing adversarial defense methods are either limited to specific types of attacks or are too complex to be applied to practical vision models. More importantly, these methods rely on techniques that are not interpretable to humans. In this work, we argue that an effective defense method should produce the decision that explains why the system is attacked with a representation that is easily readable by a human user, e.g. a logic formalism. To this end, we propose logic adversarial defense (LogicDef), a defense framework that utilizes the scene graph of the image to provide a contextual structure for detecting and explaining object misclassification. Our framework first mines inductive logic rules from the graph that predict the objects, and then uses these rules to construct a defense model that alerts the users when the vision model violates the rules. The defense model is interpretable and its robustness can be further enhanced by incorporating commonsense knowledge from ConceptNet. Moreover, we propose a curriculum learning of the defense model based on object taxonomy which yields additional improvements in performance.

poster session 4 @ red 2, poster session 11 @ red 2, oral session 4 @ red 2, poster session 4, poster session 11, oral session 4

Deep neural networks are vulnerable to input deformations in the form of vector fields of pixel displacements and to other parameterized geometric deformations \eg translations, rotations, etc. Current input deformation certification methods either (\textbf{i}) do not scale to deep networks on large input datasets, or (\textbf{ii}) can only certify a specific class of deformations, \eg only rotations. We reformulate certification in randomized smoothing setting for both general vector field and parameterized deformations and propose \textsc{DeformRS-VF} and \textsc{DeformRS-Par}, respectively. Our new formulation scales to large networks on large input datasets. For instance, \textsc{DeformRS-Par} certifies rich deformations, covering translations, rotations, scaling, affine deformations, and other visually aligned deformations such as ones parameterized by Discrete-Cosine-Transform basis. Extensive experiments on MNIST, CIFAR10, and ImageNet show competitive performance of \textsc{DeformRS-Par} achieving a certified accuracy of $39\%$ against perturbed rotations in the set $[-10\degree,10\degree]$ on ImageNet.

poster session 4 @ red 2, poster session 11 @ red 2, oral session 4 @ red 2, poster session 4, poster session 11, oral session 4

We report a new neural backdoor attack, named Hibernated Backdoor, which is stealthy, aggressive and devastating. The backdoor is planted in a hibernated mode to avoid being detected. Once deployed and fine-tuned on end-devices, the hibernated backdoor turns into the active state that can be exploited by the attacker. To the best of our knowledge, this is the first hibernated neural backdoor attack. It is achieved by maximizing the mutual information (MI) between the gradients of regular and malicious data on the model. We introduce a practical algorithm to achieve MI maximization to effectively plant the hibernated backdoor. To evade adaptive defenses, we further develop a targeted hibernated backdoor, which can only be activated by specific data samples and thus achieves a higher degree of stealthiness. We show the hibernated backdoor is robust and cannot be removed by existing backdoor removal schemes. It has been fully tested on four datasets with two neural network architectures, compared to five existing backdoor attacks, and evaluated using seven backdoor detection schemes. The experiments demonstrate the effectiveness of the hibernated backdoor attack under various settings.

poster session 4 @ red 2, poster session 11 @ red 2, oral session 4 @ red 2, poster session 4, poster session 11, oral session 4