10. Defenses against AE (adversarial examples)
● Methods
○ Adversarial Training
○ Detection
○ Defensive Distillation
● Goals
○ Low impact on the model architecture
○ Maintain model speed
○ Maintain accuracy
○ Defense should be targeted
11. Related Work
● Adversarial Attack
○ Intriguing properties of neural networks (2013)
○ Universal adversarial perturbations (2016)
○ One pixel attack for fooling deep neural networks (2017)
● Defense against adversarial attacks
○ Ensemble adversarial training: Attacks and defenses (2018)
● Graph Convolutional Network
○ Graph attention networks (2017)
12. Overview
● Use non-local forward propagation
○ GCN (Graph Convolutional Network)
● Results
○ higher robustness (up to 3x) to adversarial attacks
■ minor accuracy drop
○ strong regularization effect
■ Peer Regularization
24. Randomized approximation
● Problem: searching for nearest neighbours across all available samples
○ not feasible due to memory and computation limitations
● Solution: use a Monte Carlo approximation (neighbours are searched in a random subset of peer samples, averaged over M forward passes)
○ In order to limit the computational overhead,
■ M = 1 is used during training,
■ whereas larger values of M are used during inference
26. Training & Inference
● Training
○ All the images of the current batch are peers
○ Select K-nearest neighbours with cosine distance
■ K = 10
○ Dropout
■ 0.2 on the all-pairs distance
■ 0.5 on the attention weights
● Inference
○ N fixed peer images
■ N = 50 on MNIST, CIFAR-10
■ N = 500 on CIFAR-100
○ Monte Carlo sampling over M forward passes
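The randomized approximation (slide 24) and the training/inference procedure (slide 26) as one worked example in NumPy. This is an added illustration, not code from the PeerNets paper or from these slides. Assumptions not stated on the page: the attention weights are a temperature-scaled softmax over the cosine similarities of the K selected neighbours (the paper learns its attention; here it is fixed), the image's own pixels are part of the peer pool during training, and the Monte Carlo step draws a random subset of the peer pixel pool before the nearest-neighbour search. The feature maps are constructed toy data.

```python
import numpy as np

# Added example, not the paper's or the slides' code. Assumptions:
# fixed softmax-over-cosine attention with temperature tau, the batch
# (self included) forms the training peer pool, and Monte Carlo sampling
# picks a random subset of peer pixels per forward pass.


def cosine_similarity(a, b, eps=1e-8):
    """Row-wise cosine similarity: a (n, d), b (m, d) -> (n, m)."""
    an = a / (np.linalg.norm(a, axis=1, keepdims=True) + eps)
    bn = b / (np.linalg.norm(b, axis=1, keepdims=True) + eps)
    return an @ bn.T


def peer_regularize(x, pool, k=10, tau=0.1, training=False,
                    p_drop_dist=0.2, p_drop_attn=0.5, rng=None):
    """One peer-regularization pass.

    x    : (P, d) per-pixel features of the image being processed
    pool : (Q, d) candidate peer pixels (all pixels of all peer images)
    Returns (x_tilde, idx, alpha): the non-local replacement for x (P, d),
    the pool index of each selected neighbour (P, k) and its weight (P, k).
    """
    rng = rng if rng is not None else np.random.default_rng()
    k = min(k, pool.shape[0])
    sim = cosine_similarity(x, pool)                      # (P, Q) all pairs
    if training and p_drop_dist > 0:
        # dropout 0.2 on the all-pairs distance: a dropped pair is never chosen
        sim = np.where(rng.random(sim.shape) < p_drop_dist, -np.inf, sim)
    # K nearest neighbours under cosine distance == K largest similarities
    idx = np.argpartition(-sim, k - 1, axis=1)[:, :k]     # (P, k)
    s = np.take_along_axis(sim, idx, axis=1) / tau
    s = s - s.max(axis=1, keepdims=True)                  # stable softmax
    alpha = np.exp(s)
    alpha = alpha / alpha.sum(axis=1, keepdims=True)
    if training and p_drop_attn > 0:
        # dropout 0.5 on the attention weights (inverted dropout scaling)
        keep = rng.random(alpha.shape) >= p_drop_attn
        alpha = alpha * keep / (1.0 - p_drop_attn)
    x_tilde = np.einsum("pk,pkd->pd", alpha, pool[idx])   # weighted peer sum
    return x_tilde, idx, alpha


def training_forward(batch, k=10, rng=None):
    """Training mode (M = 1): every image of the batch is a peer of every
    other; batch is (B, P, d), the result has the same shape."""
    rng = rng if rng is not None else np.random.default_rng(0)
    pool = batch.reshape(-1, batch.shape[-1])             # (B*P, d)
    out = np.empty(batch.shape, dtype=float)
    for i in range(batch.shape[0]):
        out[i], _, _ = peer_regularize(batch[i], pool, k=k, training=True, rng=rng)
    return out


def peer_regularize_mc(x, peers, k=10, m=5, n_sample=None, rng=None, tau=0.1):
    """Inference: Monte Carlo average of M passes, each searching neighbours
    only in a random subset of n_sample pixels drawn from the N fixed peer
    images (peers is (N, P, d)). n_sample=None means exhaustive search."""
    rng = rng if rng is not None else np.random.default_rng(0)
    pool = peers.reshape(-1, peers.shape[-1])             # (N*P, d)
    n_sample = pool.shape[0] if n_sample is None else min(n_sample, pool.shape[0])
    acc = np.zeros(x.shape, dtype=float)
    for _ in range(m):
        subset = rng.choice(pool.shape[0], size=n_sample, replace=False)
        x_tilde, _, _ = peer_regularize(x, pool[subset], k=k, tau=tau, training=False)
        acc += x_tilde
    return acc / m


if __name__ == "__main__":
    # constructed toy feature maps: one query image with 2 pixels, 2 peers
    x = np.array([[1.0, 0.0, 0.0], [0.0, 1.0, 0.0]])
    peers = np.array([[[2.0, 0.0, 0.0], [0.0, 3.0, 0.0]],
                      [[0.0, 0.0, 1.0], [1.0, 1.0, 0.0]]])
    xt, idx, alpha = peer_regularize(x, peers.reshape(-1, 3), k=2)
    print("neighbours per pixel:", idx.tolist())
    print("attention weights  :", np.round(alpha, 3).tolist())
    print("exact search       :", np.round(xt, 3).tolist())
    mc = peer_regularize_mc(x, peers, k=2, m=8, n_sample=2, rng=np.random.default_rng(1))
    print("MC approximation   :", np.round(mc, 3).tolist())
```

The Monte Carlo variant trades exactness for cost: with n_sample equal to the pool size it reproduces the exhaustive search, and with a smaller subset each pass only sees part of the peer pool, which is why several passes (larger M) are averaged at inference while training gets by with M = 1.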
27. Experiments
● Benchmarks
○ MNIST w/ LeNet5
○ CIFAR-10 w/ ResNet-32
○ CIFAR-100 w/ ResNet-100
● Attacks
○ White-box: gradient-based, fast gradient sign method (FGSM), universal adversarial perturbation
● Metrics
○ fooling rate: ratio of images for which the network predicts a different label as the result of the perturbation
● Hyperparameters
○ K = 10 for all the experiments
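The white-box FGSM attack and the fooling-rate metric from slide 27, as an added example that is not part of the slides or the paper. To keep the outcome checkable by hand it uses a constructed two-class linear softmax classifier (identity weights, zero bias) and four constructed inputs; the cross-entropy gradient for such a model is (softmax(z) - onehot(y)) @ W, which is what the attack steps along.

```python
import numpy as np

# Added example, not from the paper or slides. W, B, X and Y are
# constructed so that FGSM results can be verified by hand.
W = np.eye(2)          # 2 classes, 2 features: logits = x @ W.T + B
B = np.zeros(2)

X = np.array([[2.0, 0.0],    # confident class 0
              [0.0, 2.5],    # confident class 1
              [0.4, 0.0],    # near the decision boundary, class 0
              [0.0, 0.3]])   # near the decision boundary, class 1
Y = np.array([0, 1, 0, 1])


def logits(x):
    return x @ W.T + B


def predict(x):
    return np.argmax(logits(x), axis=1)


def softmax(z):
    z = z - z.max(axis=1, keepdims=True)
    e = np.exp(z)
    return e / e.sum(axis=1, keepdims=True)


def fgsm(x, y, eps):
    """White-box FGSM: x_adv = x + eps * sign(d loss / d x) for the
    cross-entropy loss at the true label y. For a linear softmax model the
    input gradient is (softmax(z) - onehot(y)) @ W."""
    p = softmax(logits(x))
    onehot = np.eye(W.shape[0])[y]
    grad = (p - onehot) @ W
    return x + eps * np.sign(grad)


def fooling_rate(x_clean, x_adv):
    """Ratio of inputs whose predicted label changes under the perturbation
    (compared against the clean prediction, not the ground truth)."""
    return float(np.mean(predict(x_clean) != predict(x_adv)))


def sweep(eps_values=(0.0, 0.5, 1.5)):
    """Fooling rate of FGSM on X for each perturbation budget eps."""
    return {eps: fooling_rate(X, fgsm(X, Y, eps)) for eps in eps_values}


if __name__ == "__main__":
    for eps, rate in sweep().items():
        print(f"eps={eps:.1f}  fooling rate={rate:.2f}")
```

At eps = 0.5 only the two near-boundary inputs flip, at eps = 1.5 all four do; the same loop applied to a defended and an undefended network, with the same eps budget, is how the "up to 3x higher robustness" comparison on slide 12 is expressed in fooling-rate terms.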