TL;DR
This paper introduces a defense against adversarial examples inspired by an optical co-processor that applies a fixed, nonlinear random transformation whose parameters stay hidden from the attacker; it improves robustness in both white-box and black-box settings without sacrificing natural accuracy.
Contribution
The paper presents a defense built on optical analog computing and trained with a hybrid backpropagation/synthetic-gradient method. Unlike earlier defenses that rely on obfuscated gradients, its hidden projection parameters could not be replaced by a reliable differentiable approximation for attack purposes, and the defense also improves robustness against black-box and transfer attacks.
Findings
Effective against white-box and black-box attacks
Maintains high natural accuracy on CIFAR datasets
Enhances robustness with optical random projections and binarization
Abstract
We propose a new defense mechanism against adversarial attacks inspired by an optical co-processor, providing robustness without compromising natural accuracy in both white-box and black-box settings. This hardware co-processor performs a nonlinear fixed random transformation, where the parameters are unknown and impossible to retrieve with sufficient precision for large enough dimensions. In the white-box setting, our defense works by obfuscating the parameters of the random projection. Unlike other defenses relying on obfuscated gradients, we find we are unable to build a reliable backward differentiable approximation for obfuscated parameters. Moreover, while our model reaches a good natural accuracy with a hybrid backpropagation/synthetic-gradient method, the same approach is suboptimal if employed to generate adversarial examples. We find the combination of a random projection…
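The white-box argument of the abstract, as an added illustration that is not the paper's code and not a model of its optical hardware: a constructed toy in which the defended front end is a fixed Gaussian projection with a quadratic nonlinearity and a threshold, and the projection matrix is the secret. The quadratic form, the 0.455 threshold factor (chosen so that the bits are balanced), the dimensions and the attacker's single gradient step are all assumptions. The experiment checks that the secret reproduces the features exactly, that they are stable under random noise of the attack budget, that a surrogate drawn without the secret matches the real features only at chance, and that a perturbation crafted to flip the attacker's chosen surrogate bits flips real bits at the same rate as random noise: a gradient taken through a guessed copy of the projection carries no information about the real one.

```python
"""Toy model of a defense built on a secret, fixed, nonlinear random projection.

Added illustration, not the paper's code or a model of its optical hardware:
bit_i = [ (w_i . x)^2 > tau ] with Gaussian w_i is a constructed stand-in for the
co-processor's nonlinear random transformation followed by binarization. The
threshold factor, dimensions and the attacker's step are assumptions.
"""
import math
import random

IN_DIM = 256    # input dimension (assumed)
OUT_DIM = 1024  # number of binary features (assumed)
# With w_i ~ N(0, I) and tau = 0.455 * ||x||^2 each bit is 1 with probability 1/2
# (0.455 is about the median of chi^2 with one degree of freedom), so two
# independent projections agree at chance level.
TAU_SCALE = 0.455


def random_projection(seed, out_dim=OUT_DIM, in_dim=IN_DIM):
    """The fixed Gaussian projection; the seed stands in for the secret parameters."""
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 1.0) for _ in range(in_dim)] for _ in range(out_dim)]


def dot(a, b):
    return sum(u * v for u, v in zip(a, b))


def norm(a):
    return math.sqrt(dot(a, a))


def binarized_features(x, W):
    """Nonlinear random projection followed by binarization (the defended front end)."""
    tau = TAU_SCALE * dot(x, x)
    return [1 if dot(w, x) ** 2 > tau else 0 for w in W]


def flip_rate(bits_a, bits_b):
    """Fraction of positions where the two bit vectors differ."""
    return sum(a != b for a, b in zip(bits_a, bits_b)) / len(bits_a)


def perturb(x, direction, rel_eps):
    """x + delta with ||delta|| = rel_eps * ||x||, delta parallel to direction."""
    scale = rel_eps * norm(x) / norm(direction)
    return [xi + scale * di for xi, di in zip(x, direction)]


def surrogate_attack_direction(x, W_guess, n_targets=8):
    """Attacker's gradient step through a surrogate built from guessed parameters.

    Takes the n_targets surrogate bits nearest the threshold and sums
    +/- grad (w_i . x)^2 = +/- 2 (w_i . x) w_i with the sign that pushes each
    bit across the threshold. Returns the direction and the targeted indices.
    """
    tau = TAU_SCALE * dot(x, x)
    z = [dot(w, x) for w in W_guess]
    targets = sorted(range(len(W_guess)), key=lambda i: abs(z[i] ** 2 - tau))[:n_targets]
    direction = [0.0] * len(x)
    for i in targets:
        sign = -1.0 if z[i] ** 2 > tau else 1.0
        for k, wk in enumerate(W_guess[i]):
            direction[k] += sign * z[i] * wk
    return direction, targets


def run_experiment(defender_seed=1, attacker_seed=2, input_seed=3, rel_eps=0.1):
    """Return four statistics (flip rates and agreement, all in [0, 1]) as a dict."""
    W_true = random_projection(defender_seed)   # lives inside the co-processor
    W_guess = random_projection(attacker_seed)  # attacker's independent draw
    rng = random.Random(input_seed)
    x = [rng.gauss(0.0, 1.0) for _ in range(IN_DIM)]      # constructed input
    noise = [rng.gauss(0.0, 1.0) for _ in range(IN_DIM)]  # constructed random direction

    true_bits = binarized_features(x, W_true)
    guess_bits = binarized_features(x, W_guess)

    # Random noise of the attack budget leaves most real bits unchanged ...
    true_flips_noise = flip_rate(true_bits, binarized_features(perturb(x, noise, rel_eps), W_true))
    # ... while a surrogate without the secret matches the real bits only at chance.
    surrogate_match = 1.0 - flip_rate(true_bits, guess_bits)

    # A step that flips the attacker's chosen surrogate bits is, for the real
    # projection, just another random direction of the same norm.
    direction, targets = surrogate_attack_direction(x, W_guess)
    x_adv = perturb(x, direction, rel_eps)
    adv_guess_bits = binarized_features(x_adv, W_guess)
    surrogate_target_flips = sum(guess_bits[i] != adv_guess_bits[i] for i in targets) / len(targets)
    true_flips_adv = flip_rate(true_bits, binarized_features(x_adv, W_true))

    return {
        "true_flips_noise": true_flips_noise,
        "surrogate_match": surrogate_match,
        "surrogate_target_flips": surrogate_target_flips,
        "true_flips_adv": true_flips_adv,
    }


if __name__ == "__main__":
    for name, value in run_experiment().items():
        print(f"{name:24s} {value:.3f}")
```

Running the script prints the four statistics: the surrogate agrees with the real features at about 50%, the crafted step flips essentially all of its eight targeted surrogate bits, and the real projection sees the same few percent of flips under the crafted step as under random noise. The attacker here even knows the exact form of the nonlinearity and the threshold rule; only the matrix is hidden, which is enough to make the surrogate's gradient useless. Recovering the matrix itself would need many queries against thresholded quadratic outputs, which is the separate "impossible to retrieve with sufficient precision" claim the abstract makes.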
Peer Reviews
No public reviews on file for this paper yet.
