DataFreeShield: Defending Adversarial Attacks without Training Data
Hyeyoon Lee, Kanghyun Choi, Dain Kwon, Sunjong Park, Mayoore Selvarasa Jaiswal, Noseong Park, Jonghyun Choi, Jinho Lee

TL;DR
DataFreeShield targets adversarial robustness when only a model's pretrained weights are available and the original training data is not: it generates a surrogate dataset from the model and adversarially trains on that, covering the common case where the data is kept private for security or privacy reasons.
Contribution
It is the first method to provide a fully data-free solution for adversarial robustness, combining surrogate data generation with adversarial training.
Findings
Outperforms baseline methods in robustness
Effective surrogate dataset generation without original data
First fully data-free adversarial robustness solution
Abstract
Recent advances in adversarial robustness rely on an abundant set of training data, where using external or additional datasets has become a common setting. However, in real life, the training data is often kept private for security and privacy issues, while only the pretrained weight is available to the public. In such scenarios, existing methods that assume accessibility to the original data become inapplicable. Thus we investigate the pivotal problem of data-free adversarial robustness, where we try to achieve adversarial robustness without accessing any real data. Through a preliminary study, we highlight the severity of the problem by showing that robustness without the original dataset is difficult to achieve, even with similar domain datasets. To address this issue, we propose DataFreeShield, which tackles the problem from two perspectives: surrogate dataset generation and…
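The data-free setting the abstract describes, as an added example that is not the paper's code: a teacher is trained on a constructed "private" dataset that is never read again; surrogate inputs are then produced purely from the teacher's weights by model inversion (the spread of target confidences is a stand-in for the diversity term the paper describes, not its actual generation loss); a student is trained on the surrogate set with L-inf PGD adversarial training against the teacher's soft labels; and both clean and robust accuracy are measured on held-out real data. The MLP, the inversion objective, the PGD settings and the blob data are all assumptions of this example.

```python
"""Toy data-free adversarial training pipeline (NumPy only).

Added example, not code from the DataFreeShield paper. Assumptions:
  * the "private" training set is a constructed pair of 2-D Gaussian blobs,
    used only to train the teacher and never touched afterwards;
  * surrogate data comes from model inversion: noise is optimised until the
    teacher's confidence hits a randomly drawn target, so samples land at
    varying distances from the decision boundary (a stand-in for a diversity
    term, not the paper's generation loss);
  * the student is trained on the teacher's soft labels with L-inf PGD
    adversarial training and evaluated on held-out real data.
"""
import numpy as np

BOX = 3.0  # valid input range, the analogue of clamping images to [0, 1]


def init_params(rng, n_in=2, n_hidden=16):
    return {"W1": rng.normal(0, 0.5, (n_in, n_hidden)), "b1": np.zeros(n_hidden),
            "w2": rng.normal(0, 0.5, n_hidden), "b2": 0.0}


def forward(p, x):
    """One-hidden-layer tanh MLP with sigmoid output: returns (hidden, P(y=1|x))."""
    h = np.tanh(x @ p["W1"] + p["b1"])
    return h, 1.0 / (1.0 + np.exp(-(h @ p["w2"] + p["b2"])))


def grads(p, x, y):
    """Binary cross-entropy gradients against (possibly soft) targets y.
    Returns (mean parameter gradients, per-sample input gradients)."""
    h, prob = forward(p, x)
    dz = prob - y                                  # dL/dlogit, per sample
    dh = np.outer(dz, p["w2"]) * (1.0 - h ** 2)    # back through tanh
    dparams = {"W1": x.T @ dh / len(x), "b1": dh.mean(axis=0),
               "w2": h.T @ dz / len(x), "b2": dz.mean()}
    return dparams, dh @ p["W1"].T


def pgd(p, x, y, eps, steps=10):
    """L-inf PGD: ascend the loss inside the eps-ball around x, staying in BOX."""
    alpha = 2.5 * eps / steps
    x_adv = x.copy()
    for _ in range(steps):
        _, dx = grads(p, x_adv, y)
        x_adv = np.clip(x_adv + alpha * np.sign(dx), x - eps, x + eps)
        x_adv = np.clip(x_adv, -BOX, BOX)
    return x_adv


def train(p, x, y, epochs=500, lr=0.3, eps=0.0):
    """Full-batch gradient descent; eps > 0 switches to PGD adversarial training."""
    for _ in range(epochs):
        x_batch = pgd(p, x, y, eps) if eps > 0 else x
        d, _ = grads(p, x_batch, y)
        for k in p:
            p[k] = p[k] - lr * d[k]
    return p


def predict(p, x):
    return (forward(p, x)[1] > 0.5).astype(int)


def synthesize(teacher, rng, n, steps=500, lr=0.02):
    """Invert the teacher without any real data: each sample starts as noise and is
    moved by gradient descent on the cross-entropy until the teacher assigns it a
    random target confidence in (0.55, 0.95) for a random class."""
    conf = rng.uniform(0.55, 0.95, n)
    target = np.where(rng.integers(0, 2, n) == 1, conf, 1.0 - conf)
    x = rng.uniform(-1.5, 1.5, (n, 2))
    for _ in range(steps):
        _, dx = grads(teacher, x, target)
        x = np.clip(x - lr * dx, -BOX, BOX)
    return x, forward(teacher, x)[1]                # inputs plus teacher soft labels


def accuracy(p, x, y, eps=0.0):
    """Clean accuracy, or robust accuracy (correct on x and on its PGD perturbation)."""
    ok = predict(p, x) == y
    if eps > 0:
        ok &= predict(p, pgd(p, x, y, eps)) == y
    return float(ok.mean())


def make_private_data(rng, n):
    """Constructed stand-in for the private training set: two 2-D blobs."""
    y = rng.integers(0, 2, n)
    centre = np.where(y[:, None] == 1, [1.5, 0.0], [-1.5, 0.0])
    return centre + rng.normal(0, 0.6, (n, 2)), y.astype(float)


def run(seed=0, eps=0.5, n_synth=200):
    rng = np.random.default_rng(seed)
    x_priv, y_priv = make_private_data(rng, 400)
    x_test, y_test = make_private_data(rng, 1000)
    teacher = train(init_params(rng), x_priv, y_priv)
    # From here on only the teacher's weights are used; x_priv is never read again.
    x_syn, y_soft = synthesize(teacher, rng, n_synth)
    student_std = train(init_params(rng), x_syn, y_soft)
    student_adv = train(init_params(rng), x_syn, y_soft, eps=eps)
    return {
        "teacher_clean": accuracy(teacher, x_test, y_test),
        "teacher_robust": accuracy(teacher, x_test, y_test, eps),
        "student_std_clean": accuracy(student_std, x_test, y_test),
        "student_std_robust": accuracy(student_std, x_test, y_test, eps),
        "student_adv_clean": accuracy(student_adv, x_test, y_test),
        "student_adv_robust": accuracy(student_adv, x_test, y_test, eps),
        "synth_in_box": bool(np.all(np.abs(x_syn) <= BOX)),
    }


if __name__ == "__main__":
    for k, v in run().items():
        print(f"{k:>20}: {v}")
```

Two things to watch for when scaling this up, both of which the reviews below touch on: robust accuracy must be reported on real held-out data rather than on the surrogate set, because the surrogate distribution can differ from the private one (the mismatch the abstract's preliminary study is about), and PGD with a few steps is only a lower bound on the true worst case, so the numbers it gives are optimistic compared with a stronger attack such as AutoAttack.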
Peer Reviews
Decision: ICML 2024 Poster
1. This paper explores a novel, realistic scenario-based approach to adversarial training. 2. The motivation of the entire framework is clear. 3. This paper is richly designed with experiments.
1. Although this setup is interesting, we have doubts about its actual performance. Compared with the adversarial training model, the adversarial robustness obtained in Table 3 is very low and difficult to use in practice. Especially on CIFAR100, the robust accuracy of ResNet-20 under AA is only 5.97, and the clean accuracy is significantly lower than the normal model (60%+). 2. Please analyze the time complexity of the compared methods, which is important for practical applications. 3. How to
1. Authors do a great job explaining their method, including qualitative results/visualizations wherever possible to convey important points regarding their method. For example, I particularly liked the usage of a toy example to demonstrate how using dynamic loss weights during synthesis process increases diversity of synthetic data. Overall, the writing quality and presentation is great. 2. In my opinion, the methods proposed by authors are simple, intuitive, and effective. These methods includ
1. The explanation of the gradient refinement strategy seems rushed. The authors say that targeting a smoother loss landscape will make it more likely that there is alignment between minima achieved using real and synthetic data. Then, the authors describe the design of their gradient refinement strategy. There is no connection presented between the initial idea (smoother loss landscape) and the proposed method to implement/enforce said idea (gradient refinement). As a result, it is not clear ho
1. The paper is well-written and easy to follow. 2. The problem is very interesting, which enhances the model's robustness without the training data. It might be useful in some cases. 3. The authors have conducted extensive experiments to validate the effectiveness.
1. It is not clear how you synthesize the samples. Especially, how can you adopt Eq (8) to generate the samples? 2. It is not clear why the authors can adopt synthetic data to improve the model robustness while the images from other domains cannot. In my opinion, the synthetic data is also from different domains. 3. Apart from adversarial training, there are also some defense techniques which do not need training data. For instance, randomly transforming the input data before feeding them into t
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Malware Detection Techniques · Anomaly Detection Techniques and Applications
Methods: Sparse Evolutionary Training
