Robustness of Sketched Linear Classifiers to Adversarial Attacks

Ananth Mahadevan; Arpit Merchant; Yanhao Wang; Michael Mathioudakis

doi:10.1145/3511808.3557687

Robustness of Sketched Linear Classifiers to Adversarial Attacks

Ananth Mahadevan, Arpit Merchant, Yanhao Wang, Michael Mathioudakis

Forskningsoutput: Kapitel i bok/rapport/konferenshandling › Konferensbidrag › Vetenskaplig › Peer review

Sammanfattning

Linear classifiers are well-known to be vulnerable to adversarial attacks: they may predict incorrect labels for input data that are adversarially modified with small perturbations. However, this phenomenon has not been properly understood in the context of sketch-based linear classifiers, typically used in memory-constrained paradigms, which rely on random projections of the features for model compression. In this paper, we propose novel Fast-Gradient-Sign Method (FGSM) attacks for sketched classifiers in full, partial, and black-box information settings with regards to their internal parameters. We perform extensive experiments on the MNIST dataset to characterize their robustness as a function of perturbation budget. Our results suggest that, in the full-information setting, these classifiers are less accurate on unaltered input than their uncompressed counterparts but just as susceptible to adversarial attacks. But in more realistic partial and black-box information settings, sketching improves robustness while having lower memory footprint.

Originalspråk	engelska
Titel på värdpublikation	International Conference on Information and Knowledge Management (CIKM)
Antal sidor	5
Förlag	Association for Computing Machinery
Utgivningsdatum	okt. 2022
Sidor	4319-4323
ISBN (elektroniskt)	978-1-4503-9236-5
DOI	https://doi.org/10.1145/3511808.3557687
Status	Publicerad - okt. 2022
MoE-publikationstyp	A4 Artikel i en konferenspublikation
Evenemang	International Conference on Information and Knowledge Management - Atlanta, Förenta Staterna (USA) Varaktighet: 17 okt. 2022 → 21 okt. 2022 Konferensnummer: 31

Vetenskapsgrenar

113 Data- och informationsvetenskap

Åtkomst av dokument

10.1145/3511808.3557687Licens: CC BY-NC

3511808.3557687Slutlig publicerad version, 1,63 MBLicens: CC BY-NC

Machine Learning Management Systems
Mahadevan, A. (Deltagare) & Mathioudakis, M. (Projektledare)
01/01/2020 → 31/12/2023
Projekt: Universitetens basfinansiering
MLDB: Model Management Systems: Machine learning meets Database Systems
Mathioudakis, M. (Projektledare), Gionis, A. (Co-Principal Investigator), Mahadevan, A. (deltagare), Merchant, A. (deltagare) & Pai, S. G. (deltagare)
Suomen Akatemia Projektilaskutus
01/09/2019 → 31/12/2023
Projekt: Finlands Akademi: Akademiprojektsbidrag

Citera det här

@inproceedings{2423b1060a614a47abadd056c6822c5e,

title = "Robustness of Sketched Linear Classifiers to Adversarial Attacks",

abstract = "Linear classifiers are well-known to be vulnerable to adversarial attacks: they may predict incorrect labels for input data that are adversarially modified with small perturbations. However, this phenomenon has not been properly understood in the context of sketch-based linear classifiers, typically used in memory-constrained paradigms, which rely on random projections of the features for model compression. In this paper, we propose novel Fast-Gradient-Sign Method (FGSM) attacks for sketched classifiers in full, partial, and black-box information settings with regards to their internal parameters. We perform extensive experiments on the MNIST dataset to characterize their robustness as a function of perturbation budget. Our results suggest that, in the full-information setting, these classifiers are less accurate on unaltered input than their uncompressed counterparts but just as susceptible to adversarial attacks. But in more realistic partial and black-box information settings, sketching improves robustness while having lower memory footprint.",

keywords = "113 Computer and information sciences",

author = "Ananth Mahadevan and Arpit Merchant and Yanhao Wang and Michael Mathioudakis",

year = "2022",

month = oct,

doi = "10.1145/3511808.3557687",

language = "English",

pages = "4319--4323",

booktitle = "International Conference on Information and Knowledge Management (CIKM)",

publisher = "Association for Computing Machinery",

address = "United States",

note = "International Conference on Information and Knowledge Management , CIKM ; Conference date: 17-10-2022 Through 21-10-2022",

}

Mahadevan, A , Merchant, A, Wang, Y & Mathioudakis, M 2022, Robustness of Sketched Linear Classifiers to Adversarial Attacks. i International Conference on Information and Knowledge Management (CIKM). Association for Computing Machinery, s. 4319-4323, International Conference on Information and Knowledge Management , Atlanta, Förenta Staterna (USA), 17/10/2022. https://doi.org/10.1145/3511808.3557687

TY - GEN

T1 - Robustness of Sketched Linear Classifiers to Adversarial Attacks

AU - Mahadevan, Ananth

AU - Merchant, Arpit

AU - Wang, Yanhao

AU - Mathioudakis, Michael

N1 - Conference code: 31

PY - 2022/10

Y1 - 2022/10

N2 - Linear classifiers are well-known to be vulnerable to adversarial attacks: they may predict incorrect labels for input data that are adversarially modified with small perturbations. However, this phenomenon has not been properly understood in the context of sketch-based linear classifiers, typically used in memory-constrained paradigms, which rely on random projections of the features for model compression. In this paper, we propose novel Fast-Gradient-Sign Method (FGSM) attacks for sketched classifiers in full, partial, and black-box information settings with regards to their internal parameters. We perform extensive experiments on the MNIST dataset to characterize their robustness as a function of perturbation budget. Our results suggest that, in the full-information setting, these classifiers are less accurate on unaltered input than their uncompressed counterparts but just as susceptible to adversarial attacks. But in more realistic partial and black-box information settings, sketching improves robustness while having lower memory footprint.

AB - Linear classifiers are well-known to be vulnerable to adversarial attacks: they may predict incorrect labels for input data that are adversarially modified with small perturbations. However, this phenomenon has not been properly understood in the context of sketch-based linear classifiers, typically used in memory-constrained paradigms, which rely on random projections of the features for model compression. In this paper, we propose novel Fast-Gradient-Sign Method (FGSM) attacks for sketched classifiers in full, partial, and black-box information settings with regards to their internal parameters. We perform extensive experiments on the MNIST dataset to characterize their robustness as a function of perturbation budget. Our results suggest that, in the full-information setting, these classifiers are less accurate on unaltered input than their uncompressed counterparts but just as susceptible to adversarial attacks. But in more realistic partial and black-box information settings, sketching improves robustness while having lower memory footprint.

KW - 113 Computer and information sciences

U2 - 10.1145/3511808.3557687

DO - 10.1145/3511808.3557687

M3 - Conference contribution

SP - 4319

EP - 4323

BT - International Conference on Information and Knowledge Management (CIKM)

PB - Association for Computing Machinery

T2 - International Conference on Information and Knowledge Management

Y2 - 17 October 2022 through 21 October 2022

ER -

Robustness of Sketched Linear Classifiers to Adversarial Attacks

Sammanfattning

Vetenskapsgrenar

Åtkomst av dokument

Projekt

Machine Learning Management Systems

MLDB: Model Management Systems: Machine learning meets Database Systems

Citera det här