Enhancing Adversarial Robustness on Categorical Data via Attribution Smoothing

22 Sept 2023 (modified: 11 Feb 2024) Submitted to ICLR 2024
Primary Area: societal considerations including fairness, safety, privacy
Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics.
Keywords: Adversarial Robustness, Categorical Data, Attribution Smoothing, Information Theory
Submission Guidelines: I certify that this submission complies with the submission instructions as described on https://iclr.cc/Conferences/2024/AuthorGuide.
TL;DR: Guided by the proposed theory, we enhance the adversarial robustness of categorical data by smoothing the sensitivity of each feature's attribution and the classifier's decision boundary.
Abstract: Much effort has been devoted to alleviating the adversarial risk of deep neural networks on continuous inputs. Adversarial robustness on general categorical inputs, especially tabular categorical attributes, has received much less attention. To address this challenge, our work aims to enhance the robustness of classification over categorical attributes against adversarial perturbations. We establish an information-theoretic upper bound on the expected adversarial risk. Based on it, we propose an adversarially robust learning method, named Integrated Gradient-Smoothed Gradient (IGSG)-based regularization. It is designed to smooth the attributional sensitivity of each feature and the decision boundary of the classifier in order to achieve lower adversarial risk, i.e., to desensitize the classifier to perturbations of the categorical attributes. We conduct an extensive empirical study over categorical datasets from various application domains. The experimental results confirm the effectiveness of IGSG, which surpasses the state-of-the-art robust training methods by approximately 0.4% to 12.2% on average in adversarial accuracy, especially on high-dimensional datasets.
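The abstract's two ingredients, integrated-gradient attributions of one-hot categorical features and an adversary that edits categories, can be made concrete with the following toy. This is an added illustration, not the paper's IGSG code (the submission page carries no code); everything in it is an assumption: a logistic classifier over a constructed one-hot encoding, an all-zeros IG baseline, a single-category flip as the threat model, and the worst-case L1 change of the IG vector under such a flip as a stand-in for "attributional sensitivity". The two weight vectors SHARP_W and SMOOTH_W are hand-picked to contrast a flip-sensitive classifier with a desensitized one.

```python
import math

# Constructed toy setting (illustration only, not the paper's IGSG implementation):
# three categorical attributes with 3, 2 and 4 possible values, one-hot encoded.
CARDINALITIES = [3, 2, 4]
DIM = sum(CARDINALITIES)
BASELINE = [0.0] * DIM   # all-zeros IG baseline (assumption)
POINT = [0, 0, 1]        # one sample, given as category indices per attribute

# Two hypothetical logistic classifiers over the one-hot encoding. SHARP has large
# weights, so a single category flip can push the logit across 0; SMOOTH is a
# hand-picked, less sensitive classifier used for comparison (both are assumptions).
SHARP_W = [3.0, -3.0, 0.0, 2.0, -2.0, 1.0, -1.0, 0.0, 1.5]
SHARP_B = 0.5
SMOOTH_W = [0.6, -0.6, 0.0, 0.4, -0.4, 0.2, -0.2, 0.0, 0.3]
SMOOTH_B = 0.5


def one_hot(cats):
    """Encode category indices as one concatenated one-hot vector."""
    x = [0.0] * DIM
    offset = 0
    for c, k in zip(cats, CARDINALITIES):
        x[offset + c] = 1.0
        offset += k
    return x


def predict(w, b, x):
    """Logistic classifier: P(y=1 | x) = sigmoid(w.x + b)."""
    z = sum(wi * xi for wi, xi in zip(w, x)) + b
    return 1.0 / (1.0 + math.exp(-z))


def grad_input(w, b, x):
    """Gradient of the predicted probability w.r.t. the input: p(1-p) * w."""
    p = predict(w, b, x)
    return [p * (1.0 - p) * wi for wi in w]


def integrated_gradients(w, b, x, baseline, steps=64):
    """IG_i = (x_i - x'_i) * integral_0^1 df/dx_i(x' + a (x - x')) da,
    approximated by a midpoint Riemann sum along the straight-line path."""
    acc = [0.0] * DIM
    for k in range(steps):
        a = (k + 0.5) / steps
        xa = [bi + a * (xi - bi) for xi, bi in zip(x, baseline)]
        for i, g in enumerate(grad_input(w, b, xa)):
            acc[i] += g
    return [(xi - bi) * gi / steps for xi, bi, gi in zip(x, baseline, acc)]


def flip_neighbours(cats):
    """Every input reachable by changing exactly one attribute to another category,
    i.e. the natural one-edit adversary for categorical data."""
    for j, k in enumerate(CARDINALITIES):
        for v in range(k):
            if v != cats[j]:
                neighbour = list(cats)
                neighbour[j] = v
                yield neighbour


def attribution_sensitivity(w, b, cats, baseline):
    """Worst-case L1 change of the IG attribution vector under one category flip
    (a proxy for attributional sensitivity; an assumption of this toy)."""
    ig0 = integrated_gradients(w, b, one_hot(cats), baseline)
    worst = 0.0
    for n in flip_neighbours(cats):
        ig1 = integrated_gradients(w, b, one_hot(n), baseline)
        worst = max(worst, sum(abs(p - q) for p, q in zip(ig0, ig1)))
    return worst


def adversarial_label_flip(w, b, cats):
    """True if some single-category flip changes the predicted class."""
    y0 = predict(w, b, one_hot(cats)) >= 0.5
    return any((predict(w, b, one_hot(n)) >= 0.5) != y0 for n in flip_neighbours(cats))


if __name__ == "__main__":
    x = one_hot(POINT)
    for name, w, b in [("sharp", SHARP_W, SHARP_B), ("smooth", SMOOTH_W, SMOOTH_B)]:
        ig = integrated_gradients(w, b, x, BASELINE)
        # IG completeness: attributions sum to f(x) - f(baseline).
        print(name, "IG sum", round(sum(ig), 4),
              "f(x)-f(x')", round(predict(w, b, x) - predict(w, b, BASELINE), 4))
        print(name, "attribution sensitivity",
              round(attribution_sensitivity(w, b, POINT, BASELINE), 4),
              "label flips under one edit:", adversarial_label_flip(w, b, POINT))
```

Running it shows the point the abstract makes: for the sharp classifier one category edit both flips the predicted label and swings the IG attribution vector by a large amount, while the smooth classifier keeps its label under every single edit and its attributions move far less. A regularizer in the spirit of the abstract would penalize the second quantity during training; how IGSG does that exactly is in the paper, not on this page.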
Anonymous Url: I certify that there is no URL (e.g., github page) that could be used to find authors' identity.
Supplementary Material: pdf
No Acknowledgement Section: I certify that there is no acknowledgement section in this submission for double blind review.
Submission Number: 4530