DataFreeShield: Defending Adversarial Attacks without Training Data

21 Sept 2023 (modified: 11 Feb 2024). Submitted to ICLR 2024.
Primary Area: societal considerations including fairness, safety, privacy
Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics.
Keywords: Data-free, Adversarial Robustness, Adversarial Training
Submission Guidelines: I certify that this submission complies with the submission instructions as described on https://iclr.cc/Conferences/2024/AuthorGuide.
TL;DR: A completely data-free approach to achieving adversarial robustness
Abstract: Recent advances in adversarial robustness rely on an abundant set of training data, and using external or additional datasets has become a common setting. However, because of security and privacy concerns, it is more common that a pretrained model is available while the dataset is not. In such a scenario, existing methods that assume access to the original data become inapplicable. For the first time, we propose the problem of learning *data-free adversarial robustness*: given only a pretrained model, adversarial robustness should be achieved without accessing the training dataset. In our preliminary study, we find that robustness without the original dataset is difficult to achieve, even with datasets from a similar domain. We tackle the task from two perspectives: surrogate dataset generation and adversarial training on the generated data. For dataset generation, we propose diversified sample synthesis, which substantially increases the diversity of synthetic samples, which are known to have low coverage. For training, we propose a soft label loss that best learns robustness from noisy synthetic samples, and a gradient refinement method that drives the model toward a smoother loss surface. Extensively validating our methods on four datasets, we show that the proposed solution outperforms several baselines, demonstrating that it provides the first solution to the data-free robustness problem.
Anonymous Url: I certify that there is no URL (e.g., github page) that could be used to find authors' identity.
Supplementary Material: zip
No Acknowledgement Section: I certify that there is no acknowledgement section in this submission for double blind review.
Submission Number: 3160