Using Non-Linear Activation Functions to increase robustness of AI models to adversarial attacks

Itai Dror; Raz Birman; Aviram Lachmani; David Shmailov; Ofer Hadar

doi:10.1117/12.2638358

Using Non-Linear Activation Functions to increase robustness of AI models to adversarial attacks

Itai Dror, Raz Birman, Aviram Lachmani, David Shmailov, Ofer Hadar

School of Sustainability and Climate Change

Ben-Gurion University of the Negev

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Image classification tasks leverage CNN to yield accurate results that supersede their predecessor human-crafted algorithms. Applicable use cases include Autonomous, Face, Medical Imaging, and more. Along with the growing use of AI image classification applications, we see emerging research on the robustness of such models to adversarial attacks, which take advantage of the unique vulnerabilities of the Artificial Intelligence (AI) models to skew their classification results. While not visible to the Human Visual System (HVS), these attacks mislead the algorithms and yield wrong classification results. To be incorporated securely enough in real-world applications, AI-based image classification algorithms require protection that will increase their robustness to adversarial attacks. We propose replacing the commonly used Rectifier Linear Unit (ReLU) Activation Function (AF), which is piecewise linear, with non-linear AF to increase their robustness to adversarial attacks. This approach has been considered in recent research and is motivated by the observation that non-linear AF tends to diminish the effect of adversarial perturbations in the DNN layers. To gain credibility of the approach, we have applied Fast Sign Gradient Method (FGSM), and Hop-Skip-Jump (HSJ) attacks to a trained classification model of the MNIST dataset. We then replaced the AF of the model with non-linear AF (Sigmoid, GeLU, ELU, SeLU, and Tanh). We concluded that while attacks on the original model have a 100% success rate, the attack success rate is dropped by an average of 10% when non-linear AF is used.

Original language	American English
Title of host publication	Counterterrorism, Crime Fighting, Forensics, and Surveillance Technologies VI
Editors	Henri Bouma, Radhakrishna Prabhu, Robert J. Stokes, Yitzhak Yitzhaky
Publisher	SPIE
ISBN (Electronic)	9781510655539
DOIs	https://doi.org/10.1117/12.2638358
State	Published - 1 Jan 2022
Event	Counterterrorism, Crime Fighting, Forensics, and Surveillance Technologies VI 2022 - Berlin, Germany Duration: 5 Sep 2022 → 6 Sep 2022

Publication series

Name	Proceedings of SPIE - The International Society for Optical Engineering
Volume	12275

Conference

Conference	Counterterrorism, Crime Fighting, Forensics, and Surveillance Technologies VI 2022
Country/Territory	Germany
City	Berlin
Period	5/09/22 → 6/09/22

Keywords

Activation Functions
Adversarial Attacks
Boundary Attack
Deep Learning
HopSkipJump Attack

All Science Journal Classification (ASJC) codes

Electronic, Optical and Magnetic Materials
Condensed Matter Physics
Computer Science Applications
Applied Mathematics
Electrical and Electronic Engineering

Access to Document

10.1117/12.2638358

Cite this

Dror, I., Birman, R., Lachmani, A., Shmailov, D., & Hadar, O. (2022). Using Non-Linear Activation Functions to increase robustness of AI models to adversarial attacks. In H. Bouma, R. Prabhu, R. J. Stokes, & Y. Yitzhaky (Eds.), Counterterrorism, Crime Fighting, Forensics, and Surveillance Technologies VI Article 122750I (Proceedings of SPIE - The International Society for Optical Engineering; Vol. 12275). SPIE. https://doi.org/10.1117/12.2638358

Dror, Itai ; Birman, Raz ; Lachmani, Aviram et al. / Using Non-Linear Activation Functions to increase robustness of AI models to adversarial attacks. Counterterrorism, Crime Fighting, Forensics, and Surveillance Technologies VI. editor / Henri Bouma ; Radhakrishna Prabhu ; Robert J. Stokes ; Yitzhak Yitzhaky. SPIE, 2022. (Proceedings of SPIE - The International Society for Optical Engineering).

@inproceedings{4fd3dcca90a2476da2fa233f26b302de,

title = "Using Non-Linear Activation Functions to increase robustness of AI models to adversarial attacks",

abstract = "Image classification tasks leverage CNN to yield accurate results that supersede their predecessor human-crafted algorithms. Applicable use cases include Autonomous, Face, Medical Imaging, and more. Along with the growing use of AI image classification applications, we see emerging research on the robustness of such models to adversarial attacks, which take advantage of the unique vulnerabilities of the Artificial Intelligence (AI) models to skew their classification results. While not visible to the Human Visual System (HVS), these attacks mislead the algorithms and yield wrong classification results. To be incorporated securely enough in real-world applications, AI-based image classification algorithms require protection that will increase their robustness to adversarial attacks. We propose replacing the commonly used Rectifier Linear Unit (ReLU) Activation Function (AF), which is piecewise linear, with non-linear AF to increase their robustness to adversarial attacks. This approach has been considered in recent research and is motivated by the observation that non-linear AF tends to diminish the effect of adversarial perturbations in the DNN layers. To gain credibility of the approach, we have applied Fast Sign Gradient Method (FGSM), and Hop-Skip-Jump (HSJ) attacks to a trained classification model of the MNIST dataset. We then replaced the AF of the model with non-linear AF (Sigmoid, GeLU, ELU, SeLU, and Tanh). We concluded that while attacks on the original model have a 100% success rate, the attack success rate is dropped by an average of 10% when non-linear AF is used.",

keywords = "Activation Functions, Adversarial Attacks, Boundary Attack, Deep Learning, HopSkipJump Attack",

author = "Itai Dror and Raz Birman and Aviram Lachmani and David Shmailov and Ofer Hadar",

note = "Publisher Copyright: {\textcopyright} 2022 SPIE.; Counterterrorism, Crime Fighting, Forensics, and Surveillance Technologies VI 2022 ; Conference date: 05-09-2022 Through 06-09-2022",

year = "2022",

month = jan,

day = "1",

doi = "10.1117/12.2638358",

language = "American English",

series = "Proceedings of SPIE - The International Society for Optical Engineering",

publisher = "SPIE",

editor = "Henri Bouma and Radhakrishna Prabhu and Stokes, {Robert J.} and Yitzhak Yitzhaky",

booktitle = "Counterterrorism, Crime Fighting, Forensics, and Surveillance Technologies VI",

address = "United States",

}

Dror, I, Birman, R, Lachmani, A, Shmailov, D & Hadar, O 2022, Using Non-Linear Activation Functions to increase robustness of AI models to adversarial attacks. in H Bouma, R Prabhu, RJ Stokes & Y Yitzhaky (eds), Counterterrorism, Crime Fighting, Forensics, and Surveillance Technologies VI., 122750I, Proceedings of SPIE - The International Society for Optical Engineering, vol. 12275, SPIE, Counterterrorism, Crime Fighting, Forensics, and Surveillance Technologies VI 2022, Berlin, Germany, 5/09/22. https://doi.org/10.1117/12.2638358

Using Non-Linear Activation Functions to increase robustness of AI models to adversarial attacks. / Dror, Itai; Birman, Raz; Lachmani, Aviram et al.
Counterterrorism, Crime Fighting, Forensics, and Surveillance Technologies VI. ed. / Henri Bouma; Radhakrishna Prabhu; Robert J. Stokes; Yitzhak Yitzhaky. SPIE, 2022. 122750I (Proceedings of SPIE - The International Society for Optical Engineering; Vol. 12275).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Using Non-Linear Activation Functions to increase robustness of AI models to adversarial attacks

AU - Dror, Itai

AU - Birman, Raz

AU - Lachmani, Aviram

AU - Shmailov, David

AU - Hadar, Ofer

PY - 2022/1/1

Y1 - 2022/1/1

N2 - Image classification tasks leverage CNN to yield accurate results that supersede their predecessor human-crafted algorithms. Applicable use cases include Autonomous, Face, Medical Imaging, and more. Along with the growing use of AI image classification applications, we see emerging research on the robustness of such models to adversarial attacks, which take advantage of the unique vulnerabilities of the Artificial Intelligence (AI) models to skew their classification results. While not visible to the Human Visual System (HVS), these attacks mislead the algorithms and yield wrong classification results. To be incorporated securely enough in real-world applications, AI-based image classification algorithms require protection that will increase their robustness to adversarial attacks. We propose replacing the commonly used Rectifier Linear Unit (ReLU) Activation Function (AF), which is piecewise linear, with non-linear AF to increase their robustness to adversarial attacks. This approach has been considered in recent research and is motivated by the observation that non-linear AF tends to diminish the effect of adversarial perturbations in the DNN layers. To gain credibility of the approach, we have applied Fast Sign Gradient Method (FGSM), and Hop-Skip-Jump (HSJ) attacks to a trained classification model of the MNIST dataset. We then replaced the AF of the model with non-linear AF (Sigmoid, GeLU, ELU, SeLU, and Tanh). We concluded that while attacks on the original model have a 100% success rate, the attack success rate is dropped by an average of 10% when non-linear AF is used.

AB - Image classification tasks leverage CNN to yield accurate results that supersede their predecessor human-crafted algorithms. Applicable use cases include Autonomous, Face, Medical Imaging, and more. Along with the growing use of AI image classification applications, we see emerging research on the robustness of such models to adversarial attacks, which take advantage of the unique vulnerabilities of the Artificial Intelligence (AI) models to skew their classification results. While not visible to the Human Visual System (HVS), these attacks mislead the algorithms and yield wrong classification results. To be incorporated securely enough in real-world applications, AI-based image classification algorithms require protection that will increase their robustness to adversarial attacks. We propose replacing the commonly used Rectifier Linear Unit (ReLU) Activation Function (AF), which is piecewise linear, with non-linear AF to increase their robustness to adversarial attacks. This approach has been considered in recent research and is motivated by the observation that non-linear AF tends to diminish the effect of adversarial perturbations in the DNN layers. To gain credibility of the approach, we have applied Fast Sign Gradient Method (FGSM), and Hop-Skip-Jump (HSJ) attacks to a trained classification model of the MNIST dataset. We then replaced the AF of the model with non-linear AF (Sigmoid, GeLU, ELU, SeLU, and Tanh). We concluded that while attacks on the original model have a 100% success rate, the attack success rate is dropped by an average of 10% when non-linear AF is used.

KW - Activation Functions

KW - Adversarial Attacks

KW - Boundary Attack

KW - Deep Learning

KW - HopSkipJump Attack

UR - http://www.scopus.com/inward/record.url?scp=85145433529&partnerID=8YFLogxK

U2 - 10.1117/12.2638358

DO - 10.1117/12.2638358

M3 - Conference contribution

T3 - Proceedings of SPIE - The International Society for Optical Engineering

BT - Counterterrorism, Crime Fighting, Forensics, and Surveillance Technologies VI

A2 - Bouma, Henri

A2 - Prabhu, Radhakrishna

A2 - Stokes, Robert J.

A2 - Yitzhaky, Yitzhak

PB - SPIE

T2 - Counterterrorism, Crime Fighting, Forensics, and Surveillance Technologies VI 2022

Y2 - 5 September 2022 through 6 September 2022

ER -

Dror I, Birman R, Lachmani A, Shmailov D, Hadar O. Using Non-Linear Activation Functions to increase robustness of AI models to adversarial attacks. In Bouma H, Prabhu R, Stokes RJ, Yitzhaky Y, editors, Counterterrorism, Crime Fighting, Forensics, and Surveillance Technologies VI. SPIE. 2022. 122750I. (Proceedings of SPIE - The International Society for Optical Engineering). doi: 10.1117/12.2638358

Using Non-Linear Activation Functions to increase robustness of AI models to adversarial attacks

Abstract

Publication series

Conference

Keywords

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this