|
Neural networks continue to be vulnerable to adversarial attacks. In addressing this, two primary defensive strategies have emerged based on network composition: those targeting individual networks and those grounded in ensemblebased strategies. While merging both strategies is ideal, on edge devices, a combined defense that scales with ensemble size could result in significant inference latency increases. Many of the ensemble based approaches in the literature offer robust protection while necessitating large ensemble size. To address the challenge of deploying ensemble based adversarial defenses on edge device, this work introduces the Categorized Ensemble networks (CAEN) training methodology. CAEN’s foundation lies in two observations: 1. Under adversarial conditions, models frequently confuse conceptually contrastive classes with each-other and 2. Assigning soft label values to contrastive class pairs enhances network resilience against adversarial attacks. Building on these insights, CAEN initially identifies contrastive classes under Projected Gradient Decent (PGD) based attacks through a confusion matrix. It then formulates the problem of pairing contrastive classes across ensemble members as an Integer Linear Program (ILP). Following this, CAEN applies soft label assignments to identified contrastive class pairs during the ensemble training process. By averaging the outputs of the independently trained ensemble members, a CAEN ensemble is formed. CAEN training surpasses current state-of-theart robust ensemble training techniques, achieving an average 1.11X/1.57X improvement in robust accuracy against whitebox and black-box attacks. Additionally, by limiting ensemble members to just two networks, CAEN training produces ensembles that offer robust protection while reducing runtime FLOPs by 16% compared to SOTA, making CAEN ensembles suitable for deployment on edge devices.
|
