-
Knowledge Assembly: Semi-Supervised Multi-Task Learning from Multiple Datasets with Disjoint Labels
Authors:
Federica Spinola,
Philipp Benz,
Minhyeong Yu,
Tae-hoon Kim
Abstract:
In real-world scenarios we often need to perform multiple tasks simultaneously. Multi-Task Learning (MTL) is an adequate method to do so, but usually requires datasets labeled for all tasks. We propose a method that can leverage datasets labeled for only some of the tasks in the MTL framework. Our work, Knowledge Assembly (KA), learns multiple tasks from disjoint datasets by leveraging the unlabeled data in a semi-supervised manner, using model augmentation for pseudo-supervision. Whilst KA can be implemented on any existing MTL networks, we test our method on jointly learning person re-identification (reID) and pedestrian attribute recognition (PAR). We surpass the single task fully-supervised performance by $4.2\%$ points for reID and $0.9\%$ points for PAR.
Submitted 15 June, 2023;
originally announced June 2023.
-
Single Flux Quantum-Based Digital Control of Superconducting Qubits in a Multi-Chip Module
Authors:
Chuan-Hong Liu,
Andrew Ballard,
David Olaya,
Daniel R. Schmidt,
John Biesecker,
Tammy Lucas,
Joel Ullom,
Shravan Patel,
Owen Rafferty,
Alexander Opremcak,
Kenneth Dodge,
Vito Iaia,
Tianna McBroom,
Jonathan L. Dubois,
Pete F. Hopkins,
Samuel P. Benz,
Britton L. T. Plourde,
Robert McDermott
Abstract:
The single flux quantum (SFQ) digital superconducting logic family has been proposed for the scalable control of next-generation superconducting qubit arrays. In the initial implementation, SFQ-based gate fidelity was limited by quasiparticle (QP) poisoning induced by the dissipative on-chip SFQ driver circuit. In this work, we introduce a multi-chip module architecture to suppress phonon-mediated QP poisoning. Here, the SFQ elements and qubits are fabricated on separate chips that are joined with In bump bonds. We use interleaved randomized benchmarking to characterize the fidelity of SFQ-based gates, and we demonstrate an error per Clifford gate of 1.2(1)%, an order-of-magnitude reduction over the gate error achieved in the initial realization of SFQ-based qubit control. We use purity benchmarking to quantify the contribution of incoherent error at 0.96(2)%; we attribute this error to photon-mediated QP poisoning mediated by the resonant mm-wave antenna modes of the qubit and SFQ-qubit coupler. We anticipate that a straightforward redesign of the SFQ driver circuit to limit the bandwidth of the SFQ pulses will eliminate this source of infidelity, allowing SFQ-based gates with fidelity approaching theoretical limits, namely 99.9% for resonant sequences and 99.99% for more complex pulse sequences involving variable pulse-to-pulse separation.
Submitted 13 January, 2023;
originally announced January 2023.
-
Booster-SHOT: Boosting Stacked Homography Transformations for Multiview Pedestrian Detection with Attention
Authors:
**woo Hwang,
Philipp Benz,
Tae-hoon Kim
Abstract:
Improving multi-view aggregation is integral for multi-view pedestrian detection, which aims to obtain a bird's-eye-view pedestrian occupancy map from images captured through a set of calibrated cameras. Inspired by the success of attention modules for deep neural networks, we first propose a Homography Attention Module (HAM) which is shown to boost the performance of existing end-to-end multiview detection approaches by utilizing a novel channel gate and spatial gate. Additionally, we propose Booster-SHOT, an end-to-end convolutional approach to multiview pedestrian detection incorporating our proposed HAM as well as elements from previous approaches such as view-coherent augmentation or stacked homography transformations. Booster-SHOT achieves 92.9% and 94.2% for MODA on Wildtrack and MultiviewX respectively, outperforming the state-of-the-art by 1.4% on Wildtrack and 0.5% on MultiviewX, achieving state-of-the-art performance overall for standard evaluation metrics used in multi-view pedestrian detection.
Submitted 19 August, 2022;
originally announced August 2022.
-
Privacy Safe Representation Learning via Frequency Filtering Encoder
Authors:
Jonghu Jeong,
Minyong Cho,
Philipp Benz,
**woo Hwang,
Jeewook Kim,
Seungkwan Lee,
Tae-hoon Kim
Abstract:
Deep learning models are increasingly deployed in real-world applications. These models are often deployed on the server-side and receive user data in an information-rich representation to solve a specific task, such as image classification. Since images can contain sensitive information, which users might not be willing to share, privacy protection becomes increasingly important. Adversarial Representation Learning (ARL) is a common approach to train an encoder that runs on the client-side and obfuscates an image. It is assumed, that the obfuscated image can safely be transmitted and used for the task on the server without privacy concerns. However, in this work, we find that training a reconstruction attacker can successfully recover the original image of existing ARL methods. To this end, we introduce a novel ARL method enhanced through low-pass filtering, limiting the available information amount to be encoded in the frequency domain. Our experimental results reveal that our approach withstands reconstruction attacks while outperforming previous state-of-the-art methods regarding the privacy-utility trade-off. We further conduct a user study to qualitatively assess our defense of the reconstruction attack.
Submitted 4 August, 2022;
originally announced August 2022.
-
Investigating Top-$k$ White-Box and Transferable Black-box Attack
Authors:
Chaoning Zhang,
Philipp Benz,
Adil Karjauv,
Jae Won Cho,
Kang Zhang,
In So Kweon
Abstract:
Existing works have identified the limitation of top-$1$ attack success rate (ASR) as a metric to evaluate the attack strength but exclusively investigated it in the white-box setting, while our work extends it to a more practical black-box setting: transferable attack. It is widely reported that stronger I-FGSM transfers worse than simple FGSM, leading to a popular belief that transferability is at odds with the white-box attack strength. Our work challenges this belief with empirical finding that stronger attack actually transfers better for the general top-$k$ ASR indicated by the interest class rank (ICR) after attack. For increasing the attack strength, with an intuitive interpretation of the logit gradient from the geometric perspective, we identify that the weakness of the commonly used losses lie in prioritizing the speed to fool the network instead of maximizing its strength. To this end, we propose a new normalized CE loss that guides the logit to be updated in the direction of implicitly maximizing its rank distance from the ground-truth class. Extensive results in various settings have verified that our proposed new loss is simple yet effective for top-$k$ attack. Code is available at: https://bit.ly/3uCiomP
Submitted 30 March, 2022;
originally announced April 2022.
-
Digital control of a superconducting qubit using a Josephson pulse generator at 3 K
Authors:
L. Howe,
M. Castellanos-Beltran,
A. J. Sirois,
D. Olaya,
J. Biesecker,
P. D. Dresselhaus,
S. P. Benz,
P. F. Hopkins
Abstract:
Scaling of quantum computers to fault-tolerant levels relies critically on the integration of energy-efficient, stable, and reproducible qubit control and readout electronics. In comparison to traditional semiconductor control electronics (TSCE) located at room temperature, the signals generated by Josephson junction (JJ) based rf sources benefit from small device sizes, low power dissipation, intrinsic calibration, superior reproducibility, and insensitivity to ambient fluctuations. Previous experiments to co-locate qubits and JJ-based control electronics resulted in quasiparticle poisoning of the qubit; degrading the qubit's coherence and lifetime. In this paper, we digitally control a 0.01~K transmon qubit with pulses from a Josephson pulse generator (JPG) located at the 3~K stage of a dilution refrigerator. We directly compare the qubit lifetime $T_1$, coherence time $T_2^*$, and thermal occupation $P_{th}$ when the qubit is controlled by the JPG circuit versus the TSCE setup. We find agreement to within the daily fluctuations on $\pm 0.5~μ$s and $\pm 2~μ$s for $T_1$ and $T_2^*$, respectively, and agreement to within the 1\% error for $P_{th}$. Additionally, we perform randomized benchmarking to measure an average JPG gate error of $2.1 \times 10^{-2}$. In combination with a small device size ($<25$~mm$^2$) and low on-chip power dissipation ($\ll 100~μ$W), these results are an important step towards demonstrating the viability of using JJ-based control electronics located at temperature stages higher than the mixing chamber stage in highly-scaled superconducting quantum information systems.
Submitted 22 February, 2022; v1 submitted 24 November, 2021;
originally announced November 2021.
-
Adversarial Robustness Comparison of Vision Transformer and MLP-Mixer to CNNs
Authors:
Philipp Benz,
Soomin Ham,
Chaoning Zhang,
Adil Karjauv,
In So Kweon
Abstract:
Convolutional Neural Networks (CNNs) have become the de facto gold standard in computer vision applications in the past years. Recently, however, new model architectures have been proposed challenging the status quo. The Vision Transformer (ViT) relies solely on attention modules, while the MLP-Mixer architecture substitutes the self-attention modules with Multi-Layer Perceptrons (MLPs). Despite their great success, CNNs have been widely known to be vulnerable to adversarial attacks, causing serious concerns for security-sensitive applications. Thus, it is critical for the community to know whether the newly proposed ViT and MLP-Mixer are also vulnerable to adversarial attacks. To this end, we empirically evaluate their adversarial robustness under several adversarial attack setups and benchmark them against the widely used CNNs. Overall, we find that the two architectures, especially ViT, are more robust than their CNN models. Using a toy example, we also provide empirical evidence that the lower adversarial robustness of CNNs can be partially attributed to their shift-invariant property. Our frequency analysis suggests that the most robust ViT architectures tend to rely more on low-frequency features compared with CNNs. Additionally, we have an intriguing finding that MLP-Mixer is extremely vulnerable to universal adversarial perturbations.
Submitted 11 October, 2021; v1 submitted 6 October, 2021;
originally announced October 2021.
-
Universal Adversarial Training with Class-Wise Perturbations
Authors:
Philipp Benz,
Chaoning Zhang,
Adil Karjauv,
In So Kweon
Abstract:
Despite their overwhelming success on a wide range of applications, convolutional neural networks (CNNs) are widely recognized to be vulnerable to adversarial examples. This intriguing phenomenon led to a competition between adversarial attacks and defense techniques. So far, adversarial training is the most widely used method for defending against adversarial attacks. It has also been extended to defend against universal adversarial perturbations (UAPs). The SOTA universal adversarial training (UAT) method optimizes a single perturbation for all training samples in the mini-batch. In this work, we find that a UAP does not attack all classes equally. Inspired by this observation, we identify it as the source of the model having unbalanced robustness. To this end, we improve the SOTA UAT by proposing to utilize class-wise UAPs during adversarial training. On multiple benchmark datasets, our class-wise UAT leads superior performance for both clean accuracy and adversarial robustness against universal attack.
Submitted 7 April, 2021;
originally announced April 2021.
-
A Brief Survey on Deep Learning Based Data Hiding
Authors:
Chaoning Zhang,
Chenguo Lin,
Philipp Benz,
Kejiang Chen,
Weiming Zhang,
In So Kweon
Abstract:
Data hiding is the art of concealing messages with limited perceptual changes. Recently, deep learning has enriched it from various perspectives with significant progress. In this work, we conduct a brief yet comprehensive review of existing literature for deep learning based data hiding (deep hiding) by first classifying it according to three essential properties (i.e., capacity, security and robustness), and outline three commonly used architectures. Based on this, we summarize specific strategies for different applications of data hiding, including basic hiding, steganography, watermarking and light field messaging. Finally, further insight into deep hiding is provided by incorporating the perspective of adversarial attack.
Submitted 19 April, 2022; v1 submitted 2 March, 2021;
originally announced March 2021.
-
A Survey On Universal Adversarial Attack
Authors:
Chaoning Zhang,
Philipp Benz,
Chenguo Lin,
Adil Karjauv,
**g Wu,
In So Kweon
Abstract:
The intriguing phenomenon of adversarial examples has attracted significant attention in machine learning and what might be more surprising to the community is the existence of universal adversarial perturbations (UAPs), i.e. a single perturbation to fool the target DNN for most images. With the focus on UAP against deep classifiers, this survey summarizes the recent progress on universal adversarial attacks, discussing the challenges from both the attack and defense sides, as well as the reason for the existence of UAP. We aim to extend this work as a dynamic survey that will regularly update its content to follow new works regarding UAP or universal attack in a wide range of domains, such as image, audio, video, text, etc. Relevant updates will be discussed at: https://bit.ly/2SbQlLG. We welcome authors of future works in this field to contact us for including your new finding.
Submitted 4 January, 2022; v1 submitted 2 March, 2021;
originally announced March 2021.
-
Universal Adversarial Perturbations Through the Lens of Deep Steganography: Towards A Fourier Perspective
Authors:
Chaoning Zhang,
Philipp Benz,
Adil Karjauv,
In So Kweon
Abstract:
The booming interest in adversarial attacks stems from a misalignment between human vision and a deep neural network (DNN), i.e. a human imperceptible perturbation fools the DNN. Moreover, a single perturbation, often called universal adversarial perturbation (UAP), can be generated to fool the DNN for most images. A similar misalignment phenomenon has recently also been observed in the deep steganography task, where a decoder network can retrieve a secret image back from a slightly perturbed cover image. We attempt explaining the success of both in a unified manner from the Fourier perspective. We perform task-specific and joint analysis and reveal that (a) frequency is a key factor that influences their performance based on the proposed entropy metric for quantifying the frequency distribution; (b) their success can be attributed to a DNN being highly sensitive to high-frequency content. We also perform feature layer analysis for providing deep insight on model generalization and robustness. Additionally, we propose two new variants of universal perturbations: (1) Universal Secret Adversarial Perturbation (USAP) that simultaneously achieves attack and hiding; (2) high-pass UAP (HP-UAP) that is less visible to the human eye.
Submitted 12 February, 2021;
originally announced February 2021.
-
Towards Robust Data Hiding Against (JPEG) Compression: A Pseudo-Differentiable Deep Learning Approach
Authors:
Chaoning Zhang,
Adil Karjauv,
Philipp Benz,
In So Kweon
Abstract:
Data hiding is one widely used approach for protecting authentication and ownership. Most multimedia content like images and videos are transmitted or saved in the compressed form. This kind of lossy compression, such as JPEG, can destroy the hidden data, which raises the need of robust data hiding. It is still an open challenge to achieve the goal of data hiding that can be against these compressions. Recently, deep learning has shown large success in data hiding, while non-differentiability of JPEG makes it challenging to train a deep pipeline for improving robustness against lossy compression. The existing SOTA approaches replace the non-differentiable parts with differentiable modules that perform similar operations. Multiple limitations exist: (a) large engineering effort; (b) requiring a white-box knowledge of compression attacks; (c) only works for simple compression like JPEG. In this work, we propose a simple yet effective approach to address all the above limitations at once. Beyond JPEG, our approach has been shown to improve robustness against various image and video lossy compression algorithms.
Submitted 30 December, 2020;
originally announced January 2021.
-
Robustness May Be at Odds with Fairness: An Empirical Study on Class-wise Accuracy
Authors:
Philipp Benz,
Chaoning Zhang,
Adil Karjauv,
In So Kweon
Abstract:
Convolutional neural networks (CNNs) have made significant advancement, however, they are widely known to be vulnerable to adversarial attacks. Adversarial training is the most widely used technique for improving adversarial robustness to strong white-box attacks. Prior works have been evaluating and improving the model average robustness without class-wise evaluation. The average evaluation alone might provide a false sense of robustness. For example, the attacker can focus on attacking the vulnerable class, which can be dangerous, especially, when the vulnerable class is a critical one, such as "human" in autonomous driving. We propose an empirical study on the class-wise accuracy and robustness of adversarially trained models. We find that there exists inter-class discrepancy for accuracy and robustness even when the training dataset has an equal number of samples for each class. For example, in CIFAR10, "cat" is much more vulnerable than other classes. Moreover, this inter-class discrepancy also exists for normally trained models, while adversarial training tends to further increase the discrepancy. Our work aims to investigate the following questions: (a) is the phenomenon of inter-class discrepancy universal regardless of datasets, model architectures and optimization hyper-parameters? (b) If so, what can be possible explanations for the inter-class discrepancy? (c) Can the techniques proposed in the long tail classification be readily extended to adversarial training for addressing the inter-class discrepancy?
Submitted 10 October, 2021; v1 submitted 26 October, 2020;
originally announced October 2020.
-
ResNet or DenseNet? Introducing Dense Shortcuts to ResNet
Authors:
Chaoning Zhang,
Philipp Benz,
Dawit Mureja Argaw,
Seokju Lee,
Junsik Kim,
Francois Rameau,
Jean-Charles Bazin,
In So Kweon
Abstract:
ResNet or DenseNet? Nowadays, most deep learning based approaches are implemented with seminal backbone networks, among them the two arguably most famous ones are ResNet and DenseNet. Despite their competitive performance and overwhelming popularity, inherent drawbacks exist for both of them. For ResNet, the identity shortcut that stabilizes training also limits its representation capacity, while DenseNet has a higher capacity with multi-layer feature concatenation. However, the dense concatenation causes a new problem of requiring high GPU memory and more training time. Partially due to this, it is not a trivial choice between ResNet and DenseNet. This paper provides a unified perspective of dense summation to analyze them, which facilitates a better understanding of their core difference. We further propose dense weighted normalized shortcuts as a solution to the dilemma between them. Our proposed dense shortcut inherits the design philosophy of simple design in ResNet and DenseNet. On several benchmark datasets, the experimental results show that the proposed DSNet achieves significantly better results than ResNet, and achieves comparable performance as DenseNet but requiring fewer computation resources.
Submitted 23 October, 2020;
originally announced October 2020.
-
Revisiting Batch Normalization for Improving Corruption Robustness
Authors:
Philipp Benz,
Chaoning Zhang,
Adil Karjauv,
In So Kweon
Abstract:
The performance of DNNs trained on clean images has been shown to decrease when the test images have common corruptions. In this work, we interpret corruption robustness as a domain shift and propose to rectify batch normalization (BN) statistics for improving model robustness. This is motivated by perceiving the shift from the clean domain to the corruption domain as a style shift that is represented by the BN statistics. We find that simply estimating and adapting the BN statistics on a few (32 for instance) representation samples, without retraining the model, improves the corruption robustness by a large margin on several benchmark datasets with a wide range of model architectures. For example, on ImageNet-C, statistics adaptation improves the top1 accuracy of ResNet50 from 39.2% to 48.7%. Moreover, we find that this technique can further improve state-of-the-art robust models from 58.1% to 63.3%.
Submitted 28 January, 2021; v1 submitted 7 October, 2020;
originally announced October 2020.
-
Batch Normalization Increases Adversarial Vulnerability and Decreases Adversarial Transferability: A Non-Robust Feature Perspective
Authors:
Philipp Benz,
Chaoning Zhang,
In So Kweon
Abstract:
Batch normalization (BN) has been widely used in modern deep neural networks (DNNs) due to improved convergence. BN is observed to increase the model accuracy while at the cost of adversarial robustness. There is an increasing interest in the ML community to understand the impact of BN on DNNs, especially related to the model robustness. This work attempts to understand the impact of BN on DNNs from a non-robust feature perspective. Straightforwardly, the improved accuracy can be attributed to the better utilization of useful features. It remains unclear whether BN mainly favors learning robust features (RFs) or non-robust features (NRFs). Our work presents empirical evidence that supports that BN shifts a model towards being more dependent on NRFs. To facilitate the analysis of such a feature robustness shift, we propose a framework for disentangling robust usefulness into robustness and usefulness. Extensive analysis under the proposed framework yields valuable insight on the DNN behavior regarding robustness, e.g. DNNs first mainly learn RFs and then NRFs. The insight that RFs transfer better than NRFs, further inspires simple techniques to strengthen transfer-based black-box attacks.
Submitted 7 October, 2021; v1 submitted 7 October, 2020;
originally announced October 2020.
-
CD-UAP: Class Discriminative Universal Adversarial Perturbation
Authors:
Chaoning Zhang,
Philipp Benz,
Tooba Imtiaz,
In So Kweon
Abstract:
A single universal adversarial perturbation (UAP) can be added to all natural images to change most of their predicted class labels. It is of high practical relevance for an attacker to have flexible control over the targeted classes to be attacked, however, the existing UAP method attacks samples from all classes. In this work, we propose a new universal attack method to generate a single perturbation that fools a target network to misclassify only a chosen group of classes, while having limited influence on the remaining classes. Since the proposed attack generates a universal adversarial perturbation that is discriminative to targeted and non-targeted classes, we term it class discriminative universal adversarial perturbation (CD-UAP). We propose one simple yet effective algorithm framework, under which we design and compare various loss function configurations tailored for the class discriminative universal attack. The proposed approach has been evaluated with extensive experiments on various benchmark datasets. Additionally, our proposed approach achieves state-of-the-art performance for the original task of UAP attacking all classes, which demonstrates the effectiveness of our approach.
Submitted 7 October, 2020;
originally announced October 2020.
-
Double Targeted Universal Adversarial Perturbations
Authors:
Philipp Benz,
Chaoning Zhang,
Tooba Imtiaz,
In So Kweon
Abstract:
Despite their impressive performance, deep neural networks (DNNs) are widely known to be vulnerable to adversarial attacks, which makes it challenging for them to be deployed in security-sensitive applications, such as autonomous driving. Image-dependent perturbations can fool a network for one specific image, while universal adversarial perturbations are capable of fooling a network for samples from all classes without selection. We introduce a double targeted universal adversarial perturbations (DT-UAPs) to bridge the gap between the instance-discriminative image-dependent perturbations and the generic universal perturbations. This universal perturbation attacks one targeted source class to sink class, while having a limited adversarial effect on other non-targeted source classes, for avoiding raising suspicions. Targeting the source and sink class simultaneously, we term it double targeted attack (DTA). This provides an attacker with the freedom to perform precise attacks on a DNN model while raising little suspicion. We show the effectiveness of the proposed DTA algorithm on a wide range of datasets and also demonstrate its potential as a physical attack.
Submitted 7 October, 2020;
originally announced October 2020.
-
Data from Model: Extracting Data from Non-robust and Robust Models
Authors:
Philipp Benz,
Chaoning Zhang,
Tooba Imtiaz,
In-So Kweon
Abstract:
The essence of deep learning is to exploit data to train a deep neural network (DNN) model. This work explores the reverse process of generating data from a model, attempting to reveal the relationship between the data and the model. We repeat the process of Data to Model (DtM) and Data from Model (DfM) in sequence and explore the loss of feature mapping information by measuring the accuracy drop on the original validation dataset. We perform this experiment for both a non-robust and robust origin model. Our results show that the accuracy drop is limited even after multiple sequences of DtM and DfM, especially for robust models. The success of this cycling transformation can be attributed to the shared feature mapping existing in data and model. Using the same data, we observe that different DtM processes result in models having different features, especially for different network architecture families, even though they achieve comparable performance.
Submitted 13 July, 2020;
originally announced July 2020.
-
Understanding Adversarial Examples from the Mutual Influence of Images and Perturbations
Authors:
Chaoning Zhang,
Philipp Benz,
Tooba Imtiaz,
In-So Kweon
Abstract:
A wide variety of works have explored the reason for the existence of adversarial examples, but there is no consensus on the explanation. We propose to treat the DNN logits as a vector for feature representation, and exploit them to analyze the mutual influence of two independent inputs based on the Pearson correlation coefficient (PCC). We utilize this vector representation to understand adversarial examples by disentangling the clean images and adversarial perturbations, and analyze their influence on each other. Our results suggest a new perspective towards the relationship between images and universal perturbations: Universal perturbations contain dominant features, and images behave like noise to them. This feature perspective leads to a new method for generating targeted universal adversarial perturbations using random source images. We are the first to achieve the challenging task of a targeted universal attack without utilizing original training data. Our approach using a proxy dataset achieves comparable performance to the state-of-the-art baselines which utilize the original training dataset.
Submitted 13 July, 2020;
originally announced July 2020.
-
Fast Perception, Planning, and Execution for a Robotic Butler: Wheeled Humanoid M-Hubo
Authors:
Moonyoung Lee,
Yu** Heo,
**yong Park,
Hyun-Dae Yang,
Ho-Deok Jang,
Philipp Benz,
Hyunsub Park,
In So Kweon,
Jun-Ho Oh
Abstract:
As the aging population grows at a rapid rate, there is an ever growing need for service robot platforms that can provide daily assistance at practical speed with reliable performance. In order to assist with daily tasks such as fetching a beverage, a service robot must be able to perceive its environment and generate corresponding motion trajectories. This becomes a challenging and computationally complex problem when the environment is unknown and thus the path planner must sample numerous trajectories that often are sub-optimal, extending the execution time. To address this issue, we propose a unique strategy of integrating a 3D object detection pipeline with a kinematically optimal manipulation planner to significantly increase speed performance at runtime. In addition, we develop a new robotic butler system for a wheeled humanoid that is capable of fetching requested objects at 24% of the speed a human needs to fulfill the same task. The proposed system was evaluated and demonstrated in a real-world environment setup as well as in public exhibition.
Submitted 2 January, 2020;
originally announced January 2020.
-
Propose-and-Attend Single Shot Detector
Authors:
Ho-Deok Jang,
Sanghyun Woo,
Philipp Benz,
**sun Park,
In So Kweon
Abstract:
We present a simple yet effective prediction module for a one-stage detector. The main process is conducted in a coarse-to-fine manner. First, the module roughly adjusts the default boxes to well capture the extent of target objects in an image. Second, given the adjusted boxes, the module aligns the receptive field of the convolution filters accordingly, not requiring any embedding layers. Both steps build a propose-and-attend mechanism, mimicking two-stage detectors in a highly efficient manner. To verify its effectiveness, we apply the proposed module to a basic one-stage detector SSD. Our final model achieves an accuracy comparable to that of state-of-the-art detectors while using a fraction of their model parameters and computational overheads. Moreover, we found that the proposed module has two strong applications. 1) The module can be successfully integrated into a lightweight backbone, further pushing the efficiency of the one-stage detector. 2) The module also allows train-from-scratch without relying on any sophisticated base networks as previous methods do.
Submitted 30 July, 2019;
originally announced July 2019.
-
Stochastic single flux quantum neuromorphic computing using magnetically tunable Josephson junctions
Authors:
S. E. Russek,
C. A. Donnelly,
M. L. Schneider,
B. Baek,
M. R. Pufall,
W. H. Rippard,
P. F. Hopkins,
P. D. Dresselhaus,
S. P. Benz
Abstract:
Single flux quantum (SFQ) circuits form a natural neuromorphic technology with SFQ pulses and superconducting transmission lines simulating action potentials and axons, respectively. Here we present a new component, magnetic Josephson junctions, that have a tunability and re-configurability that was lacking from previous SFQ neuromorphic circuits. The nanoscale magnetic structure acts as a tunable synaptic constituent that modifies the junction critical current. These circuits can operate near the thermal limit where stochastic firing of the neurons is an essential component of the technology. This technology has the ability to create complex neural systems with greater than 10^21 neural firings per second with approximately 1 W dissipation.
Submitted 12 November, 2016;
originally announced December 2016.
-
Improved electronic measurement of the Boltzmann constant by Johnson noise Thermometry
Authors:
Jifeng Qu,
Samuel P Benz,
Alessio Pollarolo,
Horst Rogalla,
Weston L Tew,
Rod White,
Kunli Zhou
Abstract:
The unit of thermodynamic temperature, the kelvin, will be redefined in 2018 by fixing the value of the Boltzmann constant, k. The present CODATA recommended value of k is determined predominantly by acoustic gas-thermometry results. To provide a value of k based on different physical principles, purely electronic measurements of k were performed by using a Johnson noise thermometer to compare the thermal noise power of a 200 Ohm sensing resistor immersed in a triple-point-of-water cell to the noise power of a quantum-accurate pseudo-random noise waveform of nominally equal noise power. Measurements integrated over a bandwidth of 550 kHz and a total integration time of 33 days gave a measured value of k = 1.3806514(48)x10^-23 J/K, for which the relative standard uncertainty is 3.5x10^-6 and the relative offset from the CODATA 2010 value is +1.9x10^-6.
Submitted 31 December, 2014;
originally announced January 2015.
-
Spin-transfer torque switching in nanopillar superconducting-magnetic hybrid Josephson junctions
Authors:
Burm Baek,
William H. Rippard,
Matthew R. Pufall,
Samuel P. Benz,
Stephen E. Russek,
Horst Rogalla,
Paul D. Dresselhaus
Abstract:
The combination of superconducting and magnetic materials to create novel superconducting devices has been motivated by the discovery of Josephson critical current (Ics) oscillations as a function of magnetic layer thickness and the demonstration of devices with switchable critical currents. However, none of the hybrid devices have shown any spintronic effects, such as spin-transfer torque, which are currently used in room-temperature magnetic devices, including spin-transfer torque random-access memory and spin-torque nano-oscillators. We have developed nanopillar Josephson junctions with a minimum feature size of 50 nm and magnetic barriers exhibiting magnetic pseudo-spin-valve behavior at 4 K. These devices allow current-induced magnetization switching that results in 20-fold changes in Ics. The current-induced magnetic switching is consistent with spin-transfer torque models for room-temperature magnetic devices. Our work demonstrates that devices that combine superconducting and spintronic functions show promise for the development of a nanoscale, nonvolatile, cryogenic memory technology.
Submitted 16 October, 2014;
originally announced October 2014.
-
Hybrid superconducting-magnetic memory device using competing order parameters
Authors:
Burm Baek,
William H. Rippard,
Samuel P. Benz,
Stephen E. Russek,
Paul D. Dresselhaus
Abstract:
Superconducting devices, which rely on modulating a complex superconducting order parameter in a Josephson junction, have been developed for low power logic operations, high-frequency oscillators, and exquisite magnetic field sensors. Magnetic devices, which rely on the modulation of a local vector order parameter- the local magnetic moment, have been used as memory elements, high-frequency spin-transfer oscillators, and magnetic field sensors. In a hybrid superconducting-magnetic device, these two order parameters compete, with one type of order suppressing the other. Recent interest in ultra-low-power, high-density cryogenic memories has spurred new interest in merging superconducting and magnetic behavior so as to exploit these two competing order parameters to produce novel switching elements. Here, we describe a reconfigurable two-layer magnetic spin valve integrated within a Josephson junction. Our measurements separate the suppression in the superconducting coupling due to the exchange field in the magnetic layers, which causes depairing of the supercurrent, from the suppression due to the magnetic field generated by the magnetic layers. The exchange field suppression of the superconducting order parameter is a tunable and switchable behavior that is also scalable to nanometer device dimensions. These devices are the first to demonstrate nonvolatile, size-independent switching of the Josephson coupling, in both magnitude and phase, and they may allow for the first nanoscale superconducting memory devices.
Submitted 29 October, 2013; v1 submitted 8 October, 2013;
originally announced October 2013.
-
An Electronic Measurement of the Boltzmann Constant
Authors:
Samuel P. Benz,
Alessio Pollarolo,
Jifeng Qu,
Horst Rogalla,
Chiharu Urano,
Weston L. Tew,
Paul D. Dresselhaus,
D. Rod White
Abstract:
The Boltzmann constant was measured by comparing the Johnson noise of a resistor at the triple point of water with a quantum-based voltage reference signal generated with a superconducting Josephson-junction waveform synthesizer. The measured value of $k = 1.380651(18) \times 10^{-23}$ J/K is consistent with the current CODATA value and the combined uncertainties. This is our first measurement of k with this electronic technique, and the first noise thermometry measurement to achieve a relative combined uncertainty of 13 parts in 10^6. We describe the most recent improvements to our Johnson Noise Thermometer that enabled the statistical uncertainty contribution to be reduced to seven parts in 10^6, as well as the further reduction of spurious systematic errors and EMI effects. The uncertainty budget for this measurement is discussed in detail.
Submitted 31 December, 2010;
originally announced January 2011.