-
A Random Ensemble of Encrypted Vision Transformers for Adversarially Robust Defense
Authors:
Ryota Iijima,
Sayaka Shiota,
Hitoshi Kiya
Abstract:
Deep neural networks (DNNs) are well known to be vulnerable to adversarial examples (AEs). In previous studies, the use of models encrypted with a secret key was demonstrated to be robust against white-box attacks, but not against black-box ones. In this paper, we propose a novel method using the vision transformer (ViT) that is a random ensemble of encrypted models for enhancing robustness against both white-box and black-box attacks. In addition, a benchmark attack method, called AutoAttack, is applied to models to test adversarial robustness objectively. In experiments, the method was demonstrated to be robust against not only white-box attacks but also black-box ones in an image classification task on the CIFAR-10 and ImageNet datasets. The method was also compared with the state-of-the-art in a standardized benchmark for adversarial robustness, RobustBench, and it was verified to outperform conventional defenses in terms of clean accuracy and robust accuracy.
Submitted 11 February, 2024;
originally announced February 2024.
-
A Random Ensemble of Encrypted models for Enhancing Robustness against Adversarial Examples
Authors:
Ryota Iijima,
Sayaka Shiota,
Hitoshi Kiya
Abstract:
Deep neural networks (DNNs) are well known to be vulnerable to adversarial examples (AEs). In addition, AEs have adversarial transferability, which means AEs generated for a source model can fool another black-box model (target model) with a non-trivial probability. In previous studies, it was confirmed that the vision transformer (ViT) is more robust against the property of adversarial transferability than convolutional neural network (CNN) models such as ConvMixer, and moreover encrypted ViT is more robust than ViT without any encryption. In this article, we propose a random ensemble of encrypted ViT models to achieve much more robust models. In experiments, the proposed scheme is verified to be more robust against not only black-box attacks but also white-box ones than conventional methods.
Submitted 4 January, 2024;
originally announced January 2024.
-
Monitoring with Rich Data
Authors:
Mira Frick,
Ryota Iijima,
Yuhta Ishii
Abstract:
We consider moral hazard problems where a principal has access to rich monitoring data about an agent's action. Rather than focusing on optimal contracts (which are known to in general be complicated), we characterize the optimal rate at which the principal's payoffs can converge to the first-best payoff as the amount of data grows large. Our main result suggests a novel rationale for the widely observed binary wage schemes, by showing that such simple contracts achieve the optimal convergence rate. Notably, in order to attain the optimal convergence rate, the principal must set a lenient cutoff for when the agent receives a high vs. low wage. In contrast, we find that other common contracts where wages vary more finely with observed data (e.g., linear contracts) approximate the first-best at a highly suboptimal rate. Finally, we show that the optimal convergence rate depends only on a simple summary statistic of the monitoring technology. This yields a detail-free ranking over monitoring technologies that quantifies their value for incentive provision in data-rich settings and applies regardless of the agent's specific utility or cost functions.
Submitted 2 July, 2024; v1 submitted 27 December, 2023;
originally announced December 2023.
-
Block-Wise Encryption for Reliable Vision Transformer models
Authors:
Hitoshi Kiya,
Ryota Iijima,
Teru Nagamori
Abstract:
This article presents block-wise image encryption for the vision transformer and its applications. Perceptual image encryption for deep learning enables us not only to protect the visual information of plain images but to also embed unique features controlled with a key into images and models. However, when using conventional perceptual encryption methods, the performance of models is degraded due to the influence of encryption. In this paper, we focus on block-wise encryption for the vision transformer, and we introduce three applications: privacy-preserving image classification, access control, and the combined use of federated learning and encrypted images. Our scheme can have the same performance as models without any encryption, and it does not require any network modification. It also allows us to easily update the secret key. In experiments, the effectiveness of the scheme is demonstrated in terms of performance degradation and access control on the CIFAR10 and CIFAR-100 datasets.
Submitted 15 August, 2023;
originally announced August 2023.
-
Enhanced Security against Adversarial Examples Using a Random Ensemble of Encrypted Vision Transformer Models
Authors:
Ryota Iijima,
Miki Tanaka,
Sayaka Shiota,
Hitoshi Kiya
Abstract:
Deep neural networks (DNNs) are well known to be vulnerable to adversarial examples (AEs). In addition, AEs have adversarial transferability, which means AEs generated for a source model can fool another black-box model (target model) with a non-trivial probability. In previous studies, it was confirmed that the vision transformer (ViT) is more robust against the property of adversarial transferability than convolutional neural network (CNN) models such as ConvMixer, and moreover encrypted ViT is more robust than ViT without any encryption. In this article, we propose a random ensemble of encrypted ViT models to achieve much more robust models. In experiments, the proposed scheme is verified to be more robust against not only black-box attacks but also white-box ones than conventional methods.
Submitted 26 July, 2023;
originally announced July 2023.
-
SHITARA: Sending Haptic Induced Touchable Alarm by Ring-shaped Air vortex
Authors:
Ryosei Kojima,
Akihisa Shitara,
Tatsuki Fushimi,
Ryogo Niwa,
Atushi Shinoda,
Ryo Iijima,
Kengo Tanaka,
Sayan Sarcar,
Yoichi Ochiai
Abstract:
Social interaction begins with the other person's attention, but it is difficult for a d/Deaf or hard-of-hearing (DHH) person to notice the initial conversation cues. Wearable or visual devices have been proposed previously. However, these devices are cumbersome to wear or must stay within the DHH person's vision. In this study, we have proposed SHITARA, a novel accessibility method with air vortex rings that provides a non-contact haptic cue for a DHH person. We have developed a proof-of-concept device and determined the air vortex ring's accuracy, noticeability and comfortability when it hits a DHH's hair. Though strength, accuracy, and noticeability of air vortex rings decrease as the distance between the air vortex ring generator and the user increases, we have demonstrated that the air vortex ring is noticeable up to 2.5 meters away. Moreover, the optimum strength is found for each distance from a DHH.
Submitted 7 November, 2023; v1 submitted 19 January, 2023;
originally announced January 2023.
-
On the Adversarial Transferability of ConvMixer Models
Authors:
Ryota Iijima,
Miki Tanaka,
Isao Echizen,
Hitoshi Kiya
Abstract:
Deep neural networks (DNNs) are well known to be vulnerable to adversarial examples (AEs). In addition, AEs have adversarial transferability, which means AEs generated for a source model can fool another black-box model (target model) with a non-trivial probability. In this paper, we investigate the property of adversarial transferability between models including ConvMixer, which is an isotropic network, for the first time. To objectively verify the property of transferability, the robustness of models is evaluated by using a benchmark attack method called AutoAttack. In an image classification experiment, ConvMixer is confirmed to be weak to adversarial transferability.
Submitted 18 September, 2022;
originally announced September 2022.
-
An Access Control Method with Secret Key for Semantic Segmentation Models
Authors:
Teru Nagamori,
Ryota Iijima,
Hitoshi Kiya
Abstract:
A novel method for access control with a secret key is proposed to protect models from unauthorized access in this paper. We focus on semantic segmentation models with the vision transformer (ViT), called segmentation transformer (SETR). Most existing access control methods focus on image classification tasks, or they are limited to CNNs. By using a patch embedding structure that ViT has, trained models and test images can be efficiently encrypted with a secret key, and then semantic segmentation tasks are carried out in the encrypted domain. In an experiment, the method is confirmed to provide the same accuracy as that of using plain images without any encryption to authorized users with a correct key and also to provide an extremely degraded accuracy to unauthorized users.
Submitted 28 August, 2022;
originally announced August 2022.
-
An Encryption Method of ConvMixer Models without Performance Degradation
Authors:
Ryota Iijima,
Hitoshi Kiya
Abstract:
In this paper, we propose an encryption method for ConvMixer models with a secret key. Encryption methods for DNN models have been studied to achieve adversarial defense, model protection and privacy-preserving image classification. However, the use of conventional encryption methods degrades the performance of models compared with that of plain models. Accordingly, we propose a novel method for encrypting ConvMixer models. The method is carried out on the basis of an embedding architecture that ConvMixer has, and models encrypted with the method can have the same performance as models trained with plain images only when using test images encrypted with a secret key. In addition, the proposed method does not require any specially prepared data for model training or network modification. In an experiment, the effectiveness of the proposed method is evaluated in terms of classification accuracy and model protection in an image classification task on the CIFAR10 dataset.
Submitted 25 July, 2022;
originally announced July 2022.
-
Image and Model Transformation with Secret Key for Vision Transformer
Authors:
Hitoshi Kiya,
Ryota Iijima,
MaungMaung Aprilpyone,
Yuma Kinoshita
Abstract:
In this paper, we propose a combined use of transformed images and vision transformer (ViT) models transformed with a secret key. We show for the first time that models trained with plain images can be directly transformed to models trained with encrypted images on the basis of the ViT architecture, and the performance of the transformed models is the same as models trained with plain images when using test images encrypted with the key. In addition, the proposed scheme does not require any specially prepared data for training models or network modification, so it also allows us to easily update the secret key. In an experiment, the effectiveness of the proposed scheme is evaluated in terms of performance degradation and model protection performance in an image classification task on the CIFAR-10 dataset.
Submitted 20 July, 2022; v1 submitted 12 July, 2022;
originally announced July 2022.
-
Protection of SVM Model with Secret Key from Unauthorized Access
Authors:
Ryota Iijima,
AprilPyone MaungMaung,
Hitoshi Kiya
Abstract:
In this paper, we propose a block-wise image transformation method with a secret key for support vector machine (SVM) models. Models trained by using transformed images offer a poor performance to unauthorized users without a key, while they can offer a high performance to authorized users with a key. The proposed method is demonstrated to be robust enough against unauthorized access even under the use of kernel functions in a facial recognition experiment.
Submitted 17 November, 2021;
originally announced November 2021.