Deep Neural Networks (DNNs) are vulnerable to adversarial attacks. Existing methods are devoted to developing various robust training strategies or regularizations to update the weights of the neural network. But beyond the weights, the overall structure and information flow in the network are explicitly determined by the neural architecture, which remains unexplored. This paper thus aims to improve the adversarial robustness of the network from the architecture perspective. We explore the relationship among adversarial robustness, Lipschitz constant, and architecture parameters and show that an appropriate constraint on architecture parameters could reduce the Lipschitz constant to further improve the robustness. The importance of architecture parameters could vary from operation to operation or connection to connection. We approximate the Lipschitz constant of the entire network through a univariate log-normal distribution, whose mean and variance are related to architecture parameters. The confidence can be fulfilled through formulating a constraint on the distribution parameters based on the cumulative function. Compared with adversarially trained neural architectures searched by various NAS algorithms as well as efficient human-designed models, our algorithm empirically achieves the best performance among all the models under various attacks on different datasets.