A Linearly Convergent GAN Inversion-based Algorithm for Reverse Engineering of Deceptions
This work addresses the need for theoretical guarantees in reverse engineering adversarial attacks, which is crucial for developing robust deep learning systems, though it builds incrementally on prior work.
The paper tackles the problem of reverse engineering adversarial attacks on deep learning systems by proposing a framework that assumes clean data lies in the range of a GAN, solving GAN inversion and block-sparse recovery problems. It provides deterministic linear convergence guarantees for the first time and demonstrates empirical improvements on nonlinear datasets compared to state-of-the-art methods.
An important aspect of developing reliable deep learning systems is devising strategies that make these systems robust to adversarial attacks. There is a long line of work that focuses on developing defenses against these attacks, but recently, researchers have began to study ways to reverse engineer the attack process. This allows us to not only defend against several attack models, but also classify the threat model. However, there is still a lack of theoretical guarantees for the reverse engineering process. Current approaches that give any guarantees are based on the assumption that the data lies in a union of linear subspaces, which is not a valid assumption for more complex datasets. In this paper, we build on prior work and propose a novel framework for reverse engineering of deceptions which supposes that the clean data lies in the range of a GAN. To classify the signal and attack, we jointly solve a GAN inversion problem and a block-sparse recovery problem. For the first time in the literature, we provide deterministic linear convergence guarantees for this problem. We also empirically demonstrate the merits of the proposed approach on several nonlinear datasets as compared to state-of-the-art methods.