Intrinsic Biologically Plausible Adversarial Robustness
This work addresses the adversarial robustness problem for AI systems, offering a biologically inspired approach that could enhance security in applications like computer vision, though it is incremental as it builds on existing methods.
The paper tackled the vulnerability of artificial neural networks to adversarial attacks by comparing a biologically plausible learning algorithm (PEPITA) with backpropagation-trained networks on computer vision tasks, finding that PEPITA showed higher intrinsic robustness and a better trade-off between natural and adversarial performance, with adversarial accuracies decreasing by only 0.26% versus 8.05% for BP on MNIST at similar natural accuracies.
Artificial Neural Networks (ANNs) trained with Backpropagation (BP) excel in different daily tasks but have a dangerous vulnerability: inputs with small targeted perturbations, also known as adversarial samples, can drastically disrupt their performance. Adversarial training, a technique in which the training dataset is augmented with exemplary adversarial samples, is proven to mitigate this problem but comes at a high computational cost. In contrast to ANNs, humans are not susceptible to misclassifying these same adversarial samples. Thus, one can postulate that biologically-plausible trained ANNs might be more robust against adversarial attacks. In this work, we chose the biologically-plausible learning algorithm Present the Error to Perturb the Input To modulate Activity (PEPITA) as a case study and investigated this question through a comparative analysis with BP-trained ANNs on various computer vision tasks. We observe that PEPITA has a higher intrinsic adversarial robustness and, when adversarially trained, also has a more favorable natural-vs-adversarial performance trade-off. In particular, for the same natural accuracies on the MNIST task, PEPITA's adversarial accuracies decrease on average only by 0.26% while BP's decrease by 8.05%.