Random Entangled Tokens for Adversarially Robust Vision Transformer

Huihui Gong; Minjing Dong; Siqi Ma; Seyit Camtepe; Surya Nepal; Chang Xu

doi:10.1109/CVPR52733.2024.02318

Random Entangled Tokens for Adversarially Robust Vision Transformer

Huihui Gong, Minjing Dong, Siqi Ma, Seyit Camtepe, Surya Nepal, Chang Xu

Department of Computer Science

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review

5 Citations (Scopus)

Abstract

Vision Transformers (ViTs) have emerged as a compelling alternative to Convolutional Neural Networks (CNNs) in the realm of computer vision, showcasing tremendous potential. However, recent research has un-veiled a susceptibility of ViTs to adversarial attacks, akin to their CNN counterparts. Adversarial training and randomization are two representative effective defenses for CNNs. Some researchers have attempted to apply adversarial training to ViTs and achieved comparable robustness to CNNs, while it is not easy to directly apply randomization to ViTs because of the architecture difference between CNNs and ViTs. In this paper, we delve into the structural intricacies of ViTs and propose a novel defense mechanism termed Random entangled image Transformer (ReiT), which seamlessly integrates adversarial training and randomization to bolster the adversarial robustness of ViTs. Recognizing the challenge posed by the structural disparities between ViTs and CNNs, we introduce a novel module, input-independent random entangled self-attention (II-ReSA). This module op-timizes random entangled tokens that lead to 'dissimilar' self-attention outputs by leveraging model parameters and the sampled random tokens, thereby synthesizing the self-attention module outputs and random entangled tokens to diminish adversarial similarity. ReiT incorporates two distinct random entangled tokens and employs dual randomization, offering an effective countermeasure against adversarial examples while ensuring comprehensive deduction guarantees. Through extensive experiments conducted on various ViT variants and benchmarks, we substantiate the superiority of our proposed method in enhancing the adversarial robustness of Vision Transformers. © 2024 IEEE.

Original language	English
Title of host publication	Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition
Publisher	IEEE
Pages	24554-24563
Number of pages	10
ISBN (Electronic)	979-8-3503-5300-6
ISBN (Print)	979-8-3503-5301-3
DOIs	https://doi.org/10.1109/CVPR52733.2024.02318
Publication status	Published - 2024
Event	2024 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR 2024) - Seattle Convention Center, Seattle, United States Duration: 17 Jun 2024 → 21 Jun 2024 https://cvpr.thecvf.com/Conferences/2024 https://ieeexplore.ieee.org/xpl/conhome/1000147/all-proceedings https://cvpr.thecvf.com/virtual/2024/index.html

Publication series

Name	Proceedings of the IEEE Computer Society Conference on Computer Vision and Pattern Recognition
Publisher	IEEE Computer Society
ISSN (Print)	1063-6919
ISSN (Electronic)	2575-7075

Conference

Conference	2024 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR 2024)
Place	United States
City	Seattle
Period	17/06/24 → 21/06/24
Internet address	https://cvpr.thecvf.com/Conferences/2024 https://ieeexplore.ieee.org/xpl/conhome/1000147/all-proceedings https://cvpr.thecvf.com/virtual/2024/index.html

Research Keywords

Adversarial Robustness
Randomized Defence
Self-Attention Mechanism
Vision Transformers

Access Output

10.1109/CVPR52733.2024.02318

https://openaccess.thecvf.com/content/CVPR2024/html/Gong_Random_Entangled_Tokens_for_Adversarially_Robust_Vision_Transformer_CVPR_2024_paper.html

Other Access Options

Check CityUHK Library

Permanent Link

Right click to copy link

Cite this

Gong, H., Dong, M., Ma, S., Camtepe, S., Nepal, S., & Xu, C. (2024). Random Entangled Tokens for Adversarially Robust Vision Transformer. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (pp. 24554-24563). (Proceedings of the IEEE Computer Society Conference on Computer Vision and Pattern Recognition). IEEE. https://doi.org/10.1109/CVPR52733.2024.02318

@inproceedings{c4c0edf48ed347cc95f9e0dac2b66d21,

title = "Random Entangled Tokens for Adversarially Robust Vision Transformer",

abstract = "Vision Transformers (ViTs) have emerged as a compelling alternative to Convolutional Neural Networks (CNNs) in the realm of computer vision, showcasing tremendous potential. However, recent research has un-veiled a susceptibility of ViTs to adversarial attacks, akin to their CNN counterparts. Adversarial training and randomization are two representative effective defenses for CNNs. Some researchers have attempted to apply adversarial training to ViTs and achieved comparable robustness to CNNs, while it is not easy to directly apply randomization to ViTs because of the architecture difference between CNNs and ViTs. In this paper, we delve into the structural intricacies of ViTs and propose a novel defense mechanism termed Random entangled image Transformer (ReiT), which seamlessly integrates adversarial training and randomization to bolster the adversarial robustness of ViTs. Recognizing the challenge posed by the structural disparities between ViTs and CNNs, we introduce a novel module, input-independent random entangled self-attention (II-ReSA). This module op-timizes random entangled tokens that lead to 'dissimilar' self-attention outputs by leveraging model parameters and the sampled random tokens, thereby synthesizing the self-attention module outputs and random entangled tokens to diminish adversarial similarity. ReiT incorporates two distinct random entangled tokens and employs dual randomization, offering an effective countermeasure against adversarial examples while ensuring comprehensive deduction guarantees. Through extensive experiments conducted on various ViT variants and benchmarks, we substantiate the superiority of our proposed method in enhancing the adversarial robustness of Vision Transformers. {\textcopyright} 2024 IEEE.",

keywords = "Adversarial Robustness, Randomized Defence, Self-Attention Mechanism, Vision Transformers",

author = "Huihui Gong and Minjing Dong and Siqi Ma and Seyit Camtepe and Surya Nepal and Chang Xu",

year = "2024",

doi = "10.1109/CVPR52733.2024.02318",

language = "English",

isbn = "979-8-3503-5301-3",

series = "Proceedings of the IEEE Computer Society Conference on Computer Vision and Pattern Recognition",

publisher = "IEEE",

pages = "24554--24563",

booktitle = "Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition",

address = "United States",

note = "2024 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR 2024)<br/> ; Conference date: 17-06-2024 Through 21-06-2024",

url = "https://cvpr.thecvf.com/Conferences/2024, https://ieeexplore.ieee.org/xpl/conhome/1000147/all-proceedings, https://cvpr.thecvf.com/virtual/2024/index.html",

}

Gong, H, Dong, M, Ma, S, Camtepe, S, Nepal, S & Xu, C 2024, Random Entangled Tokens for Adversarially Robust Vision Transformer. in Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. Proceedings of the IEEE Computer Society Conference on Computer Vision and Pattern Recognition, IEEE, pp. 24554-24563, 2024 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR 2024)
, Seattle, Washington, United States, 17/06/24. https://doi.org/10.1109/CVPR52733.2024.02318

Random Entangled Tokens for Adversarially Robust Vision Transformer. / Gong, Huihui; Dong, Minjing; Ma, Siqi et al.
Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. IEEE, 2024. p. 24554-24563 (Proceedings of the IEEE Computer Society Conference on Computer Vision and Pattern Recognition).

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review

TY - GEN

T1 - Random Entangled Tokens for Adversarially Robust Vision Transformer

AU - Gong, Huihui

AU - Dong, Minjing

AU - Ma, Siqi

AU - Camtepe, Seyit

AU - Nepal, Surya

AU - Xu, Chang

PY - 2024

Y1 - 2024

N2 - Vision Transformers (ViTs) have emerged as a compelling alternative to Convolutional Neural Networks (CNNs) in the realm of computer vision, showcasing tremendous potential. However, recent research has un-veiled a susceptibility of ViTs to adversarial attacks, akin to their CNN counterparts. Adversarial training and randomization are two representative effective defenses for CNNs. Some researchers have attempted to apply adversarial training to ViTs and achieved comparable robustness to CNNs, while it is not easy to directly apply randomization to ViTs because of the architecture difference between CNNs and ViTs. In this paper, we delve into the structural intricacies of ViTs and propose a novel defense mechanism termed Random entangled image Transformer (ReiT), which seamlessly integrates adversarial training and randomization to bolster the adversarial robustness of ViTs. Recognizing the challenge posed by the structural disparities between ViTs and CNNs, we introduce a novel module, input-independent random entangled self-attention (II-ReSA). This module op-timizes random entangled tokens that lead to 'dissimilar' self-attention outputs by leveraging model parameters and the sampled random tokens, thereby synthesizing the self-attention module outputs and random entangled tokens to diminish adversarial similarity. ReiT incorporates two distinct random entangled tokens and employs dual randomization, offering an effective countermeasure against adversarial examples while ensuring comprehensive deduction guarantees. Through extensive experiments conducted on various ViT variants and benchmarks, we substantiate the superiority of our proposed method in enhancing the adversarial robustness of Vision Transformers. © 2024 IEEE.

AB - Vision Transformers (ViTs) have emerged as a compelling alternative to Convolutional Neural Networks (CNNs) in the realm of computer vision, showcasing tremendous potential. However, recent research has un-veiled a susceptibility of ViTs to adversarial attacks, akin to their CNN counterparts. Adversarial training and randomization are two representative effective defenses for CNNs. Some researchers have attempted to apply adversarial training to ViTs and achieved comparable robustness to CNNs, while it is not easy to directly apply randomization to ViTs because of the architecture difference between CNNs and ViTs. In this paper, we delve into the structural intricacies of ViTs and propose a novel defense mechanism termed Random entangled image Transformer (ReiT), which seamlessly integrates adversarial training and randomization to bolster the adversarial robustness of ViTs. Recognizing the challenge posed by the structural disparities between ViTs and CNNs, we introduce a novel module, input-independent random entangled self-attention (II-ReSA). This module op-timizes random entangled tokens that lead to 'dissimilar' self-attention outputs by leveraging model parameters and the sampled random tokens, thereby synthesizing the self-attention module outputs and random entangled tokens to diminish adversarial similarity. ReiT incorporates two distinct random entangled tokens and employs dual randomization, offering an effective countermeasure against adversarial examples while ensuring comprehensive deduction guarantees. Through extensive experiments conducted on various ViT variants and benchmarks, we substantiate the superiority of our proposed method in enhancing the adversarial robustness of Vision Transformers. © 2024 IEEE.

KW - Adversarial Robustness

KW - Randomized Defence

KW - Self-Attention Mechanism

KW - Vision Transformers

UR - http://www.scopus.com/inward/record.url?scp=85207677863&partnerID=8YFLogxK

UR - https://www.scopus.com/record/pubmetrics.uri?eid=2-s2.0-85207677863&origin=recordpage

U2 - 10.1109/CVPR52733.2024.02318

DO - 10.1109/CVPR52733.2024.02318

M3 - RGC 32 - Refereed conference paper (with host publication)

SN - 979-8-3503-5301-3

T3 - Proceedings of the IEEE Computer Society Conference on Computer Vision and Pattern Recognition

SP - 24554

EP - 24563

BT - Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition

PB - IEEE

T2 - 2024 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR 2024)<br/>

Y2 - 17 June 2024 through 21 June 2024

ER -

Gong H, Dong M, Ma S, Camtepe S, Nepal S, Xu C. Random Entangled Tokens for Adversarially Robust Vision Transformer. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. IEEE. 2024. p. 24554-24563. (Proceedings of the IEEE Computer Society Conference on Computer Vision and Pattern Recognition). Epub 2024 Sept 16. doi: 10.1109/CVPR52733.2024.02318

Random Entangled Tokens for Adversarially Robust Vision Transformer

Abstract

Publication series

Conference

Research Keywords

Access Output

Other Access Options

Permanent Link

Other Files and Links

Fingerprint

Cite this