51 research outputs found
Unifying Gradients to Improve Real-world Robustness for Deep Networks
The wide application of deep neural networks (DNNs) demands an increasing
amount of attention to their real-world robustness, i.e., whether a DNN resists
black-box adversarial attacks, among which score-based query attacks (SQAs) are
most threatening since they can effectively hurt a victim network with the only
access to model outputs. Defending against SQAs requires a slight but artful
variation of outputs due to the service purpose for users, who share the same
output information with SQAs. In this paper, we propose a real-world defense by
Unifying Gradients (UniG) of different data so that SQAs could only probe a
much weaker attack direction that is similar for different samples. Since such
universal attack perturbations have been validated as less aggressive than the
input-specific perturbations, UniG protects real-world DNNs by indicating
attackers a twisted and less informative attack direction. We implement UniG
efficiently by a Hadamard product module which is plug-and-play. According to
extensive experiments on 5 SQAs, 2 adaptive attacks and 7 defense baselines,
UniG significantly improves real-world robustness without hurting clean
accuracy on CIFAR10 and ImageNet. For instance, UniG maintains a model of
77.80% accuracy under 2500-query Square attack while the state-of-the-art
adversarially-trained model only has 67.34% on CIFAR10. Simultaneously, UniG
outperforms all compared baselines in terms of clean accuracy and achieves the
smallest modification of the model output. The code is released at
https://github.com/snowien/UniG-pytorch
Study of R161 Refrigerant for Residential Air-conditioning Applications
In order to investigate the feasibility of R161 applied in residential air conditioners, the thermodynamic performance and comprehensive theoretical thermodynamic cycle of R161, R22 and R290 under various air-conditioner operating conditions were carried out. Furthermore, the cooling and heating performance of R161 and R22 under various operating conditions was investigated experimentally in a 3.5 kW residential heat pump air conditioner. Property and thermodynamic cycle comparison showed that R161 has better thermodynamic performance than R290, the rated cooling and heating capacity is lower than R22 but higher than R290, the rated cooling and heating COP is higher than both R22 and R290. The experimental rated cooling capacity reduced 7.6% and rated cooling EER increased 6.1%, rated heating capacity reduced 6.8% and rated heating COP increased 4.7%, refrigerant optimized charge reduced 43% compared to R22 system, theoretical and experimental test revealed that R161 has lower discharge temperature than R22 system
Experimental Investigation on R245fa Throttling Devices under High Temperature
The experiments on mass flow rate characteristics of R245fa refrigerant flowing through throttling devices including seven capillary tubes and the electronic expansion valve were carried out under the high-temperature working conditions. By combining data analysis with flow correlations, the design basis that is applicable to R245fa throttling devices can be obtained. By comparing the experimental mass flow rate with that predicted by Jung Correlation and Kim Correlation, it can be concluded that root mean square deviations of two correlations are 3.2% and 3.3%, respectively. The root mean square deviation for electronic expansion valve is 4.5%. The conclusions offer high-accuracy design basis for throttling devices selection of high-temperature heat pump systems using R245fa as refrigerant
Online Continual Learning via Logit Adjusted Softmax
Online continual learning is a challenging problem where models must learn
from a non-stationary data stream while avoiding catastrophic forgetting.
Inter-class imbalance during training has been identified as a major cause of
forgetting, leading to model prediction bias towards recently learned classes.
In this paper, we theoretically analyze that inter-class imbalance is entirely
attributed to imbalanced class-priors, and the function learned from
intra-class intrinsic distributions is the Bayes-optimal classifier. To that
end, we present that a simple adjustment of model logits during training can
effectively resist prior class bias and pursue the corresponding Bayes-optimum.
Our proposed method, Logit Adjusted Softmax, can mitigate the impact of
inter-class imbalance not only in class-incremental but also in realistic
general setups, with little additional computational cost. We evaluate our
approach on various benchmarks and demonstrate significant performance
improvements compared to prior arts. For example, our approach improves the
best baseline by 4.6% on CIFAR10
Low-Dimensional Gradient Helps Out-of-Distribution Detection
Detecting out-of-distribution (OOD) samples is essential for ensuring the
reliability of deep neural networks (DNNs) in real-world scenarios. While
previous research has predominantly investigated the disparity between
in-distribution (ID) and OOD data through forward information analysis, the
discrepancy in parameter gradients during the backward process of DNNs has
received insufficient attention. Existing studies on gradient disparities
mainly focus on the utilization of gradient norms, neglecting the wealth of
information embedded in gradient directions. To bridge this gap, in this paper,
we conduct a comprehensive investigation into leveraging the entirety of
gradient information for OOD detection. The primary challenge arises from the
high dimensionality of gradients due to the large number of network parameters.
To solve this problem, we propose performing linear dimension reduction on the
gradient using a designated subspace that comprises principal components. This
innovative technique enables us to obtain a low-dimensional representation of
the gradient with minimal information loss. Subsequently, by integrating the
reduced gradient with various existing detection score functions, our approach
demonstrates superior performance across a wide range of detection tasks. For
instance, on the ImageNet benchmark, our method achieves an average reduction
of 11.15% in the false positive rate at 95% recall (FPR95) compared to the
current state-of-the-art approach. The code would be released
On Multi-head Ensemble of Smoothed Classifiers for Certified Robustness
Randomized Smoothing (RS) is a promising technique for certified robustness,
and recently in RS the ensemble of multiple deep neural networks (DNNs) has
shown state-of-the-art performances. However, such an ensemble brings heavy
computation burdens in both training and certification, and yet under-exploits
individual DNNs and their mutual effects, as the communication between these
classifiers is commonly ignored in optimization. In this work, starting from a
single DNN, we augment the network with multiple heads, each of which pertains
a classifier for the ensemble. A novel training strategy, namely Self-PAced
Circular-TEaching (SPACTE), is proposed accordingly. SPACTE enables a circular
communication flow among those augmented heads, i.e., each head teaches its
neighbor with the self-paced learning using smoothed losses, which are
specifically designed in relation to certified robustness. The deployed
multi-head structure and the circular-teaching scheme of SPACTE jointly
contribute to diversify and enhance the classifiers in augmented heads for
ensemble, leading to even stronger certified robustness than ensembling
multiple DNNs (effectiveness) at the cost of much less computational expenses
(efficiency), verified by extensive experiments and discussions
Efficient Generalization Improvement Guided by Random Weight Perturbation
To fully uncover the great potential of deep neural networks (DNNs), various
learning algorithms have been developed to improve the model's generalization
ability. Recently, sharpness-aware minimization (SAM) establishes a generic
scheme for generalization improvements by minimizing the sharpness measure
within a small neighborhood and achieves state-of-the-art performance. However,
SAM requires two consecutive gradient evaluations for solving the min-max
problem and inevitably doubles the training time. In this paper, we resort to
filter-wise random weight perturbations (RWP) to decouple the nested gradients
in SAM. Different from the small adversarial perturbations in SAM, RWP is
softer and allows a much larger magnitude of perturbations. Specifically, we
jointly optimize the loss function with random perturbations and the original
loss function: the former guides the network towards a wider flat region while
the latter helps recover the necessary local information. These two loss terms
are complementary to each other and mutually independent. Hence, the
corresponding gradients can be efficiently computed in parallel, enabling
nearly the same training speed as regular training. As a result, we achieve
very competitive performance on CIFAR and remarkably better performance on
ImageNet (e.g. ) compared with SAM, but always require half
of the training time. The code is released at https://github.com/nblt/RWP
Revisiting Random Weight Perturbation for Efficiently Improving Generalization
Improving the generalization ability of modern deep neural networks (DNNs) is
a fundamental challenge in machine learning. Two branches of methods have been
proposed to seek flat minima and improve generalization: one led by
sharpness-aware minimization (SAM) minimizes the worst-case neighborhood loss
through adversarial weight perturbation (AWP), and the other minimizes the
expected Bayes objective with random weight perturbation (RWP). While RWP
offers advantages in computation and is closely linked to AWP on a mathematical
basis, its empirical performance has consistently lagged behind that of AWP. In
this paper, we revisit the use of RWP for improving generalization and propose
improvements from two perspectives: i) the trade-off between generalization and
convergence and ii) the random perturbation generation. Through extensive
experimental evaluations, we demonstrate that our enhanced RWP methods achieve
greater efficiency in enhancing generalization, particularly in large-scale
problems, while also offering comparable or even superior performance to SAM.
The code is released at https://github.com/nblt/mARWP.
Comment: Accepted to TMLR 202
Security boundaries of an optical power limiter for protecting quantum key distribution systems
Unauthorized light injection has always been a vital threat to the practical
security of a quantum key distribution (QKD) system. An optical power limiter
(OPL) based on the thermo-optical defocusing effect has been proposed and
implemented, limiting the injected hacking light. As a hardware countermeasure,
the performance of the OPL under various light-injection attacks shall be
tested to clarify the security boundary before being widely deployed. To
investigate the OPL's security boundary in quantum cryptography, we
comprehensively test and analyse the behavior of OPL under continuous-wave
(c.w.) light-injection attacks and pulse illumination attacks with pulses'
repetition rate at 0.5-Hz, 40-MHz, and 1-GHz. The testing results illuminate the
security boundary of the OPL, which allows one to properly employ the OPL in
the use cases. The methodology of testing and analysis proposed here is
applicable to other power-limitation components in a QKD system.
Comment: 14 pages, 13 figure