Cross-modal Adversarial Reprogramming

Neural networks have been shown to be vulnerable to adversarial examples [5, 26, 25, 20, 35, 33, 22, 10, 11, 9] which are slightly perturbed inputs that cause victim models to make a mistake. Adversarial Reprogramming was introduced by [4] as a new form of adversarial threat that allows an adversary to repurpose neural networks to perform new tasks, which are different from the tasks they were originally trained for. The proposed technique trains a single adversarial perturbation that can be added to all inputs in order to re-purpose the target model for an attacker’s chosen task. The adversary achieves this by first defining a hard-coded one-to-one label remapping function that maps the output labels of the adversarial task to the label space of the classifier; and learning a corresponding adversarial reprogramming function that transforms an input from the input space of the new task to the input space of the classifier. The authors demonstrated the feasibility of their attack algorithm by reprogramming ImageNet classification models for classifying MNIST and CIFAR-10 data in a white-box setting, where the attacker has access to the victim model parameters.

While the above attack does not require any changes to the victim model parameters or architecture, the adversarial program proposed [4] is only applicable to tasks where the input space of the the original and adversarial task is continuous. To understand the feasibility of attack in a discrete data domain, [21] proposed methods to repurpose text classification neural networks for alternate tasks, which operate on sequences from a discrete input space. The attack algorithm used a context-based vocabulary remapping method that performs a computationally inexpensive input transformation to reprogram a victim classification model for a new set of sequences. This work was also the first in designing algorithms for training such an input transformation function in both white-box and black-box settings—where the adversary may or may not have access to the victim model’s architecture and parameters. They demonstrated the success of their proposed reprogramming functions by adversarially re-purposing various text-classification models including Long Short Term Memory networks (LSTM) [8], bi-directional LSTMs [6] and CNNs [36] for alternate text classification tasks.

Recent works [14, 32] have argued that reprogramming techniques can be viewed as an efficient training method and can be a superior alternative to transfer learning. Particularly [32] argue that one of the major limitations of current transfer learning techniques is the requirement of large amounts of target domain data, which is needed to fine-tune pre-trained neural networks. They demonstrated the advantage of instead using reprogramming techniques to repurpose existing ML models for alternate tasks, which can be done even when training data is scarce. The authors designed a black-box adversarial reprogramming method, that can be trained iteratively from input-output model responses, and demonstrated its success in repurposing ImageNet models for medical imaging tasks such as classification of autism spectrum disorders, melanoma detection, etc.

All of these existing reprogramming techniques are only able to reprogram ML models when the data domain of the target adversarial task and the original task are the same. We address this limitation in our work by designing adversarial input transformation functions that allow image classification models to be reprogrammed for sequence classification tasks such as natural language and protein sequence classification.

While Convolutional Neural Networks (CNNs) have long achieved state-of-the-art performance on vision benchmarks, the recently proposed Vision Transformers (ViTs) [2] have been shown to outperform CNNs on several image classification tasks. Transformers [34] are known for achieving state-of-the-art performance in natural language processing (NLP). In order to train transformers for image classification tasks, the authors [2] divided an image into patches and provide the sequence of linear embeddings of these patches as an input to a transformer. Image patches are treated the same way as tokens (words) in an NLP application and the model is trained on image classification in a supervised manner. The authors report that when ViTs are trained on large-scale image datasets, they are competitive and also outperform state-of-the-art models on multiple image recognition benchmarks.

Since transformers can model both language and vision data in a similar manner, that is, as a sequence of embeddings, we are curious to investigate whether a vision transformer can be reprogrammed for a text classification task. In the process, we find that CNN network architectures can also be reprogrammed to achieve competitive performance on discrete sequence classification tasks. In the next section, we discuss our cross-modal adversarial reprogramming approach.

Consider a victim image classifier $C$ trained for mapping images $x\in X$ to a label $\mathit{l_{X}}\in\mathit{L_{X}}$. That is,

An adversary wishes to repurpose this victim image classifier for an alternate text classification task $C^{\prime}$ of mapping sequences $t\in T$ to a label $\mathit{l_{T}}\in\mathit{L_{T}}$. That is,

To achieve this goal, the adversary needs to learn appropriate mapping functions between the input and output spaces of the original and the new task. We solve this by first defining a label remapping $\mathit{f_{L}}$ that maps label spaces of the two tasks: $\mathit{f_{L}}:\mathit{l_{X}}\mapsto\mathit{l_{T}}$ ; and then learning a corresponding adversarial program $\mathit{f_{\theta}}$ that maps a sequence $t\in T$ to an image $x\in X$ i.e., $\mathit{f_{\theta}}:t\mapsto x$ such that $\mathit{f_{L}}(C(f_{\theta}(t)))$ acts as the target classifier $C^{\prime}$.

We assume a white-box adversarial reprogramming setting where the adversary has complete knowledge about architecture and model parameters of the victim image classifier. In the next few sections we describe the adversarial program $f_{\theta}$, the label remapping function and the training procedure to learn the adversarial program.

The goal of our adversarial program is to map a sequence of discrete tokens $t\in T$ to an image $x\in X$. Without loss of generalizability, we assume $X=[-1,1]^{\mathit{h\times w\times c}}$ to be the scaled input space of the image classifier $C$ where $\mathit{h,w}$ are the height and width of the input image and $c$ is the number of channels. The tokens in the sequence $t$ belong to some vocabulary list $V_{T}$. We can represent the sequence $t$ as $t=t_{1},t_{2},\ldots,t_{N}$ where $t_{i}$ is the vocabulary index of the $i_{\mathit{th}}$ token in sequence $t$ in the vocabulary list $V_{T}$.

When designing the adversarial program it is important to consider the computational cost of the reprogramming function $\mathit{f_{\theta}}$. This is because if a classification model that performs equally well can be trained from scratch for the classification task $C^{\prime}$ and is computationally cheaper than the reprogramming function, it would defeat the purpose of adversarial reprogramming.

Keeping the above in mind, we design a reprogramming function that looks up embeddings of the tokens $t_{i}$ and arranges them as contiguous patches of size $p\times p$ in an image that is fed as input to the classifier $C$. Mathematically, the reprogramming function $\mathit{f_{\theta}}$ is parameterized by a learnable embedding tensor $\theta_{|V_{T}|\times|p|\times|p|\times|c|}$ and performs the transformation $\mathit{f_{\theta}}:t\mapsto x$ as per Algorithm 1.

The patch size $p$ and image dimensions $h,w$ determine the maximum length of the sequence $t$ that can be encoded into the image. We pad all the input sequences $t$ all the way up to the maximum allowed sequence length with a padding token to fill up the reprogrammed image and clip any sequences longer than the maximum allowed length from the end. More details about the hyper-parameters can be found in our experiments section.

Concealing the adversarial perturbation: Most past works on adversarial reprogramming have considered an unconstrained attack setting, where the reprogrammed image does not necessarily need to resemble a real-world image. However, as noted by [4], it is possible to conceal the reprogrammed image in a real-world image by constraining the output of the reprogramming function. We can conceal the reprogrammed image as an additive perturbation to some real-world base image $x_{c}$ by defining an alternate reprogramming function $f^{\prime}_{\theta}$ as follows:

Since the output of the original reprogramming function ${f_{\theta}}$ is bounded between $[-1,1]$, we can control the $L_{\infty}$ norm of the added perturbation using the parameter $\epsilon\in[0,1]$.

Computational Complexity: As depicted in Figure 1, during inference, the adversarial program only looks up embeddings of the tokens in the sequence $t$ and arranges them in an image tensor which can optionally be added onto a base image. Asymptotically, the time complexity of this adversarial program is linear in terms of the length of the sequence $t$. Since there are no matrix-vector multiplications involved in the adversarial program, it is computationally equivalent to just the embedding layer of a sequence-based neural classifier. Therefore the inference cost of the adversarial program is significantly less than that of a sequence-based neural classifier. Table 1 in our supplementary material compares the wall-clock inference time for a sequence of length $500$ for our adversarial program and various sequence-based neural classifiers used in our experiments.

Past works [4, 21, 32] on adversarial reprogramming assume that the number of labels in the target task are less than than the number of labels in the original task. In our work, we relax this constraint and propose label remapping functions for both of the following scenarios:

1. Target task has fewer labels than the original task: Initial works on adversarial reprogramming defined a one-to-one mapping between the labels of the original and new task [4, 21]. However, recent work [32] found that mapping multiple source labels to one target label helps improve the performance over one-to-one mapping. Our preliminary experiments on cross-modal reprogramming confirm this finding, however, we differ in the way the final score of a target label $l_{t}$ is aggregated—[32] obtained the final score for a target label as the mean of the scores of the mapped original labels. We found that aggregating the score by taking the maximum rather than the mean over the mapped original labels leads to faster training. Another advantage of using max reduction is that during inference, we can directly map the original predicted label to our target label without requiring access to probability scores of any other label.

Consider a target task label $l_{t}$, mapped to a subset of labels $L_{S_{t}}\subset L_{S}$ of the original task under the many-to-one label remapping function $f_{L}$. We obtain the score for this target task label as the maximum of the scores of each label $l_{i}\in L_{S_{t}}$ by classifier $C$. That is,

where $Z_{k}(x)$ and $Z^{\prime}_{k}(t)$ represent the score (before softmax) assigned to some label $k$ by classifier $C$ and $C^{\prime}$ respectively.

To define the label remapping $f_{L}$, instead of randomly assigning $m$ source labels to a target label, we first obtain the model predictions on the base image $x_{c}$ (or a zero image in the case of an unbounded attack) and sort the labels by the obtained scores; We then assign the the highest scored source labels to each target label using a round-robin strategy until we have assigned $m$ source labels to each target label.

Note that while we need access to individual class scores during training (where we assume a white-box attack setting), during inference we can simply map the highest predicted label to the target label using the label remapping function $f_{L}$ without having to know the actual scores assigned to different labels.

2. Original task has fewer labels than the target task: In this scenario, we map the probability distribution over the original labels to a distribution over target labels to class scores for the target label space using a learnable linear transformation. That is,

Here $Z^{\prime}(t)$ is a vector representing class scores (logits) for the target label space. $\theta^{\prime}_{|L_{T}|\times|L_{X}|}$ are the learnable parameters of the linear transformation that are optimized along with the parameters of the reprogramming function $f_{\theta}$. Note that unlike the previous scenario, in this setting, we assume that we have access to the probability scores of the original labels during both training and inference.

Optimization Objective: To train the parameters $\theta$ of our adversarial program, we use a cross-entropy loss between the target label and the model score predictions obtained as per Equation 2 or Equation 3. We also incorporate an $L_{2}$ regularization loss for better generalization on the test set and to encourage more imperceptible perturbation in the case of our bounded attack. Therefore our final optimization objective is the following:

Here $\lambda$ is the regularization hyper-parameter and $P_{l_{t}}$ is the predicted class probability of the correct label $l_{t}$ for sequence $t$. We use mini-batch gradient descent using an Adam optimizer [13] to solve the above optimization problem on the dataset of the target task.

To demonstrate cross-modal adversarial reprogramming, we perform experiments on four neural architectures trained on the ImageNet dataset. We choose both CNNs and the recently proposed Vision Transformers (ViT) [2] as our victim image classifiers. While CNNs have long achieved state-of-the-art performance on computer-vision benchmarks, the recently proposed ViTs have been shown to outperform CNNs on several image classification tasks. We choose the ViT-Base [2], ResNet-50 [7], InceptionNet-V3 [30] and EfficientNet-B7 [31] architectures. The details of these architectures are listed in Table 1. We perform experiments on both pre-trained and randomly initialized networks.

In this work, we repurpose the aforementioned image classifiers for several discrete sequence classification tasks. We wish to analyze the performance of cross-modal adversarial reprogramming for different applications such as understanding language and analyzing sequential biomedical data. Biomedical datasets e.g. splice-junction detection in genes, often have fewer training samples than language based datasets and we aim to understand whether such limitations can adversely affect our proposed reprogramming technique.

Sentiment analysis and topic classification are popular NLP tasks. However, analyzing the underlying semantics of the sequence is often not necessary for solving these tasks since word-frequency based statistics can serve as strong discriminatory features. In contrast, tasks like DNA-sequence classification requires analyzing the sequential semantics of the input and simple frequency analysis of the unigrams or n-grams does not achieve competitive performance on these tasks. To evaluate the effectiveness of adversarial reprogramming in both of these scenarios, we consider the following tasks and datasets in our experiments:

Input image size and patch size: The ViT-Base model utilized in our work is trained on images of size $384\times 384$ and works on image patches of size $16\times 16$. For all our experiments, we fix the input image size to be $384\times 384$. When we use a patch of size $16\times 16$ for encoding a single token in our sequence, it allows for a maximum of $576$ tokens to be encoded into a single image. In our initial experiments we found that using larger patch sizes for smaller sequences leads to higher performance on the target task, since it encodes a sequence in a spatially larger area of the image. Therefore, we choose our patch size as the largest possible multiple of $16$ that can encode the longest sequence in our target task dataset. We list the patch size $p$ used for different tasks in Table 3.

Training hyper-parameters: We train each adversarial program on a single Titan 1080i GPU using a batch size of $4$. We set the learning rate as $0.001$ for the unbounded attacks and $0.001\times\epsilon^{-1}$ for our bounded attacks (Equation 1). We set the $L_{2}$ regularization hyper-parameter $\lambda=1e-4$ for all our experiments and train the adversarial program for a maximum 100k mini-batch iterations in the unbouned attack setting and for 200k mini-batch iterations in the bounded attack setting. We map 10 original labels to each target label in the scenario when there are fewer labels for the target task than for the original task. We point the readers to our codebase for precise implementation.¹¹1https://github.com/paarthneekhara/multimodal_rerprogramming

Experimental results of our proposed cross-modal reprogramming method are reported in Table 3. In these experiments, the original task has more labels than the target task so we use the label remapping function given by Equation 2. We first consider the unbounded attack setting, where the output of the adversarial program does not need to be concealed in a real-world image. For these experiments, we use the reprogramming function $f_{\theta}$ described in Algorithm 1. We also note that the primary evaluation of past reprogramming works [4, 21, 32] is done in an unbounded attack setting.

When attacking pre-trained image classifiers, we achieve competitive performance (as compared to benchmark classifiers trained from scratch, reported in Table 2) across several tasks for all victim image classification models. To assess the importance of pre-training the victim model on the original dataset, we also experiment with reprogramming untrained randomly initialized networks.

Randomly initialized neural networks can potentially have rich structure which the reprogramming functions can exploit. Prior works [19, 17] have shown that wide neural networks can behave as Gaussian processes, where training specific weights in the intermediate layers is not necessary to perform many different tasks. However, in our experiments, we find that for CNN-based image classifiers, reprogramming pre-trained neural networks performs significantly better than reprogramming randomly initialized networks for all tasks. This is consistent with the findings of prior reprogramming work [4] which reports that adversarial reprogramming in the image domain is more effective when it targets pre-trained CNNs. For the ViT model, we find that we are able to obtain competitive performance on sentiment and topic classification tasks when reprogramming either randomly initialized or pre-trained models. Particularly, we find that reprogramming untrained vision transformers provides the highest accuracy on the IMDB classification task. However, for DNA sequence classification tasks (Splice and H3) that require structural analysis of the sequence rather than token-frequency statistics, we find that reprogramming pre-trained vision transformer model performs significantly better than a randomly initialized transformer model.

The ViT model outperforms other architectures on 5 out of 6 tasks in the unbounded attack setting. In particular, for the task of splice-junction detection in gene sequences, reprogramming a pre-trained ViT model outperforms both TF-IDF and neural classifiers trained from scratch. For sentiment analysis and topic classification tasks, which primarily require keyword detection, some reprogramming methods achieve competitive performance as the benchmark methods reported in Table 2.

Additionally, to assess the importance of the victim classifier for solving the target task, we study the extent to which the task can be solved without the victim classifier and using only the adversarial reprogramming function with a linear classification head. We present the results and details of this experiment in Table 3 of our supplementary material.

Concealing the adversarial perturbation: To conceal the output of the adversarial program in a real-world image, we follow the adversarial reprogramming function defined in Equation 1. We randomly select an image from the ImageNet dataset (shown in Figure 2) as the base image $x_{c}$ and train adversarial programs targeting different image classifiers for the same base image. We present the results at $L_{\infty}=0.1$ (on a 0 to 1 pixel value scale) distortion between the reprogrammed image and the base image $x_{c}$ on the right side of Table 3. It can be seen that for some drop in performance, it is possible to perform adversarial reprogramming such that the input sequence is concealed in a real-world image. Figure 1 in our supplementary material shows the accuracy on three target tasks for different magnitudes of allowed perturbation, while reprogramming a pre-trained ViT model.

In a practical attack scenario, the adversary may only have access to a victim image classifier with fewer labels than the target task labels. To evaluate adversarial reprogramming in this scenario, we constrain the adversary’s access to the class-probability scores of just $q$ labels of the ImageNet classifier. We choose the most frequent $q$ ImageNet labels as the original labels, that can be accessed by the adversary; and perform our experiments on two tasks from our datasets, which have the highest number of labels—AG News (4 labels) and DBPedia (14 labels). We use the label remapping function given by Equation 3, and learn a linear transformation to map the predicted probability distribution over the $q$ original labels to the target task label scores.

We demonstrate that we are able to perform adversarial reprogramming even in this more constrained setting. We achieve similar performance as compared to our many-to-one label remapping scenario reported in Table 3 when $q$ is close to the number of labels in the target task. This is because we learn an additional mapping function for the output interface, which can potentially lead to better optimization. However as a downside, this setting requires access to all $q$ class probability scores for predicting the adversarial label, while in the previous many-to-one label remapping scenario, we only need to know the highest-scored original label for mapping it to one of the adversarial labels.