We introduce the Lossy Implicit Network Activation Coding (LINAC) defence, an input transformation which successfully hinders several common adversarial attacks on CIFAR-$10$ classifiers for perturbations up to $\epsilon = 8/255$ in $L_\infty$ norm and $\epsilon = 0.5$ in $L_2$ norm. Implicit neural representations are used to approximately encode pixel colour intensities in $2\text{D}$ images such that classifiers trained on transformed data appear to have robustness to small perturbations without adversarial training or large drops in performance. The seed of the random number generator used to initialise and train the implicit neural representation turns out to be necessary information for stronger generic attacks, suggesting its role as a private key. We devise a Parametric Bypass Approximation (PBA) attack strategy for key-based defences, which successfully invalidates an existing method in this category. Interestingly, our LINAC defence also hinders some transfer and adaptive attacks, including our novel PBA strategy. Our results emphasise the importance of a broad range of customised attacks despite apparent robustness according to standard evaluations. LINAC source code and the parameters of the defended classifier evaluated throughout this submission are available at https://github.com/deepmind/linac