While deep neural networks show unprecedented performance in various tasks, the vulnerability to adversarial examples hinders their deployment in safety-critical systems. Many studies have shown that attacks are also possible even in a black-box setting where an adversary cannot access the target model's internal information. Most black-box attacks are based on queries, each of which obtains the target model's output for an input, and many recent studies focus on reducing the number of required queries. In this paper, we pay attention to an implicit assumption of query-based black-box adversarial attacks that the target model's output exactly corresponds to the query input. If some randomness is introduced into the model, it can break the assumption, and thus, query-based attacks may have tremendous difficulty in both gradient estimation and local search, which are the core of their attack process. From this motivation, we observe even a small additive input noise can neutralize most query-based attacks and name this simple yet effective approach Small Noise Defense (SND). We analyze how SND can defend against query-based black-box attacks and demonstrate its effectiveness against eight state-of-the-art attacks with CIFAR-10 and ImageNet datasets. Even with strong defense ability, SND almost maintains the original classification accuracy and computational speed. SND is readily applicable to pre-trained models by adding only one line of code at the inference.
翻译:虽然深神经网络显示各种任务的空前表现,但容易受到对抗性攻击的例子会阻碍其在安全临界系统中的部署。许多研究显示,即使在对手无法访问目标模型内部信息的黑盒子环境中,攻击也是可能的。 大多数黑盒子攻击都是基于询问,每个黑盒子攻击都获得输入的目标模型输出,而且最近许多研究的重点是减少所需查询的数量。 在本文件中,我们关注基于询问的黑盒子对抗性攻击的隐含假设,即目标模型的产出与查询输入完全吻合。如果在模型中引入某种随机性,它可以打破假设,因此基于查询的攻击在梯度估计和地方搜索(这是其攻击过程的核心)方面都可能存在极大的困难。我们从这一动机中看到,即使是一个小的添加性输入噪音也能抑制大多数以查询为基础的攻击,并说出这个简单而有效的方法“小型噪音防御 ” 。 我们分析SND如何抵御基于查询的黑箱攻击,并展示其针对八种状态攻击的有效性。如果在模型中引入某些随机性攻击,那么以查询为基础的假设,那么基于查询性攻击在梯-10和可应用的图像网络数据转换前的精确度上,甚至以一个原始的精确度来将SND数据转换为最精确的模型,甚至以一个原始的原始的精确进行。
相关内容
微信扫码咨询专知VIP会员