Deep learning models have shown remarkable performance on many image recognition, classification, and reconstruction tasks. Despite their predictive power, one threat remains hard to resolve: an adversary can introduce carefully crafted input perturbations that fool the network and cause potentially harmful mispredictions. Such attacks succeed both when the adversary has full access to the target model (white-box) and when that access is limited (black-box). An ensemble of models can protect against such attacks, but it remains brittle when its members share vulnerabilities, since an adversarial example crafted against one member then transfers to the others (attack transferability). To that end, this work proposes a novel diversity-promoting learning approach for deep ensembles. The idea is to promote saliency map diversity (SMD) among ensemble members by adding a term to the learning objective, so that an attacker cannot target all members at once. During training, this term minimizes the alignment between member saliency maps, reducing shared vulnerabilities and thus increasing the ensemble's robustness to adversaries. We empirically show reduced transferability between ensemble members and improved performance compared to the state-of-the-art ensemble defense against medium- and high-strength white-box attacks. In addition, we demonstrate that our approach combined with existing methods outperforms state-of-the-art ensemble algorithms for defense under both white-box and black-box attacks.
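The abstract describes two linked ideas: a saliency-alignment term added to the ensemble's training objective, and the observation that aligned saliencies are what lets a perturbation crafted on one member transfer to another. The following added example (not code from the paper or its authors) makes both concrete on a constructed toy ensemble of linear softmax classifiers. The saliency map is taken to be the gradient of each member's loss with respect to the input, and the alignment penalty is instantiated as the mean pairwise cosine similarity between member saliencies; both are assumptions standing in for the paper's exact definitions, as are the weights, the sample point and the `lam` weighting.

```python
import numpy as np

# Constructed toy ensemble: each member is a linear softmax classifier (W, b)
# on 2-D inputs with 2 classes. Members A and B have parallel weight
# directions (a shared vulnerability); member C is orthogonal to both.
MEMBER_A = (np.array([[1.0, -1.0], [0.0, 0.0]]), np.zeros(2))
MEMBER_B = (np.array([[2.0, -2.0], [0.0, 0.0]]), np.zeros(2))
MEMBER_C = (np.array([[0.0, 0.0], [1.0, -1.0]]), np.zeros(2))

# Constructed sample point: the origin, labelled class 0.
SAMPLE_X = np.zeros(2)
SAMPLE_Y = 0


def softmax(z):
    z = z - z.max()
    e = np.exp(z)
    return e / e.sum()


def loss_and_saliency(member, x, y):
    """Cross-entropy loss of one member on (x, y) and its saliency map,
    taken here (assumption) to be the gradient of that loss w.r.t. x."""
    W, b = member
    p = softmax(x @ W + b)
    onehot = np.eye(len(p))[y]
    loss = float(-np.log(p[y]))
    grad_x = W @ (p - onehot)          # d loss / d x for a linear model
    return loss, grad_x


def member_saliencies(members, x, y):
    """Saliency map of every member at the same input."""
    return [loss_and_saliency(m, x, y)[1] for m in members]


def saliency_alignment(saliencies):
    """Mean pairwise cosine similarity between member saliency maps.
    1.0: every member reacts to the same input direction; 0.0: the maps
    are mutually orthogonal. (Assumed instantiation of the SMD term.)"""
    S = np.stack(saliencies)
    S = S / (np.linalg.norm(S, axis=1, keepdims=True) + 1e-12)
    gram = S @ S.T
    k = len(saliencies)
    return float(gram[~np.eye(k, dtype=bool)].mean())


def ensemble_objective(members, x, y, lam):
    """Average member loss plus lam times the alignment penalty. Minimising
    this pushes members toward accurate but non-overlapping saliencies."""
    losses = [loss_and_saliency(m, x, y)[0] for m in members]
    penalty = saliency_alignment(member_saliencies(members, x, y))
    return float(np.mean(losses) + lam * penalty)


def transfer_loss_increase(members, x, y, eps, src):
    """One FGSM-style step computed on member `src` only. Returns how much
    each member's loss rises under that perturbation: large values for
    members whose saliency is aligned with `src`, ~0 for orthogonal ones."""
    _, g = loss_and_saliency(members[src], x, y)
    x_adv = x + eps * np.sign(g)
    return [loss_and_saliency(m, x_adv, y)[0] - loss_and_saliency(m, x, y)[0]
            for m in members]


if __name__ == "__main__":
    aligned = [MEMBER_A, MEMBER_B]
    diverse = [MEMBER_A, MEMBER_C]
    print("alignment (A,B):", saliency_alignment(member_saliencies(aligned, SAMPLE_X, SAMPLE_Y)))
    print("alignment (A,C):", saliency_alignment(member_saliencies(diverse, SAMPLE_X, SAMPLE_Y)))
    print("objective (A,B), lam=1:", ensemble_objective(aligned, SAMPLE_X, SAMPLE_Y, 1.0))
    print("objective (A,C), lam=1:", ensemble_objective(diverse, SAMPLE_X, SAMPLE_Y, 1.0))
    print("loss increase per member, attack crafted on A:",
          transfer_loss_increase([MEMBER_A, MEMBER_B, MEMBER_C], SAMPLE_X, SAMPLE_Y, 0.5, 0))
```

Running the script shows the mechanism behind the abstract's claim: members A and B have an alignment of 1.0 and a perturbation computed on A alone raises B's loss even more than A's own, while member C, whose saliency is orthogonal, is untouched by the same perturbation. The penalty term therefore charges the aligned pair a full `lam` in the objective and the diverse pair nothing, which is the pressure a gradient-based trainer would use to pull member saliencies apart.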