Adversarial example attacks endanger mobile edge systems, such as vehicles and drones, that adopt deep neural networks for visual sensing. This paper presents Sardino, an active and dynamic defense approach that renews the inference ensemble at run time to develop security against the adaptive adversary who tries to exfiltrate the ensemble and construct the corresponding effective adversarial examples. By applying a consistency check and data fusion to the ensemble's predictions, Sardino can detect and thwart adversarial inputs. Compared with training-based ensemble renewal, we use HyperNet to achieve one million times acceleration and per-frame ensemble renewal, which presents the highest level of difficulty to the prerequisite exfiltration attacks. We design a run-time planner that maximizes the ensemble size in favor of security while maintaining the processing frame rate. Beyond adversarial examples, Sardino can also address the issue of out-of-distribution inputs effectively. This paper presents an extensive evaluation of Sardino's performance in counteracting adversarial examples and applies it to build a real-time car-borne traffic sign recognition system. Live on-road tests show the built system's effectiveness in maintaining frame rate and detecting out-of-distribution inputs caused by the false positives of a preceding YOLO-based traffic sign detector.
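
The sketch below is an added illustration, not Sardino's code, of the two run-time steps the abstract names: a planner that picks the largest ensemble size fitting the frame budget, and a consistency check with data fusion over the members' predictions. The abstract does not specify these details, so the linear cost model, the majority-agreement threshold, the averaging fusion and all function names are assumptions; HyperNet-based renewal is not modelled.

```python
from collections import Counter

def plan_ensemble_size(target_fps, fixed_ms, per_member_ms, max_size):
    """Largest ensemble size whose per-frame cost fits the frame budget.
    Assumed cost model: fixed_ms + n * per_member_ms (renewal plus inference)."""
    budget_ms = 1000.0 / target_fps
    n = int((budget_ms - fixed_ms) // per_member_ms)
    return max(0, min(n, max_size))

def argmax(vec):
    return max(range(len(vec)), key=vec.__getitem__)

def check_and_fuse(member_probs, min_agreement=0.8):
    """member_probs: one softmax vector per ensemble member, for one frame.
    Returns (label, fused); label is None when the frame is rejected as
    inconsistent (possible adversarial or out-of-distribution input)."""
    if not member_probs:
        raise ValueError("empty ensemble")
    n = len(member_probs)
    votes = [argmax(p) for p in member_probs]
    label, count = Counter(votes).most_common(1)[0]
    # Fusion (assumption): plain average of the members' class probabilities.
    fused = [sum(p[c] for p in member_probs) / n
             for c in range(len(member_probs[0]))]
    # Consistency (assumption): enough members agree AND the fused
    # distribution points at the same class as the majority vote.
    consistent = count / n >= min_agreement and argmax(fused) == label
    return (label if consistent else None), fused

# Constructed sample outputs for a 3-class problem, 5 ensemble members.
BENIGN = [[0.05, 0.05, 0.90], [0.10, 0.10, 0.80], [0.02, 0.08, 0.90],
          [0.10, 0.05, 0.85], [0.03, 0.07, 0.90]]
SUSPECT = [[0.60, 0.10, 0.30], [0.20, 0.10, 0.70], [0.30, 0.50, 0.20],
           [0.10, 0.20, 0.70], [0.55, 0.25, 0.20]]

if __name__ == "__main__":
    size = plan_ensemble_size(target_fps=30, fixed_ms=3.0,
                              per_member_ms=4.0, max_size=16)
    print("planned ensemble size:", size)
    print("benign frame :", check_and_fuse(BENIGN)[0])
    print("suspect frame:", check_and_fuse(SUSPECT)[0])
```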