Deep neural networks have been shown to suffer from critical vulnerabilities
under adversarial attacks. This phenomenon has stimulated the creation of
attack and defense strategies similar to those adopted in cyberspace security.
Because each side's strategy depends on the other's mechanisms, the algorithms
on both sides evolve as closely reciprocating processes. Defense strategies are
particularly passive in this cycle, and giving them more initiative can be an
effective way out of the arms race. Inspired by the dynamic defense approach in
cyberspace, this paper proposes stochastic ensemble smoothing, which builds on
the defense methods of randomized smoothing and model ensembling. The proposed
method treats network architecture and smoothing parameters as ensemble
attributes and dynamically changes the attribute-based ensemble model before
every inference request. This addresses the extreme transferability and
vulnerability of ensemble models under white-box attacks. Experimental
comparison of attack-success-rate (ASR) versus distortion curves under different
attack scenarios shows that even an attacker with the highest attack capability
cannot easily exceed the attack success rate associated with the ensemble
smoothed model, especially under untargeted attacks.
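The per-request attribute resampling the abstract describes, as an added illustration that is not the authors' code: a pool of constructed linear "architectures" stands in for real networks, and both the ensemble membership and the smoothing sigma are drawn anew before every prediction, so consecutive queries are answered by differently configured smoothed ensembles. The pool contents, sigma values and sample counts are made-up placeholders.

```python
import random
from collections import Counter

def linear_model(weights, biases):
    """Constructed stand-in for one network 'architecture': argmax of W x + b."""
    def predict(x):
        scores = [sum(w * xi for w, xi in zip(row, x)) + b
                  for row, b in zip(weights, biases)]
        return max(range(len(scores)), key=scores.__getitem__)
    return predict

def smoothed_votes(model, x, sigma, n_samples, rng):
    """Randomized smoothing: class votes of `model` over n Gaussian-perturbed copies of x."""
    votes = Counter()
    for _ in range(n_samples):
        votes[model([xi + rng.gauss(0.0, sigma) for xi in x])] += 1
    return votes

class StochasticEnsembleSmoother:
    """Ensemble whose attributes (member architectures, smoothing sigma) are re-drawn per request."""
    def __init__(self, model_pool, sigma_pool, ensemble_size, n_samples, seed=None):
        self.model_pool = list(model_pool)
        self.sigma_pool = list(sigma_pool)
        self.ensemble_size = ensemble_size
        self.n_samples = n_samples
        self.rng = random.Random(seed)

    def sample_attributes(self):
        """Pick which architectures form the ensemble and which sigma they smooth with."""
        members = tuple(sorted(self.rng.sample(range(len(self.model_pool)), self.ensemble_size)))
        return members, self.rng.choice(self.sigma_pool)

    def predict(self, x):
        """One inference request: resample attributes first, then majority-vote the smoothed members."""
        members, sigma = self.sample_attributes()
        total = Counter()
        for i in members:
            total += smoothed_votes(self.model_pool[i], x, sigma, self.n_samples, self.rng)
        return total.most_common(1)[0][0], (members, sigma)

# Constructed pool: four 2-feature, 2-class linear "architectures" that agree on clean inputs.
MODEL_POOL = [
    linear_model([[1.0, 0.0], [0.0, 1.0]], [0.0, 0.0]),
    linear_model([[1.0, -1.0], [-1.0, 1.0]], [0.0, 0.0]),
    linear_model([[2.0, 0.0], [0.0, 2.0]], [0.1, -0.1]),
    linear_model([[1.0, 0.5], [0.5, 1.0]], [0.0, 0.0]),
]
SIGMA_POOL = [0.1, 0.25, 0.5]  # smoothing noise levels the defender may draw from
```

Calling `predict` repeatedly on the same input returns the same label for well-separated points while the returned `(members, sigma)` attributes change between requests.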
Authors: Ruoxi Qin, Linyuan Wang, Xingyuan Chen, Xuehui Du, Bin Yan