Efficient Defenses Against Adversarial Attacks

Valentina Zantedeschi, Maria-Irina Nicolae, Ambrish Rawat

Introduction

Deep learning has proven its prowess across a wide range of computer vision applications, from visual recognition to image generation . Their rapid deployment in critical systems, like medical imaging, surveillance systems or security-sensitive applications, mandates that reliability and security are established a priori for deep learning models. Similarly to any computer-based system, deep learning models can potentially be attacked using all the standard methods (such as denial of service or spoofing attacks), and their protection only depends on the security measures deployed around the system. Additionally, DNNs have been shown to be sensitive to a threat specific to prediction models: adversarial examples. These are input samples which have deliberately been modified to produce a desired response by a model (often, misclassification or a specific incorrect prediction which would benefit the attacker).

Adversarial examples pose an asymmetric challenge with respect to attackers and defenders. An attacker aims to obtain his reward from a successful attack without raising suspicion. A defender on the other hand is driven towards developing strategies which can guard their models against all known attacks and ideally for all possible inputs. Furthermore, if one would try to prove that a model is indeed secure (that is, can withstand attacks yet to be designed), one would have to provide formal proof, say, through verification . This is a hard problem, as this type of methods does not scale to the number of parameters of a DNN. For all these reasons, finding defense strategies is hard.

Apart from the security aspects, adversarial examples for image classification have other peculiar properties. First and foremost, the imperceptible difference between adversarial and legitimate examples provides them with an effortless capacity of attack; this is only reinforced by the transferability of such samples across different models, allowing for black-box attacks. Moreover, the high confidence of misclassification proves that the model views adversarial samples as regular inputs. The potential damage of adversarial attacks is increased by the existence of such samples in the physical world : showing printed versions of adversarial images to a camera which will feed then to a DNN has the same effect as just presenting them to the model without passing through a physical support. Another intriguing property is that nonsensical inputs (e.g. crafted noise) are interpreted by the model as natural examples with high confidence . From the perspective of learning, these counterintuitive aspects are related to the more fundamental questions of what does a model learn and how well it is able to generalize . As a matter of fact, the mere existence of adversarial samples suggests that DNNs might be failing to extract concepts from the training set and that they would, instead, memorize it.

A good understanding of the weaknesses of deep learning models should bring to better attack strategies, and most importantly more effective defenses. While the cause is not completely understood to this day, multiple hypotheses have been suggested to explain their sensitivity to adversarial inputs. One of the first such hypothesis stated that the high complexity and non-linearity of neural networks can assign random labels in areas of the space which are under-explored. Moreover, these adversarial examples would be rare and would only exist in small regions of the space, similar to pockets. These theories have been refuted, since they are unable justify the transferability of adversarial samples from one model to another. Moreover, it has been shown that linear models also suffer from this phenomenon. Goodfellow et al. proposed a linearity hypothesis instead: deep neural networks are highly non-linear with respect to their parameters, but mostly linear with respect to their inputs, and adversarial examples are easy to encounter when exploring a direction orthogonal to a decision boundary. Another conjecture to explain the existence of adversarial examples is the cumulation of errors while propagating the perturbations from layer to layer. A small carefully crafted perturbation in the input layer may result in a much greater difference in the output layer, effect that is only magnified in high dimensional spaces, causing the activation of the wrong units in the upper layers.

In this paper, we make the following contributions:

We propose a two-fold defense method which is easy to setup and comes at almost no additional cost with respect to a standard training procedure. The method is designed to reinforce common weak points of deep networks and to smooth the decision functions. As a consequence, it is agnostic to the type of attack used to craft adversarial examples, making it effective in multiple settings. Figure 1 shows examples of clean images which are then perturbed with standard attacks. When the model uses the proposed defense, the perturbation necessary for misclassification is much larger, making the attack detectable and, in some cases, turning the images into nonsense.

We perform an extended experimental study, opposing an important number of attacks to the most effective defense methods available, alongside our proposed defense. We evaluate them according to multiple metrics and prove that accuracy by itself is not a sufficient score. We explore white-box and black-box attacks alike, to account for different adversarial capacities, as well as transferability of examples.

The rest of this document is structured as follows. Section 2 provides an overview of the existing attack and defense methods. Section 3 introduces the proposed defense method, followed by an extensive experimental study in Section 4. We conclude this paper in Section 5.

Related Work

where σ(.)\sigma(.) is the activation function, θj\theta_{j} and θj^\hat{\theta_{j}} are the parameters of layer FjF_{j} and xj1x_{j-1} is the output of the previous layer. The most popular activation function, and almost the only one that has been studied in an adversarial setting, is the Rectified Linear Unit, or RELU .

Although effective in producing adversarial examples, this attack is computationally expensive to the point where its usage is not practical. In the aim of speeding up the computation of adversarial examples, the attacking methods subsequently proposed all solve a first-order approximation of this original problem, which has a geometrical interpretation. The resulting perturbations are also effective in fooling the model, probably because commonly used deep architectures, such as the ones with piecewise linear RELU, are highly linear w.r.t. the input .

We now discuss the methods which have shaped the current state-of-the-art in adversarial attacks for deep neural networks. Any of the following attacks can be deployed in two ways: either by crafting the adversarial examples having knowledge of the architecture and the parameters of the attacked model (white-box attacks) or by crafting them using a similar model, plausible for the considered task, or a surrogate one as in Papernot et al. without exploiting any sensitive information (black-box attacks).

Attacks

One of the gradient-based methods is the Jacobian saliency map attack (JSMA) , which uses the derivative of the neural network with respect to the input image to compute the distortion iteratively. Each iteration, the pixel with the highest derivative is modified by a fixed value (the budget for the attack), followed by recomputing the saliency map, until the prediction has changed to a target class. The adversarial images produced by JSMA are subtle and effective for attacks, but they still require an excessive amount of time to compute.

The fast gradient sign method (FGSM) has been introduced as a computationally inexpensive, but effective alternative to JSMA. FGSM explores the gradient direction of the cost function and introduces a fixed amount of perturbation to maximize that cost. In practice, the examples produced by this attack are more easily detectable and require a bigger distortion to achieve misclassification than those obtained from JSMA. An iterative version of FGSM, where a smaller perturbation is applied multiple times, was introduced by Kurakin et al. .

Instead of using a fixed attack budget as for the last two methods, DeepFool was the first method to compute and apply the minimal perturbation necessary for misclassification under the L2L_{2} norm. The method performs iterative steps on the adversarial direction of the gradient provided by a locally linear approximation of the classifier. Doing so, the approximation is more accurate than FGSM and faster than JSMA, as all the pixels are simultaneously modified at each step of the method, but its iterative nature makes DeepFool computationally expensive. In , the authors extend DeepFool in order to craft a universal perturbation to be applied indifferently to any instance: a fixed distortion is computed from a set of inputs, allowing to maximize the predictive error of the model on that sample. The perturbation is computed by a greedy approach and needs multiple iterations over the given sample before converging. To the extent where the sample is representative to the data distribution, the computed perturbation has good chances of achieving misclassification on unseen samples as well.

One method aiming to compute good approximations of Problem (1) while keeping the computational cost of perturbing examples low has been proposed in Carlini and Wagner . The authors cast the formulation of Szegedy et al. into a more efficient optimization problem, which allows them to craft effective adversarial samples with low distortion. They define three similar targeted attacks, based on different distortion measures: L2L_{2}, L0L_{0} and LL_{\infty} respectively. In practice, even these attacks are computationally expensive.

If it is difficult to find new methods that are both effective in jeopardizing a model and computationally affordable, defending from adversarial attacks is even a harder task. On one hand, a good defense should harden a model to any known attack and, on the other hand, it should not compromise the discriminatory power of the model. In the following paragraph, we report the most effective defenses proposed for tackling adversarial examples.

Defenses

A common technique for defending a model from adversarial examples consists in augmenting the training data with perturbed examples (technique known as ‘adversarial training‘ ) by either feeding a model with both true and adversarial examples or learning it using the modified objective function:

with JJ the original loss function. The aim of such defense is to increase the model’s robustness in specific directions (of the adversarial perturbation) by ensuring that it will predict the same class for the true example and its perturbations along those directions. In practice, the additional instances are crafted for the considered model using one or multiple attack strategies, such as FGSM , DeepFool and virtual adversarial examples .

However, adversarially training a model is effective only on adversarial examples crafted on the original model, which is an improbable situation considering that an attacker might not have access to exactly the same model for computing the perturbations. Additionally, adversarial training has been proved to be easily bypassed through a two-step attack , which first applies a random perturbation to an instance and then performs any classical attack technique. The success of this new attack, and of black-box attacks in general, is due to the sharpness of the loss around the training examples: if smoothing the loss in few adversarial directions makes ineffective gradient-based attacks on those directions, it also makes the loss sharper in the other directions, leaving the model more vulnerable through new attacks.

Unlike adversarial training, a different family of defenses aims to increase the robustness of deep neural networks to adversarial examples independently of the attack. Among these attack-agnostic techniques, we find defensive distillation , which hardens the model in two steps: first, a classification model is trained and its softmax layer is smoothed by division with a constant TT; then, a second model is trained using the same inputs, but instead of feeding it the original labels, the probability vectors from the last layer of the first model are used as soft targets. The second model is then used for future deployment. The advantage of training the second model with this strategy is that it makes for a smoother loss function. It has been shown in Warde-Farley and Goodfellow that a similar behavior can be obtained at a cheaper cost by training a model using smoothed labels. This technique, called label smoothing, involves converting class labels into soft targets (value close to 1 for the target class and the rest of the weight distributed on the other classes) and use these new values for training the model instead of the true labels. As a consequence, one saves the needs to train an additional model as for defensive distillation.

Another model hardening technique is feature squeezing . Its reduces the complexity of the representation of the data so that the adversarial perturbations disappear due to low sensitivity. The authors propose two heuristics for dealing with images: reducing color depth on a pixel level, that is encoding the colors with less values, and using a smoothing filter over the image. As an effect, multiple inputs are mapped to the same value, making the model robust to noise and adversarial attacks. Although this has the collateral effect of worsening the accuracy of the model on true examples, to the best of our knowledge, feature squeezing is the most effective defense to adversarial attacks to date.

A different approach for protecting models against adversarial attacks are detection systems. To this end, a certain number of directions have been explored, such as performing statistical tests , using an additional model for detection or applying dropout at test time . However, with adversarial examples being relatively close to the original distribution of the data, it has been shown that many detection methods can be bypassed by attackers .

As we have described, defending against adversarial examples is not an easy task, and the existing defense methods are only able to increase model robustness in certain settings and to a limited extent. With these aspects in mind, we now move on to presenting the proposed defense method.

Efficient Defenses

In this section, we start by introducing the threat model we consider, before presenting the two aspects of our contribution.

Attackers can be formalized depending on their degree of knowledge, the ways in which they can tamper with the system, as well as the expected reward. For the purpose of our contribution, modeling the reward is not required. In this paper, we consider attackers that only have access to test data and, optionally, the trained model. They are thus unable to tamper with the training sample, unlike in other contexts, such as learning with malicious error . We address different settings, depending on the degree of knowledge of the adversary. The attacker can gain access to information about the learning algorithm, which can include only the architecture of the system or values of the parameters as well, the feature space and the data which was used for training. Of course, from the perspective of the attacker, the white-box setup is the most advantageous, making the crafting easier. A good defense method should be able to sustain the strongest type of attack achievable in practice. On the other hand, it has been shown that in some cases a black-box attack, when the attacker only has access to the input and output of the model, achieves better results than its white-box counterpart . We thus consider both black-box and white-box attacks when evaluating our method.

1 Bounded RELU

We now introduce the use of the bounded RELU (BRELU) activation function for hedging against the forward propagation of adversarial perturbation. Activation functions present in each node of a deep neural network amplify or dampen a signal depending on the magnitude of the input received. Traditional image classification models use Rectified Linear Units which are known to learn sparse representations for data , thereby easing the training process. Recall that a RELU operation squashes negative inputs to zero, while propagating all positive signals. Given the arrangement of nodes in a DNN, inputs received by a node in one layer depend on the outputs of the nodes from the previous layers of the architecture. Naturally, with unbounded units like RELU, a small perturbation in the input signal can accumulate over layers as a signal propagates forward through the network. For an adversarial perturbation, this can potentially lead to a significant change in the output signal for an incorrect class label. This would be further amplified by the softmax operation in the final layer of a classification network. To curtail this phenomenon, we propose the use of the bounded RELU activation function, defined as follows:

The parameter tt defines the cut-off point where the function saturates. In practice, it should be set with respect to the range of the inputs. Notice that a value too small for tt would prevent the forward propagation of the input in the network, reducing the capacity of the model to perform well. On the other hand, too big a value will perpetuate the same behavior as RELU.

To theoretically prove the interest of this simple modification in the architecture, we compare the additive stabilities of a neural network with RELU activations against BRELU activations, following Szegedy et al. . For a model using RELU, the output difference between an original point and its perturbation can be upper bounded as follows

with M=j=1LMjM=\prod_{j=1}^{L}M_{j} the product of the Lipschitz constants of each layer. On the contrary, the output difference in a model with BRELU has a tighter bound for a small enough tt and, most importantly, a bound independent from the learned parameters of the layers:

Employing BRELU activation functions, then, improves the stability of the network.

2 Gaussian Data Augmentation

The intuition behind data augmentation defenses such as adversarial training is that constraining the model to make the same prediction for a true instance and its slightly perturbed version should increase its generalization capabilities. Although adversarial training enhances the model’s robustness to white-box attacks, it fails to protect effectively from black-box attacks . This is because the model is strengthened only in few directions (usually, one per input sample), letting it be easily fooled in all the other directions. Moreover, there is no mechanism for preventing the model from making confident decisions for uncertain regions, i.e. parts of the input space not represented by the data samples. Instead, augmenting the training set with examples perturbed using Gaussian noise, as we propose in this paper, on one hand allows to explore multiple directions and, on the other, smooths the model confidence. While the former property can be achieved through any kind of noise (e.g. uniform noise), the latter is peculiar to using a Gaussian distribution for the perturbations: the model is encouraged to gradually decrease its confidence moving away from an input point.

We thus propose a new formulation of the problem of learning classifiers robust to adversarial examples:

where σ\sigma indicatively corresponds to the acceptable non-perceivable perturbation. The aim is to enforce the posterior distribution p(yx)p(y|x) to follow N(x,σ2)\mathcal{N}(x,\sigma^{2}). This formulation differs from in considering all possible local perturbations (and not only the one with the maximal threatening power) and in weighing them with respect to their magnitude.

In the rest of the paper, we will solve a Monte Carlo approximation of the solution of the previous problem, by sampling NN perturbations per instance from N(0,σ2)\mathcal{N}(0,\sigma^{2}):

To prove the benefits of the proposed Gaussian data augmentation (GDA) on the robustness of a model, we carry out a study on the classification boundaries and the confidence levels of a simple multi-layer network trained on two toy datasets augmented through different techniques. In the first dataset (Figure 2(a)), the two classes are placed as concentric circles, one class inside the other. The second dataset (Figure 2(b)) is the classic example of two half-moons, each representing one class. For each original point xx of a dataset, we add one of the following artificial points x{x}^{\prime} (all of them clipped into the input domain):

Adversarial example crafted with Fast Gradient Sign Method with L2L_{2}-norm and ϵ=0.3\epsilon=0.3;

Virtual adversarial example (VAT) with ϵ=0.3\epsilon=0.3;

Adversarial example crafted with Jacobian Saliency Method with feature adjustment θ=0.1\theta=0.1;

Perturbed example drawn from the Uniform distribution centered in xx (xU(x){x}^{\prime}\sim\mathcal{U}(x));

Perturbed example drawn from a Gaussian distribution centered in xx, with standard deviation σ=0.3\sigma=0.3 (xN(x,σ2){x}^{\prime}\sim\mathcal{N}(x,\sigma^{2})).

GDA helps smoothing the model confidence without affecting the accuracy on the true examples (sometimes even improving it), as shown in Figure 2. Notice how the change in the value of the loss function is smoother for GDA than for the other defense methods. We also compare against augmentation with uniformly generated random noise, as was previously done in . In this case as well, the GDA makes up for smoother variations.

These experiments confirm that, even though perturbing the true instances with random noise does not produce successful attacks , it is highly effective when deployed as a defense. Moreover, from a computational point of view, this new technique comes at practically no cost: the model does not require retraining, as opposed to adversarial training or defensive distillation, and drawing points from a Gaussian distribution is considerably cheaper than crafting adversarial examples.

Experiments

In this section, we discuss the experiments conducted for a closer look at the proposed defense methods, and contrast their performance against other defenses under multiple attacks. Following a brief description of the experimental protocol, we detail the results obtained for an extensive class of setups. The various settings and evaluation metrics are motivated to acquire better insights into the workings of adversarial misclassification and into the robustness of methods.

Our experiments are performed on two standard machine learning datasets: MNIST and CIFAR10 . MNIST contains 70,000 samples of black and white 28×\times28 images, divided into 60,000 training samples and 10,000 test samples. Each pixel value is scaled between 0 and 1, and the digits are the 10 possible classes. CIFAR10 contains 60,000 images of size 32×\times32 with three color channels, their values also scaled between 0 and 1. The dataset is split into 50,000 training images and 10,000 test ones, all from 10 classes. We consider two types of network architectures: simple convolutional neural nets (CNN) and convolutional neural nets with residuals (ResNet) . The CNN is structured as follows: Conv2D(64, 8×\times8) – Conv2D(128, 6×\times6) – Conv2D(128, 5×\times5) – Softmax(10). The ResNet has the following layers with an identity short-cut between layer 22 and 66: Conv2D(64, 8×\times8) – Conv2D(128, 6×\times6) – Conv2D(64, 1×\times1) – Conv2D(64, 1×\times1) – Conv2D(128, 1×\times1) – MaxPooling(3×\times3) – Softmax(10). For both models, the activation function used is RELU, except when specified otherwise.

Methods

We use the following attacks to craft adversarial examples, in view of comparing the respective capacities of defense models:

Fast Gradient Sign Method (FGSM) with distortion size ϵ\epsilon ranging from 0.01 to 1, or with an iterative strategy determining the minimal perturbation necessary to change predictions;

FGSM applied after a preliminary step of adding Gaussian noise (within a range of α=0.05\alpha=0.05); the random noise applied in the first step is deducted from the budget of the FGSM attack; we call this heuristic Random + FGSM;

Jacobian Saliency Map Attack (JSMA) with the default parameters from the authors’ code: γ=1\gamma=1, θ=0.1\theta=0.1;

DeepFool with a maximum of 100 iterations;

The L2L_{2} attack from Carlini and Wagner (called C&W) with the default parameters from the authors’ code and a confidence level of 2.3.

We compare the following defense methods:

Feature squeezing (FS), reducing the color depth to 1 bit for MNIST and 3 bits for CIFAR10, as the authors suggested in Xu et al. ;

Label smoothing (LS), with the weight of the true label set to 0.90.9;

Adversarial training (AT) with examples crafted using FGSM with ϵ=0.3\epsilon=0.3 for MNIST and ϵ=0.05\epsilon=0.05 for CIFAR10;

Virtual adversarial training (VAT) with ϵ=2.1\epsilon=2.1 as indicated in Miyato et al. ;

Gaussian Data Augmentation generating ten noisy samples for each original one, with standard deviation σ=0.3\sigma=0.3 for MNIST and σ=0.05\sigma=0.05 for CIFAR10; when BRELU (t=1t=1) is used as activation function, we call this method GDA + BRELU, otherwise GDA + RELU.

Notice that we do not compare directly against defensive distillation, but consider label smoothing instead, for the reasons given in Section 2.

Measuring defense efficiency

Most experimental studies evaluate the performance of defense strategies on the basis of their effect on classification accuracy. However, we believe it is also vital to measure the robustness of the obtained models to an attack , for instance by quantifying the average distortion introduced during adversarial generation. These metrics provide better insights into the local behavior of defenses. We compute three such metrics in our experiments: the empirical robustness (as measured by minimal perturbation), the distance to the training set and the loss sensitivity to pertubations. For a model FF, the robustness is defined as:

where Δx\Delta x amounts to the perturbation that is required for an instance xx in order for the model FF to change its prediction under a certain attack. Intuitively, robust defenses require larger perturbations before the prediction changes. We estimate robustness by its empirical value computed on the available sample.

Training set distance offers a complementary viewpoint to robustness. In its attempt to quantify the dissimilarity between two sets, namely training data and adversarial images, this metric measures the average nearest-neighbour distance between samples from the two sets. Consequently, a larger value of this metric for adversarial images obtained by minimal perturbation supports the robustness of a defense strategy. Furthermore, this metric could also serve as a detection tool for adversarial attacks.

2 Comparison Between Architectures

In this experiment, we aim to show the impact of the type of deep network architecture against adversarial attacks. Namely, we compare CNN against ResNet, and RELU against BRELU activations respectively, under attacks crafted with FGSM. As a matter of fact, we would like to reject the hypothesis of vanishing units, for which the misclassification of the adversarial examples would be caused by the deactivation of specific units and not by the activation of the wrong ones. If that was the case, (i) getting residuals from the previous layers as in ResNet would result in higher robustness and (ii) using BRELU activation functions would decrease the performances of the model on adversarial examples. However, as Figure 3 shows, ResNet does not sustain attacks better than CNN, suggesting that the accumulation of errors through the neural network is the main cause of misclassification. Notice that CNN + BRELU performs best for a distortion of up to ϵ=0.3\epsilon=0.3, which has been suggested to be the highest value for which an FGSM attack might be undetectable.

We now analyze the same architectures for adversarial samples transferability: attacks crafted on each architecture with FGSM are applied to all the models (see Table 1). When the source and the target are the same, this makes for a white-box attack; otherwise, it is equivalent to a black-box setting. As is expected, each architecture is most fooled by its own adversarial examples. Additionally, ResNet is overall more affected by adversarial examples transferred from different architectures, while the CNN retains an accuracy higher than 90% in all black-box attacks, even when the only change in the architecture is replacing RELU with BRELU. This makes the case once more for noise accumulation over the layer rendering models vulnerable to adversarial samples. Considering the results of the ResNet model, we perform the remaining experiments only on the simple CNN architecture.

3 Impact of the Attack Distortion

We now study the impact of the attack distortion on the CNN model trained with different defenses. To this end, we use FGSM and Random + FGSM as attacks and plot the results in Figures 4 and 5. Note that for CIFAR10, we only show the results for 0ϵ0.30\leq\epsilon\leq 0.3, as for bigger values, the accuracies are almost constant. The first observation is that label smoothing not only fails to strengthen the model in both setups, but it even worsens its robustness to adversarial attacks. Also, adversarial training seems ineffective even against white-box attacks, contrary to the observations in . The result is not surprising, as the model is enforced on specific directions and probably loses its generalization capabilities. We explain this only apparent contradiction by pointing out the difference in the definitions of a white-box attack: for , white-box adversarial means examples crafted on the original model, without defenses; for us, they are crafted on the model trained through adversarial training. For MNIST, the three defenses that consistently perform the best are feature squeezing, virtual adversarial training and Gaussian data augmentation. However, if we focus on the results for ϵ<0.3\epsilon<0.3 (which are the most significant, as big perturbations are easily detectable and result in rubbish examples), VAT is not as effective as the other two methods. On CIFAR10, small perturbations easily compromise the accuracy of the models even when defended by the methods the most efficient on MNIST, notably feature squeezing and virtual adversarial training. Moreover, using these last two defenses seems to degrade the performances on true examples and to fail in strengthening the model from black-box and white-box attacks alike.

In conclusion, our defenses outperform state-of-the-art strategies in terms of accuracy on these two datasets.

4 Defense Performance under Multiple Metrics

As discussed previously, the accuracy is not a sufficient measure for evaluating the performance of a model, especially in the case of adversarial samples: an attack might make for an incorrect prediction with respect to the original label in most cases, but if the adversarial examples cannot be mistaken as legitimate inputs, the attack is arguably not effective. For this reason, we propose to evaluate the robustness of defenses, as well as the shift of adversarial examples with respect to the clean data distribution. The adversarial examples are crafted incrementally using FGSM with small perturbations, and the algorithm stops when the prediction changes. The results in Table 2 show that GDA with RELU as activation function performs best in terms of accuracy, being on a par with VAT. The robustness indicates the average amount of minimal perturbation necessary to achieve misclassification. This measure proves that both versions of the proposed defense yield a more robust model, potentially making the adversarial examples visually detectable. It is interesting to notice that feature squeezing and label smoothing actually decrease the robustness of the model. The last column in the table measures the average (Euclidean) distance of adversarial samples to the closest training point: a higher values indicates a larger shift between the two distributions. Here as well, GDA with both setups obtains much better results than the other defenses. Coupled with the robustness results, this metric confirms that one cannot have resistance to adversarial samples without an overall robustness of models, which calls for generic model reinforcement methods like the one proposed in this paper. Table 3 presents the measure of the sensitivity of the loss function under small variations for all studied defense methods. Gaussian augmentation provides the smoothest model with the RELU activation. Notice that feature squeezing and label smoothing both induce higher gradients in the model, while the other defenses enforce a level of smoothness close to the one of the original unprotected model.

5 Transferability of Adversarial Samples

We now compare the performance of the proposed method against other defenses in a black-box setting, to account for the adversarial examples transferability phenomenon. To this end, all adversarial examples are crafted on the ResNet model described previously, before being applied to the CNN model trained with each of the defense methods. In the case of the FGSM attack, ϵ\epsilon is set to 0.1. Tables 4 and 5 present the classification accuracy obtained by the models. The first line is the baseline, that is the CNN with no defense. For our method, we consider GDA both with and without the use of BRELU. On MNIST, our methods outperform the other defenses in most cases. Namely, notice that they obtain the best performance under FGSM, VAT, DeepFool, JSMA and C&W attacks; this difference is significant for FGSM, DeepFool and C&W. Random + FGSM has been shown to be a stronger attack than one-step attacks; this is confirmed by the poor performance of all defenses, except for feature squeezing. An interesting fact is that using label smoothing degrades the performance of the model under the Random + FGSM attack when compared to the CNN with no defense. On CIFAR10, our methods consistently make the model more robust than the other defenses.

Conclusion

Despite their widespread adoption, deep learning models are victims of uninterpretable and counterintuitive behavior. While numerous hypotheses compete to provide an explanation for adversarial samples, their root cause still remains largely unknown. The quest of understanding this phenomenon has turned into an arms race of attack and defense strategies. Along with the drive for efficient and better attacks, there is a parallel hunt for effective defenses which can guard against them. Given this large ammo of strategies, practitioners are faced with a dire need for attack-agnostic defense schemes which can be easily employed at their end.

This work proposed two such strategies which, used separately or combined, improve the robustness of a deep model. We built on two intuitive hypotheses of error accumulation and smoothness assumption, and proposed to impose two constraints: first, on the architecture in the form of the bounded RELU activations, and second, in the form of training with Gaussian augmented data. We demonstrated the utility of this combined approach against the state-of-art attacks. Compared to adversarial training based on an attack, our defense has the major advantage of being computationally inexpensive; first, it only requires training one model, and second, Gaussian noise has much lower computational cost than crafting adversarial examples. The latter property allows us to explore a larger set of directions around each input than adversarial training. The overall effect is obtaining a smoother, more stable model, which is able to sustain a wide range of adversarial attacks. As we have shown in the experimental section, we achieve this without compromising on the original classification performance on clean input.

References