DyAdvDefender: An instance-based online machine learning model for perturbation-trial-based black-box adversarial defense

Recent research indicates that machine learning models are vulnerable to adversarial samples that are slightly perturbed versions of natural samples. Adversarial samples can be crafted in white-box or black-box scenario. In the black-box scenario adversaries possess no knowledge of the detailed architecture and parameters of the model they attack, and they seek information by querying the model with multiple, slightly perturbed samples to achieve their attack purpose. The difficulty in recognizing adversarial samples arises from the fact that the perturbations are often imperceptible, yet effective in misleading machine learning models. Existing defense methods are static, and they cannot dynamically evolve to adapt to adversarial attacks, which unnecessarily disadvantages them. In this paper we propose a novel dynamic defense method called DyAdvDefender, and we show that a dynamic defense method can effectively utilize previous experience to defend against black-box attacks. Extensive experimental results suggest that DyAdvDefender outperforms existing static methods in terms of defense effectiveness while keeping the original classification accuracy with only limited extra time consumption. Crown Copyright (c) 2022 Published by Elsevier Inc. All rights reserved.

Automated summary

Recent research shows that machine learning models are susceptible to attacks from slightly perturbed adversarial samples. These attacks can be carried out in white-box or black-box scenarios. Existing defense methods are static and cannot adapt to adversarial attacks. This paper introduces a novel dynamic defense method called DyAdvDefender, which effectively utilizes previous experience to defend against black-box attacks.