Adversarial example attacks pose significant threats to the integrity and reliability of machine learning systems. Input transformation ensembles have emerged as a promising defense strategy to mitigate such attacks. However, a thorough evaluation of using this approach against well-known state-of-the-art attacks has not been performed. It is unclear whether employing a large barrage of randomly combined input transformations ensures a robust defense against specific adversarial example attacks. To answer these questions, in this paper, we evaluated the efficacy of 33 various input transformation techniques, both individually and as ensembles, in enhancing the robustness of neural networks against adversarial examples. Our findings indicate that the approach of using randomly combined input transformations, such as 5 of them as suggested by the authors of BaRT [20] paper, does not consistently provide robust defense against strong attacks. As an improvement, we identified combinations that only use three strong input transformations but can still provide a resilient and computationally cost efficient defense.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Evaluating Input Transformation Ensembles Against Adversarial Attacks

  • Changwei Liu,
  • Louis DiValentin,
  • Aolin Ding,
  • Malek Ben Salem

摘要

Adversarial example attacks pose significant threats to the integrity and reliability of machine learning systems. Input transformation ensembles have emerged as a promising defense strategy to mitigate such attacks. However, a thorough evaluation of using this approach against well-known state-of-the-art attacks has not been performed. It is unclear whether employing a large barrage of randomly combined input transformations ensures a robust defense against specific adversarial example attacks. To answer these questions, in this paper, we evaluated the efficacy of 33 various input transformation techniques, both individually and as ensembles, in enhancing the robustness of neural networks against adversarial examples. Our findings indicate that the approach of using randomly combined input transformations, such as 5 of them as suggested by the authors of BaRT [20] paper, does not consistently provide robust defense against strong attacks. As an improvement, we identified combinations that only use three strong input transformations but can still provide a resilient and computationally cost efficient defense.