K-Anonymity inspired adversarial attack and multiple one-class classification defense.
Neural Networks (IF 7.8), Pub Date: 2020-02-06, DOI: 10.1016/j.neunet.2020.01.015
Vasileios Mygdalis 1 , Anastasios Tefas 1 , Ioannis Pitas 1
A novel adversarial attack methodology for fooling deep neural network classifiers in image classification tasks is proposed, along with a novel defense mechanism to counter such attacks. Two concepts are introduced, namely the K-Anonymity-inspired Adversarial Attack (K-A3) and the Multiple Support Vector Data Description Defense (M-SVDD-D). K-A3 adds novel optimization criteria, inspired by the K-Anonymity principles, to standard adversarial attack methodologies: the adversarial examples it generates are not only misclassified by the neural network classifier, but are uniformly spread along K different ranked output positions. M-SVDD-D consists of a layer of multiple non-linear one-class classifiers based on Support Vector Data Description, which can replace the final linear classification layer of a deep neural architecture, together with an additional class verification mechanism. Applying it decreases the effectiveness of adversarial attacks, because the introduced non-linearity increases the noise energy required to deceive the protected model. In addition, M-SVDD-D can be used to prevent adversarial attacks in black-box attack settings.
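The two ideas in the abstract, worked through on a hand-built toy model. This is an added example, not the authors' code: it assumes a linear softmax head W x + b with orthogonal rows (standing in for the "final linear classification layer"), a constructed clean input of class 0, and a fixed centre and radius per class as a simplified stand-in for the trained SVDD one-class classifiers. The rank-target criterion is interpreted here as "place the true class at exactly rank r" for r = 2..K+1; for a linear head the minimum-norm input change realising a chosen logit change has a closed form, whereas on a deep network the same criterion would be optimised by gradient steps. The "verified prediction" accepts a class only when its one-class classifier accepts the input, and the last function gives the noise energy an attacker must spend to be accepted as another class by the sphere head.

```python
"""Toy illustration of K-A3-style rank spreading and an SVDD-like verified head.

Constructed example, not the paper's code. The model, input, centres and
radii below are all hand-chosen so the results can be checked by hand.
"""
import numpy as np

# Constructed linear head: 4 classes, 6 features, zero bias, orthogonal rows.
W = np.array([
    [1.0, 0.0, 0.0, 0.0, 1.0, 0.0],
    [0.0, 1.0, 0.0, 0.0, 0.0, 1.0],
    [0.0, 0.0, 1.0, 0.0, 0.0, 0.0],
    [0.0, 0.0, 0.0, 1.0, 0.0, 0.0],
])
B = np.zeros(4)

# Constructed clean input of class 0: logits W @ X_CLEAN = [3, 1, 0.5, -0.5].
X_CLEAN = np.array([3.0, 1.0, 0.5, -0.5, 0.0, 0.0])
Y_TRUE = 0

# Constructed one-class stand-ins: one hypersphere (centre, radius) per class.
# A trained SVDD would learn these (and could use a kernel); here they are fixed.
CENTRES = np.array([
    [3.0, 1.0, 0.5, -0.5, 0.0, 0.0],
    [0.0, 3.0, 0.0, 0.0, 0.0, 0.0],
    [0.0, 0.0, 3.0, 0.0, 0.0, 0.0],
    [0.0, 0.0, 0.0, 3.0, 0.0, 0.0],
])
RADII = np.array([1.0, 1.0, 1.0, 1.0])


def logits(x):
    return W @ x + B


def rank_of(z, c):
    """1-based rank of class c in logit vector z (1 = top scoring class)."""
    return int(np.sum(z > z[c])) + 1


def rank_target_attack(x, y, target_rank, gap=0.5):
    """Minimum-norm input change that moves class y to exactly target_rank.

    Only the logit of y is altered: it is placed halfway between the
    competitors that must end up directly above and below it (or `gap`
    beyond the extreme competitor for rank 1 / last). For a linear head
    the least-norm input change producing a logit change dz is
    delta = W^T (W W^T)^{-1} dz. Returns (x_adv, ||delta||_2).
    """
    z = logits(x)
    others = np.sort(np.delete(z, y))[::-1]       # competitor logits, descending
    n = len(z)
    if target_rank == 1:
        new_zy = others[0] + gap
    elif target_rank == n:
        new_zy = others[-1] - gap
    else:
        new_zy = (others[target_rank - 2] + others[target_rank - 1]) / 2.0
    dz = np.zeros(n)
    dz[y] = new_zy - z[y]
    delta = W.T @ np.linalg.solve(W @ W.T, dz)
    return x + delta, float(np.linalg.norm(delta))


def k_anonymity_attack(x, y, k):
    """K adversarial examples whose true class lands at ranks 2, 3, ..., k+1."""
    return [rank_target_attack(x, y, r) for r in range(2, k + 2)]


def sphere_scores(x):
    """Per-class one-class score: non-negative iff x lies inside that class's sphere."""
    return RADII - np.linalg.norm(CENTRES - x, axis=1)


def verified_predict(x):
    """Replacement head: the best one-class score wins, but only if that
    classifier accepts x. Returns the class index, or None if nothing verifies."""
    s = sphere_scores(x)
    c = int(np.argmax(s))
    return c if s[c] >= 0 else None


def min_energy_to_enter(x, target):
    """Smallest L2 move from x into the target class's sphere: a lower bound
    on the noise energy needed to be accepted as `target` by the sphere head."""
    return float(np.linalg.norm(CENTRES[target] - x) - RADII[target])


if __name__ == "__main__":
    for x_adv, energy in k_anonymity_attack(X_CLEAN, Y_TRUE, 3):
        z = logits(x_adv)
        print(f"linear head: true class at rank {rank_of(z, Y_TRUE)}, "
              f"||delta|| = {energy:.3f}, verified sphere head -> {verified_predict(x_adv)}")
    cheapest = min(min_energy_to_enter(X_CLEAN, t) for t in range(1, 4))
    print(f"cheapest accepted misclassification under the sphere head needs ||delta|| >= {cheapest:.3f}")
```

On this toy model the three perturbations cost about 1.59, 2.12 and 2.83 in L2 norm and place the true class at ranks 2, 3 and 4 of the linear head, while every one of them is rejected by the verified sphere head; the cheapest way to be accepted as another class by that head costs about 2.67, more than the 1.59 that already flips the linear head's top prediction. The numbers are specific to the constructed model; the point they illustrate is the abstract's claim that the non-linear one-class head raises the noise energy an attack must spend.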

Updated: 2020-02-06