Machine learning through cryptographic glasses: combating adversarial attacks by key-based diversified aggregation.
EURASIP Journal on Information Security (IF 2.5). Pub Date: 2020-06-01, DOI: 10.1186/s13635-020-00106-x
Olga Taran, Shideh Rezaeifar, Taras Holotyak, Slava Voloshynovskiy
In recent years, classification techniques based on deep neural networks (DNN) have been widely used in many fields such as computer vision, natural language processing, and self-driving cars. However, the vulnerability of DNN-based classification systems to adversarial attacks calls their usage in many critical applications into question. Therefore, the development of robust DNN-based classifiers is a critical point for the future deployment of these methods. No less important is an understanding of the mechanisms behind this vulnerability. Additionally, it is not completely clear how to link machine learning with cryptography to create an information advantage of the defender over the attacker. In this paper, we propose a key-based diversified aggregation (KDA) mechanism as a defense strategy in gray- and black-box scenarios. KDA assumes that the attacker (i) knows the architecture of the classifier and the defense strategy used, (ii) has access to the training data set, but (iii) does not know the secret key and does not have access to the internal states of the system. The robustness of the system is achieved by a specially designed key-based randomization. The proposed randomization prevents the back-propagation of gradients and restricts the attacker's ability to create a “bypass” system. The randomization is performed simultaneously in several channels. Each channel introduces its own randomization in a special transform domain. The sharing of a secret key between the training and test stages creates an information advantage for the defender. Finally, the aggregation of soft outputs from each channel stabilizes the results and increases the reliability of the final score.
The experimental evaluation demonstrates the high robustness and universality of KDA against state-of-the-art gradient-based gray-box transferability attacks and non-gradient-based black-box attacks. (The results reported in this paper have been partially presented at CVPR 2019 (Taran et al., Defending against adversarial attacks by randomized diversification, 2019) and ICIP 2019 (Taran et al., Robustification of deep net classifiers by key-based diversified aggregation with pre-filtering, 2019).)
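As an added illustration (not the authors' code), the pipeline the abstract sketches in toy form: each channel flips the signs of a key-selected subset of transform coefficients before a per-channel classifier, and the channels' soft outputs are averaged; `representation_gap` measures how far an attacker who rebuilds the pipeline with a guessed key is from what the defender's channels actually see. The transform (a 1-D orthonormal DCT), the sign-flipping, the hash-based per-channel key derivation, the nearest-centroid stand-in for the DNN, and all function names, sample data and the key value are assumptions made here for illustration.

```python
import hashlib, math, random

def channel_seed(key: bytes, channel: int) -> int:
    # Assumed per-channel key derivation: hash the shared secret with the channel index.
    return int.from_bytes(hashlib.sha256(key + bytes([channel])).digest()[:8], "big")

def dct(x, inverse=False):
    # Orthonormal 1-D DCT-II and its inverse (the transpose); toy stand-in for the image transform.
    n = len(x)
    m = [[math.sqrt((1 if k == 0 else 2) / n) * math.cos(math.pi * (i + 0.5) * k / n)
          for i in range(n)] for k in range(n)]
    rows = zip(*m) if inverse else m
    return [sum(a * b for a, b in zip(row, x)) for row in rows]

def diversify(x, key, channel, fraction=0.5):
    # One channel's key-based randomization: flip the sign of a key-selected subset of
    # coefficients (subset size is an assumption). Orthogonal, so distances are preserved.
    rng = random.Random(channel_seed(key, channel))
    c = dct(x)
    for i in rng.sample(range(len(c)), int(fraction * len(c))):
        c[i] = -c[i]
    return dct(c, inverse=True)

def train(samples, key, channels):
    # Per channel, a nearest-centroid classifier fitted on data diversified with the same key
    # (stand-in for the per-channel DNN; the key is what training and test stages share).
    return [{label: [sum(col) / len(xs) for col in zip(*(diversify(x, key, ch) for x in xs))]
             for label, xs in samples.items()} for ch in range(channels)]

def soft_scores(model, v):
    # Soft output of one channel: softmax over negative squared distances to the centroids.
    s = {l: -sum((a - b) ** 2 for a, b in zip(v, c)) for l, c in model.items()}
    e = {l: math.exp(t - max(s.values())) for l, t in s.items()}
    return {l: e[l] / sum(e.values()) for l in e}

def classify(models, x, key):
    # Test stage: diversify the input with the shared key in each channel, average soft outputs.
    agg = {}
    for ch, model in enumerate(models):
        for l, p in soft_scores(model, diversify(x, key, ch)).items():
            agg[l] = agg.get(l, 0.0) + p / len(models)
    return max(agg, key=agg.get), agg

def representation_gap(x, key_a, key_b, channels):
    # Mean squared gap between the defender's channel inputs (key_a) and an attacker's copy
    # of the pipeline run with a guessed key (key_b): zero only if the key is known.
    return sum(sum((a - b) ** 2 for a, b in zip(diversify(x, key_a, ch), diversify(x, key_b, ch)))
               for ch in range(channels)) / channels

# Constructed toy data: two classes of 8-dimensional signals, and a placeholder secret key.
SAMPLES = {"A": [[1, 1, 0, 0, 0, 0, 0, 0], [0.9, 1.1, 0, 0, 0, 0, 0, 0]],
           "B": [[0, 0, 0, 0, 0, 0, 1, 1], [0, 0, 0, 0, 0, 0, 1.1, 0.9]]}
KEY = b"defender-secret-key"
```

Because each channel's randomization is orthogonal and identical at training and test time, the classifier with the correct key is unaffected, while a surrogate built with any other key operates on different inputs.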

Updated: 2020-06-01