Dynamic Defense Approach for Adversarial Robustness in Deep Neural Networks via Stochastic Ensemble Smoothed Model
arXiv - CS - Computer Vision and Pattern Recognition. Pub Date: 2021-05-06, DOI: arxiv-2105.02803
Ruoxi Qin, Linyuan Wang, Xingyuan Chen, Xuehui Du, Bin Yan

Deep neural networks have been shown to suffer from critical vulnerabilities under adversarial attacks. This phenomenon has stimulated the creation of attack and defense strategies similar to those adopted in cyberspace security. Because each side's strategy depends on the other's mechanism, the algorithms on both sides evolve as closely reciprocating processes. The defense strategies are particularly passive in these processes, and enhancing their initiative can be an effective way out of this arms race. Inspired by the dynamic defense approach in cyberspace, this paper builds upon stochastic ensemble smoothing, which combines the defense methods of randomized smoothing and model ensembling. The proposed method employs network architecture and smoothing parameters as ensemble attributes, and dynamically changes the attribute-based ensemble model before every inference prediction request. The proposed method addresses the extreme transferability and vulnerability of ensemble models under white-box attacks. Experimental comparison of ASR-vs-distortion curves under different attack scenarios shows that even the attacker with the highest attack capability cannot easily exceed the attack success rate associated with the ensemble smoothed model, especially under untargeted attacks.
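As an added illustration of the inference-time mechanism described above (example code, not the paper's implementation), the sketch below re-samples the ensemble attributes, here the subset of architectures and the smoothing sigma, before every prediction request and then aggregates randomized-smoothing votes. Toy linear classifiers stand in for the paper's network architectures, and the sigma values and model zoo are constructed assumptions.

```python
import numpy as np

NUM_CLASSES = 2
SIGMAS = (0.1, 0.25, 0.5)   # candidate smoothing parameters (assumed values)

def _linear_clf(w):
    """Toy stand-in for a network architecture: label = [w . x > 0]."""
    w = np.asarray(w, dtype=float)
    return lambda batch: (batch @ w > 0).astype(int)

# Constructed model zoo; in the paper these are distinct network architectures.
MODEL_ZOO = {
    "arch_a": _linear_clf([1.0, 0.0]),
    "arch_b": _linear_clf([0.0, 1.0]),
    "arch_c": _linear_clf([1.0, 1.0]),
}

def sample_ensemble_attributes(rng, k=2):
    """Draw the ensemble attributes (k architectures + one sigma) afresh for a request."""
    archs = sorted(rng.choice(list(MODEL_ZOO), size=k, replace=False).tolist())
    sigma = float(rng.choice(SIGMAS))
    return tuple(archs), sigma

def smoothed_counts(model, x, sigma, n_samples, rng):
    """Randomized smoothing: class votes of `model` over Gaussian-perturbed copies of x."""
    noisy = x + rng.normal(0.0, sigma, size=(n_samples, x.shape[0]))
    return np.bincount(model(noisy), minlength=NUM_CLASSES)

def dynamic_predict(x, rng, k=2, n_samples=64):
    """One inference request: re-sample attributes, then sum the smoothed votes.

    Because the attacker cannot know which (archs, sigma) will serve the next
    request, a perturbation tuned against one configuration may not transfer.
    """
    archs, sigma = sample_ensemble_attributes(rng, k)
    counts = np.zeros(NUM_CLASSES, dtype=int)
    for name in archs:
        counts += smoothed_counts(MODEL_ZOO[name], x, sigma, n_samples, rng)
    return int(np.argmax(counts)), archs, sigma

def predict_point(x, seed):
    """Convenience wrapper returning plain Python values (label, archs, sigma)."""
    rng = np.random.default_rng(seed)
    return dynamic_predict(np.asarray(x, dtype=float), rng)

def attribute_diversity(seed, n_requests=20):
    """Number of distinct (archs, sigma) configurations seen over n successive requests."""
    rng = np.random.default_rng(seed)
    return len({sample_ensemble_attributes(rng) for _ in range(n_requests)})
```

Points far from every toy decision boundary are classified consistently regardless of the configuration drawn, while successive requests still see different ensemble configurations.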

Updated: 2021-05-07