Model Compression Hardens Deep Neural Networks: A New Perspective to Prevent Adversarial Attacks
IEEE Transactions on Neural Networks and Learning Systems (IF 10.2). Pub Date: 2021-06-28. DOI: 10.1109/tnnls.2021.3089128
Qi Liu, Wujie Wen

Deep neural networks (DNNs) have demonstrated phenomenal success in many real-world applications. However, recent works show that a DNN's decision can be easily misguided by adversarial examples: inputs with imperceptible perturbations crafted by an ill-disposed adversary, raising ever-increasing security concerns for DNN-based systems. Unfortunately, current defense techniques face the following issues: 1) they are usually unable to mitigate all types of attacks, since the diversified attacks that may occur in practical scenarios have different natures, and 2) most of them incur considerable implementation cost, such as complete retraining. This prompts an urgent need for a comprehensive defense framework with low deployment cost. In this work, we reveal that a "defensive decision boundary" and a "small gradient" are two critical conditions for reducing the effectiveness of adversarial examples with different properties. We propose to wisely use "hash compression" to reconstruct a low-cost "defensive hash classifier" that forms the first line of our defense. We then propose a set of retraining-free "gradient inhibition" (GI) methods to strongly suppress and randomize the gradient used to craft adversarial examples. Finally, we develop a comprehensive defense framework by orchestrating the "defensive hash classifier" and "GI." We evaluate our defense across traditional white-box, strong adaptive white-box, and black-box settings. Extensive studies show that our solution can enormously decrease the attack success rate of various adversarial attacks on diverse datasets.

Updated: 2021-06-28