Random transformations to improve mitigation of query-based black-box attacks
Ali, Ziad Tariq Muhammad and Azad, R. Muhammad Atif and Azad, Muhammad Ajmal and Holyhead, James and Rice, Iain and Imran, Ali Shariq (2024) Random transformations to improve mitigation of query-based black-box attacks. Expert Systems with Applications, 264. p. 125840. ISSN 0957-4174
Text: 1-s2.0-S0957417424027076-main.pdf - Published Version. Available under License Creative Commons Attribution Non-commercial No Derivatives.
Abstract
This paper proposes methods to upstage the best-known defences against query-based black-box attacks. These benchmark defences incorporate Gaussian noise into input data during inference to achieve state-of-the-art performance in protecting image classification models against the most advanced query-based black-box attacks. Even so, there is a need to improve upon them; for example, the widely benchmarked Random Noise Defense (RND) method has demonstrated limited robustness – achieving only 53.5% and 18.1% with a ResNet-50 model on the CIFAR-10 and ImageNet datasets, respectively – against the Square attack, which is commonly regarded as the state-of-the-art black-box attack. Therefore, in this work, we propose two alternatives to Gaussian noise addition at inference time: random crop-resize and random rotation of the input images. Although these transformations are generally used for data augmentation during training to improve model invariance and generalisation, their protective potential against query-based black-box attacks at inference time is unexplored. Therefore, for the first time, we report that for such well-trained models, either of the two transformations can also blunt powerful query-based black-box attacks when used at inference time on three popular datasets. The results show that the proposed randomised transformations outperform RND in terms of robust accuracy against a strong adversary that uses a high budget of 100,000 queries based on expectation over transformation (EOT) of 10, by 0.9% on the CIFAR-10 dataset, 9.4% on the ImageNet dataset and 1.6% on the Tiny ImageNet dataset. Crucially, in two even tougher attack settings, that is, high-confidence adversarial examples and an EOT-50 adversary, these transformations are even more effective, as the margin of improvement over the benchmarks increases further.
| Item Type: | Article |
|---|---|
| Identification Number: | 10.1016/j.eswa.2024.125840 |
| Dates: | 16 November 2024: Accepted; 23 November 2024: Published Online |
| Uncontrolled Keywords: | Black-box attacks, adversarial examples, randomised defences, neural networks |
| Subjects: | CAH11 - computing > CAH11-01 - computing > CAH11-01-01 - computer science |
| Divisions: | Faculty of Computing, Engineering and the Built Environment > College of Computing |
| Depositing User: | Gemma Tonks |
| Date Deposited: | 02 Dec 2024 16:28 |
| Last Modified: | 02 Dec 2024 16:28 |
| URI: | https://www.open-access.bcu.ac.uk/id/eprint/16007 |