Department of Informatics, Aristotle University of Thessaloniki, Thessaloniki, Greece.
Neural Netw. 2020 Apr;124:296-307. doi: 10.1016/j.neunet.2020.01.015. Epub 2020 Feb 6.
A novel adversarial attack methodology for fooling deep neural network classifiers in image classification tasks is proposed, along with a novel defense mechanism to counter such attacks. Two concepts are introduced, namely the K-Anonymity-inspired Adversarial Attack (K-A) and the Multiple Support Vector Data Description Defense (M-SVDD-D). The proposed K-A introduces novel optimization criteria to standard adversarial attack methodologies, inspired by the K-Anonymity principles. Its generated adversarial examples are not only misclassified by the neural network classifier, but are uniformly spread along K different ranked output positions. The proposed M-SVDD-D consists of a deep neural architecture layer consisting of multiple non-linear one-class classifiers based on Support Vector Data Description that can be used to replace the final linear classification layer of a deep neural architecture, and an additional class verification mechanism. Its application decreases the effectiveness of adversarial attacks, by increasing the noise energy required to deceive the protected model, attributed to the introduced non-linearity. In addition, M-SVDD-D can be used to prevent adversarial attacks in black-box attack settings.
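To make the class verification idea in M-SVDD-D concrete, the following added example (illustrative code written for this page, not the paper's implementation) builds one hypersphere per class over feature vectors and accepts a prediction only if the feature lies inside the predicted class's sphere. Two assumptions are labelled in the code: the per-class sphere is approximated as (class mean, largest training distance times a slack factor) instead of being solved as the SVDD quadratic program, and the "network head" is a nearest-centre rule standing in for a trained linear layer. The feature vectors are constructed toy data; in a real deployment they would come from the penultimate layer of the protected network.

```python
"""
Per-class one-class hypersphere verification (constructed example).
Assumptions, not the paper's method: the SVDD sphere is approximated by
(class mean, max training distance * slack) rather than solved as a QP,
and nearest_sphere_label() stands in for the network's linear head.
A prediction is accepted only if the feature falls inside the predicted
class's sphere; features outside every sphere (where boundary-crossing
perturbations tend to land) are rejected instead of silently classified.
"""
import math
from typing import Dict, List, Tuple

Vector = Tuple[float, ...]
Sphere = Tuple[Vector, float]  # (center, radius)


def _dist(a: Vector, b: Vector) -> float:
    """Euclidean distance between two feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def fit_hyperspheres(features: List[Vector], labels: List[int],
                     slack: float = 1.0) -> Dict[int, Sphere]:
    """Fit one enclosing sphere per class (simplified SVDD stand-in).

    slack > 1 enlarges each sphere to tolerate benign test variation;
    a larger slack lowers false rejections but weakens the check.
    """
    by_class: Dict[int, List[Vector]] = {}
    for f, y in zip(features, labels):
        by_class.setdefault(y, []).append(f)
    spheres: Dict[int, Sphere] = {}
    for y, pts in by_class.items():
        dim = len(pts[0])
        center = tuple(sum(p[d] for p in pts) / len(pts) for d in range(dim))
        radius = max(_dist(p, center) for p in pts) * slack
        spheres[y] = (center, radius)
    return spheres


def nearest_sphere_label(spheres: Dict[int, Sphere], f: Vector) -> int:
    """Stand-in for the classifier head: pick the class with nearest centre."""
    return min(spheres, key=lambda y: _dist(f, spheres[y][0]))


def verify(spheres: Dict[int, Sphere], f: Vector, predicted: int) -> bool:
    """Class verification: is the feature inside the predicted class's sphere?"""
    center, radius = spheres[predicted]
    return _dist(f, center) <= radius


def classify_with_verification(spheres: Dict[int, Sphere],
                               f: Vector) -> Tuple[int, bool]:
    """Return (label, accepted). accepted=False flags the input for rejection
    or manual review rather than trusting the head's label."""
    y = nearest_sphere_label(spheres, f)
    return y, verify(spheres, f, y)


# Constructed toy features: two well-separated 2-D clusters (classes 0 and 1).
TRAIN_FEATURES: List[Vector] = [
    (0.0, 0.0), (0.5, 0.2), (-0.3, 0.4), (0.1, -0.5),
    (5.0, 5.0), (5.4, 4.8), (4.6, 5.3), (5.2, 5.5),
]
TRAIN_LABELS: List[int] = [0, 0, 0, 0, 1, 1, 1, 1]
SPHERES = fit_hyperspheres(TRAIN_FEATURES, TRAIN_LABELS, slack=1.2)

if __name__ == "__main__":
    for probe in [(0.2, 0.1), (5.3, 5.2), (2.5, 2.5)]:
        label, ok = classify_with_verification(SPHERES, probe)
        print(probe, "->", label, "accepted" if ok else "REJECTED")
```

The probe (2.5, 2.5) sits between the two clusters: the head still assigns it a label, but it lies outside both spheres, so the verification step rejects it. That is the behaviour the abstract attributes to the added non-linearity and verification mechanism: a perturbation now has to move a feature all the way into the target class's region, not merely across a linear boundary.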