Blocking Transferability of Adversarial Examples in Black-Box Learning Systems

TL;DR

This paper introduces a training method that enhances black-box ML systems' robustness by classifying highly perturbed inputs as 'invalid', thereby blocking the transferability of adversarial examples and improving security.

Contribution

The paper proposes a novel training approach that adds a NULL class to reject adversarial inputs, effectively preventing transferability in black-box ML systems.

Findings

The method significantly reduces adversarial transferability.

The classifier maintains high accuracy on clean data.

Effective against various attack strategies.

Abstract

Advances in Machine Learning (ML) have led to its adoption as an integral component in many applications, including banking, medical diagnosis, and driverless cars. To further broaden the use of ML models, cloud-based services offered by Microsoft, Amazon, Google, and others have developed ML-as-a-service tools as black-box systems. However, ML classifiers are vulnerable to adversarial examples: inputs that are maliciously modified can cause the classifier to provide adversary-desired outputs. Moreover, it is known that adversarial examples generated on one classifier are likely to cause another classifier to make the same mistake, even if the classifiers have different architectures or are trained on disjoint datasets. This property, which is known as transferability, opens up the possibility of attacking black-box systems by generating adversarial examples on a substitute classifier and transferring the examples to the target classifier. Therefore, the key to protect black-box learning systems against the adversarial examples is to block their transferability. To this end, we propose a training method that, as the input is more perturbed, the classifier smoothly outputs lower confidence on the original label and instead predicts that the input is "invalid". In essence, we augment the output class set with a NULL label and train the classifier to reject the adversarial examples by classifying them as NULL. In experiments, we apply a wide range of attacks based on adversarial examples on the black-box systems. We show that a classifier trained with the proposed method effectively resists against the adversarial examples, while maintaining the accuracy on clean data.