Defense Methods Against Adversarial Examples for Recurrent Neural Networks

TL;DR

This paper introduces a novel defense technique called sequence squeezing to enhance the robustness of RNN classifiers against adversarial attacks, demonstrating significant reduction in attack success rates in cybersecurity applications.

Contribution

The paper presents the first sequence-based defense method for RNNs and evaluates multiple defenses against real-world adversarial attacks in cybersecurity.

Findings

Sequence squeezing reduces attack success from 99.9% to 15%.

Multiple defense methods improve RNN robustness.

Applicable to cybersecurity and NLP domains.

Abstract

Adversarial examples are known to mislead deep learning models to incorrectly classify them, even in domains where such models achieve state-of-the-art performance. Until recently, research on both attack and defense methods focused on image recognition, primarily using convolutional neural networks (CNNs). In recent years, adversarial example generation methods for recurrent neural networks (RNNs) have been published, demonstrating that RNN classifiers are also vulnerable to such attacks. In this paper, we present a novel defense method, termed sequence squeezing, to make RNN classifiers more robust against such attacks. Our method differs from previous defense methods which were designed only for non-sequence based models. We also implement four additional RNN defense methods inspired by recently published CNN defense methods. We evaluate our methods against state-of-the-art attacks in the cyber security domain where real adversaries (malware developers) exist, but our methods can be applied against other discrete sequence based adversarial attacks, e.g., in the NLP domain. Using our methods we were able to decrease the effectiveness of such attack from 99.9% to 15%.