# Defending against adversarial attacks by randomized diversification

**Authors:** Olga Taran, Shideh Rezaeifar, Taras Holotyak, Slava Voloshynovskiy

arXiv: 1904.00689 · 2019-04-02

## TL;DR

This paper introduces a defense mechanism against adversarial attacks on machine learning models using multi-channel randomized transformations with shared secret keys, enhancing robustness and reliability.

## Contribution

It proposes a novel multi-channel randomization approach with secret keys that prevents gradient-based attacks and improves defense against adversarial examples.

## Key findings

- Increased robustness to state-of-the-art attacks
- Effective gradient obfuscation through transform domain randomization
- Enhanced reliability via multi-channel output aggregation

## Abstract

The vulnerability of machine learning systems to adversarial attacks questions their usage in many applications. In this paper, we propose randomized diversification as a defense strategy. We introduce a multi-channel architecture in a gray-box scenario, which assumes that the architecture of the classifier and the training data set are known to the attacker; the only things the attacker does not have access to are the secret key and the internal states of the system at test time. The defender processes an input in multiple channels. Each channel introduces its own randomization in a special transform domain based on a secret key shared between the training and testing stages. Such transform-based randomization with a shared key preserves the gradients in key-defined sub-spaces for the defender, but it prevents gradient back-propagation and the creation of various bypass systems for the attacker. An additional benefit of multi-channel randomization is the aggregation that fuses soft outputs from all channels, thus increasing the reliability of the final score. The sharing of a secret key creates an information advantage for the defender. Experimental evaluation demonstrates increased robustness of the proposed method to a number of known state-of-the-art attacks.
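The multi-channel keyed randomization and soft-output aggregation described in the abstract, as an added example that is not the paper's own code: each channel derives its own sub-space (a secret subset of transform coefficients with secret sign flips) from a key shared between training and testing, a per-channel classifier is trained on those features, and the final decision averages the channels' soft outputs. The Walsh-Hadamard transform, the HMAC-based per-channel key derivation, the nearest-centroid classifier and the toy data set are assumptions of this example, not the paper's choices.

```python
import hashlib, hmac, math, random

def channel_rng(secret, channel):
    # Per-channel PRNG seeded from the shared secret key (HMAC-SHA256 over the channel index).
    seed = hmac.new(secret, f"channel:{channel}".encode(), hashlib.sha256).digest()
    return random.Random(int.from_bytes(seed, "big"))

def fwht(x):
    # Walsh-Hadamard transform (length a power of two): an assumed stand-in for the transform domain.
    a, h = [float(v) for v in x], 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j], a[j + h] = a[j] + a[j + h], a[j] - a[j + h]
        h *= 2
    return a

def channel_features(x, secret, channel, keep):
    # Key-defined sub-space: a secret subset of coefficients, each with a secret sign flip.
    rng, coeffs = channel_rng(secret, channel), fwht(x)
    idx = rng.sample(range(len(coeffs)), keep)
    return [rng.choice((-1.0, 1.0)) * coeffs[i] for i in idx]

def train(data, secret, channels, keep):
    # One nearest-centroid classifier per channel, trained on features under the same key.
    models = []
    for c in range(channels):
        feats = {}
        for x, label in data:
            feats.setdefault(label, []).append(channel_features(x, secret, c, keep))
        models.append({l: [sum(col) / len(fs) for col in zip(*fs)] for l, fs in feats.items()})
    return models

def soft_scores(model, f):
    # Soft output of one channel: softmax over negative squared distance to each centroid.
    logit = {l: -sum((a - b) ** 2 for a, b in zip(f, c)) for l, c in model.items()}
    z = {l: math.exp(v - max(logit.values())) for l, v in logit.items()}
    return {l: v / sum(z.values()) for l, v in z.items()}

def classify(x, models, secret, keep):
    # Aggregation: average the soft outputs of all channels and decide on the fused score.
    fused = {}
    for c, model in enumerate(models):
        for l, p in soft_scores(model, channel_features(x, secret, c, keep)).items():
            fused[l] = fused.get(l, 0.0) + p / len(models)
    return max(fused, key=fused.get), fused

# Constructed toy data (not from the paper): class "A" carries a large value in position 0.
KEY = b"shared-secret-key-example"
DATA = [([40 * (l == "A"), *t], l) for l in "AB" for t in ([1,0,0,0,0,1,0], [0,1,0,0,0,0,1], [0,0,1,0,1,0,0])]
```

Train with `train(DATA, KEY, 3, 4)` and classify with `classify(x, models, KEY, 4)`; the same input transformed under a different key lands in a different sub-space, which is the key-holder's information advantage the abstract describes.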

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1904.00689/full.md

## Figures

23 figures with captions in the complete paper: https://tomesphere.com/paper/1904.00689/full.md

## References

15 references — full list in the complete paper: https://tomesphere.com/paper/1904.00689/full.md

---
Source: https://tomesphere.com/paper/1904.00689