# Thwarting finite difference adversarial attacks with output randomization

**Authors:** Haidar Khan, Daniel Park, Azer Khan, Bülent Yener

arXiv: 1905.09871 · 2019-05-27

## TL;DR

This paper proposes a randomized output defense mechanism against black box adversarial attacks on neural networks, effectively reducing attack success while analyzing the accuracy-robustness tradeoff.

## Contribution

It introduces a novel output randomization technique that bounds error probabilities and demonstrates effectiveness against adaptive black box attacks.

## Key findings

- Randomization confuses black box attackers effectively.
- The method bounds the probability of errors in gradient estimation.
- Empirical results show successful thwarting of adaptive attacks.

## Abstract

Adversarial examples pose a threat to deep neural network models in a variety of scenarios, from settings where the adversary has complete knowledge of the model to the opposite "black box" setting. Black box attacks are particularly threatening as the adversary only needs access to the input and output of the model. Defending against black box adversarial example generation attacks is paramount as currently proposed defenses are not effective. Since these types of attacks rely on repeated queries to the model to estimate gradients over input dimensions, we investigate the use of randomization to thwart such adversaries from successfully creating adversarial examples. Randomization applied to the output of the deep neural network model has the potential to confuse potential attackers; however, this introduces a tradeoff between accuracy and robustness. We show that for certain types of randomization, we can bound the probability of introducing errors by carefully setting distributional parameters. For the particular case of finite difference black box attacks, we quantify the error introduced by the defense in the finite difference estimate of the gradient. Lastly, we show empirically that the defense can thwart two adaptive black box adversarial attack algorithms.
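The two quantities the abstract and the key findings talk about, the accuracy cost of randomizing the output (how often the returned label changes) and the error the randomization injects into a central-difference gradient estimate, can be made concrete on a toy model. The example below is added here and is not the paper's code; it assumes a constructed two-class sigmoid classifier, output randomization in the form of i.i.d. Gaussian noise of scale `sigma` added to each returned probability, and a closed-form flip probability that I derive for the two-class case only (the paper's own bounds and models are not reproduced).

```python
import math
import random

# Constructed toy 2-class model: sigmoid of a linear score. Illustrative stand-in
# for a classifier that can only be queried for its output probabilities;
# it is not one of the paper's models.
W = [0.8, -0.5, 0.3]
B = 0.1


def model_probs(x):
    """Clean output: [p(class 0), p(class 1)] for input vector x."""
    s = sum(w * xi for w, xi in zip(W, x)) + B
    p1 = 1.0 / (1.0 + math.exp(-s))
    return [1.0 - p1, p1]


def randomized_output(x, sigma, rng):
    """Defense (assumed form): add i.i.d. Gaussian noise of scale sigma to each
    returned probability before the caller sees it."""
    return [p + rng.gauss(0.0, sigma) for p in model_probs(x)]


def true_gradient(x):
    """Analytic d p(class 1) / dx for the toy model, used as the reference."""
    p1 = model_probs(x)[1]
    return [p1 * (1.0 - p1) * w for w in W]


def finite_difference_gradient(query, x, h, cls=1):
    """Central-difference estimate of d p(cls)/dx using 2*len(x) output queries.
    Each query's noise is divided by 2h, so the defense's error scales as sigma/h."""
    g = []
    for i in range(len(x)):
        xp = list(x); xp[i] += h
        xm = list(x); xm[i] -= h
        g.append((query(xp)[cls] - query(xm)[cls]) / (2.0 * h))
    return g


def l2(a, b):
    return math.sqrt(sum((ai - bi) ** 2 for ai, bi in zip(a, b)))


def gradient_errors(x, sigma, h, seed=0):
    """Return (error of the estimate from clean outputs, error from randomized outputs)."""
    rng = random.Random(seed)
    g_true = true_gradient(x)
    g_clean = finite_difference_gradient(model_probs, x, h)
    g_noisy = finite_difference_gradient(lambda z: randomized_output(z, sigma, rng), x, h)
    return l2(g_clean, g_true), l2(g_noisy, g_true)


def flip_rate(x, sigma, n, seed=0):
    """Empirical fraction of randomized outputs whose argmax differs from the clean one
    (the accuracy side of the accuracy-robustness tradeoff)."""
    rng = random.Random(seed)
    clean = model_probs(x)
    clean_cls = 0 if clean[0] >= clean[1] else 1
    flips = 0
    for _ in range(n):
        noisy = randomized_output(x, sigma, rng)
        noisy_cls = 0 if noisy[0] >= noisy[1] else 1
        flips += noisy_cls != clean_cls
    return flips / n


def gaussian_flip_probability(margin, sigma):
    """Exact flip probability for 2 classes: the noise difference is N(0, 2 sigma^2),
    so the top class loses iff that difference drops below -margin. (My derivation
    for the toy case, not the paper's bound; with k classes a union bound over the
    k-1 runners-up gives an upper bound of the same shape.)"""
    return 0.5 * math.erfc(margin / (2.0 * sigma))


def max_sigma_for_flip_budget(margin, budget, lo=1e-6, hi=10.0):
    """Largest noise scale whose flip probability stays within `budget`, found by
    bisection since the flip probability increases monotonically in sigma.
    This is the 'set the distributional parameter to bound the error' step."""
    for _ in range(100):
        mid = 0.5 * (lo + hi)
        if gaussian_flip_probability(margin, mid) <= budget:
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    x = [1.0, 1.0, 1.0]
    print("clean / noisy gradient error:", gradient_errors(x, sigma=0.01, h=1e-3))
    p0, p1 = model_probs(x)
    print("flip prob at sigma=0.01:", gaussian_flip_probability(p1 - p0, 0.01))
    print("max sigma for a 1% flip budget:", max_sigma_for_flip_budget(p1 - p0, 0.01))
```

Running it shows the asymmetry the paper exploits: at `sigma=0.01` the returned label on a confidently classified input essentially never changes (the margin is tens of noise standard deviations wide), yet the central-difference estimate with `h=1e-3` is dominated by noise of order `sigma/h` per coordinate, far larger than the true gradient. Inputs close to the decision boundary are where the accuracy cost concentrates, which is why the noise scale has to be chosen against the expected margin rather than set arbitrarily.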

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1905.09871/full.md

## Figures

11 figures with captions in the complete paper: https://tomesphere.com/paper/1905.09871/full.md

## References

33 references — full list in the complete paper: https://tomesphere.com/paper/1905.09871/full.md

---
Source: https://tomesphere.com/paper/1905.09871