A cryptographic approach to black box adversarial machine learning
Kevin Shi, Daniel Hsu, Allison Bishop
TL;DR
This paper introduces a cryptographic ensemble method with provable security guarantees against black-box transfer attacks, supported by theoretical proofs and empirical validation of classifier robustness.
Contribution
It presents a novel randomized ensemble technique with a security proof based on a new security problem for binary classifiers, enhancing adversarial robustness.
Findings
Empirical evidence shows improved adversarial robustness of the ensemble.
The security proof reduces the problem to a new, verifiable security model.
Experimental results demonstrate the effectiveness against black-box attacks.
Abstract
We propose a new randomized ensemble technique with a provable security guarantee against black-box transfer attacks. Our proof constructs a new security problem for random binary classifiers which is easier to empirically verify and a reduction from the security of this new model to the security of the ensemble classifier. We provide experimental evidence of the security of our random binary classifiers, as well as empirical results of the adversarial accuracy of the overall ensemble to black-box attacks. Our construction crucially leverages hidden randomness in the multiclass-to-binary reduction.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsAdversarial Robustness in Machine Learning · Advanced Malware Detection Techniques · Digital Media Forensic Detection