Defeating Misclassification Attacks Against Transfer Learning

TL;DR

This paper introduces a novel defense mechanism against misclassification attacks in transfer learning by using activation-based network pruning and ensemble strategies, significantly improving robustness with minimal accuracy loss.

Contribution

It presents a new distillation-based differentiator and a two-phase ensemble defense to effectively mitigate advanced misclassification attacks in transfer learning systems.

Findings

Student models with 5 differentiators resist over 90% of adversarial inputs

Defense maintains less than 10% accuracy loss on recognition tasks

Outperforms previous defense methods in robustness and efficiency

Abstract

Transfer learning is prevalent as a technique to efficiently generate new models (Student models) based on the knowledge transferred from a pre-trained model (Teacher model). However, Teacher models are often publicly available for sharing and reuse, which inevitably introduces vulnerability to trigger severe attacks against transfer learning systems. In this paper, we take a first step towards mitigating one of the most advanced misclassification attacks in transfer learning. We design a distilled differentiator via activation-based network pruning to enervate the attack transferability while retaining accuracy. We adopt an ensemble structure from variant differentiators to improve the defence robustness. To avoid the bloated ensemble size during inference, we propose a two-phase defence, in which inference from the Student model is firstly performed to narrow down the candidate differentiators to be assembled, and later only a small, fixed number of them can be chosen to validate clean or reject adversarial inputs effectively. Our comprehensive evaluations on both large and small image recognition tasks confirm that the Student models with our defence of only 5 differentiators are immune to over 90% of the adversarial inputs with an accuracy loss of less than 10%. Our comparison also demonstrates that our design outperforms prior problematic defences.