Orthogonal Deep Models As Defense Against Black-Box Attacks

TL;DR

This paper proposes a novel orthogonal gradient regularization technique to enhance deep model robustness against black-box adversarial attacks, demonstrating significant improvements across various models and attack types.

Contribution

The paper introduces a new gradient regularization method that enforces orthogonality between model representations, improving robustness without sacrificing accuracy.

Findings

Orthogonal models show increased resistance to black-box adversarial attacks.

Controlled gradient misalignment enhances model robustness.

Method is effective across multiple large-scale models.

Abstract

Deep learning has demonstrated state-of-the-art performance for a variety of challenging computer vision tasks. On one hand, this has enabled deep visual models to pave the way for a plethora of critical applications like disease prognostics and smart surveillance. On the other, deep learning has also been found vulnerable to adversarial attacks, which calls for new techniques to defend deep models against these attacks. Among the attack algorithms, the black-box schemes are of serious practical concern since they only need publicly available knowledge of the targeted model. We carefully analyze the inherent weakness of deep models in black-box settings where the attacker may develop the attack using a model similar to the targeted model. Based on our analysis, we introduce a novel gradient regularization scheme that encourages the internal representation of a deep model to be orthogonal to another, even if the architectures of the two models are similar. Our unique constraint allows a model to concomitantly endeavour for higher accuracy while maintaining near orthogonal alignment of gradients with respect to a reference model. Detailed empirical study verifies that controlled misalignment of gradients under our orthogonality objective significantly boosts a model's robustness against transferable black-box adversarial attacks. In comparison to regular models, the orthogonal models are significantly more robust to a range of $l_p$ norm bounded perturbations. We verify the effectiveness of our technique on a variety of large-scale models.