Robust Deep Learning Ensemble against Deception
Wenqi Wei, Ling Liu

TL;DR
This paper introduces XEnsemble, a novel ensemble verification framework that significantly enhances the robustness of deep neural networks against both adversarial attacks and out-of-distribution inputs by combining diverse data cleaning and disagreement-based ensemble techniques.
Contribution
XEnsemble is a new ensemble verification approach that integrates diverse input denoising and disagreement-based ensemble learning to defend against deception from adversarial and out-of-distribution inputs.
Findings
XEnsemble achieves high success rates in defending against eleven adversarial attacks.
It effectively detects out-of-distribution inputs with high accuracy.
XEnsemble outperforms existing defense methods in robustness and defensibility.
Abstract
Deep neural network (DNN) models are known to be vulnerable to maliciously crafted adversarial examples and to out-of-distribution inputs drawn sufficiently far away from the training data. How to protect a machine learning model against deception of both types of destructive inputs remains an open challenge. This paper presents XEnsemble, a diversity ensemble verification methodology for enhancing the adversarial robustness of DNN models against deception caused by either adversarial examples or out-of-distribution inputs. XEnsemble by design has three unique capabilities. First, XEnsemble builds diverse input denoising verifiers by leveraging different data cleaning techniques. Second, XEnsemble develops a disagreement-diversity ensemble learning methodology for guarding the output of the prediction model against deception. Third, XEnsemble provides a suite of algorithms to combine…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Bacillus and Francisella bacterial research · Advanced Malware Detection Techniques
