Ensemble of Models Trained by Key-based Transformed Images for Adversarially Robust Defense Against Black-box Attacks

TL;DR

This paper introduces a voting ensemble of key-based transformed models to improve adversarial robustness against black-box attacks, achieving high accuracy and low attack success rates on CIFAR-10.

Contribution

It presents a novel ensemble method using multiple key-based transformed models to enhance black-box attack defenses, surpassing existing methods.

Findings

Achieves 95.56% accuracy on clean images

Less than 9% attack success rate under strong attacks

Effective against state-of-the-art black-box attacks

Abstract

We propose a voting ensemble of models trained by using block-wise transformed images with secret keys for an adversarially robust defense. Key-based adversarial defenses were demonstrated to outperform state-of-the-art defenses against gradient-based (white-box) attacks. However, the key-based defenses are not effective enough against gradient-free (black-box) attacks without requiring any secret keys. Accordingly, we aim to enhance robustness against black-box attacks by using a voting ensemble of models. In the proposed ensemble, a number of models are trained by using images transformed with different keys and block sizes, and then a voting ensemble is applied to the models. In image classification experiments, the proposed defense is demonstrated to defend state-of-the-art attacks. The proposed defense achieves a clean accuracy of 95.56 % and an attack success rate of less than 9 % under attacks with a noise distance of 8/255 on the CIFAR-10 dataset.