Dynamic Defense Approach for Adversarial Robustness in Deep Neural Networks via Stochastic Ensemble Smoothed Model

TL;DR

This paper introduces a dynamic defense method for deep neural networks that uses stochastic ensemble smoothing with adaptable attributes to improve robustness against adversarial attacks, outperforming static defenses.

Contribution

It proposes a novel dynamic ensemble smoothing approach that adjusts model attributes before each inference to enhance adversarial robustness.

Findings

Ensemble smoothed model reduces attack success rate under white-box attacks.

Dynamic attribute adjustment improves defense effectiveness.

Method outperforms static ensemble defenses in experiments.

Abstract

Deep neural networks have been shown to suffer from critical vulnerabilities under adversarial attacks. This phenomenon stimulated the creation of different attack and defense strategies similar to those adopted in cyberspace security. The dependence of such strategies on attack and defense mechanisms makes the associated algorithms on both sides appear as closely reciprocating processes. The defense strategies are particularly passive in these processes, and enhancing initiative of such strategies can be an effective way to get out of this arms race. Inspired by the dynamic defense approach in cyberspace, this paper builds upon stochastic ensemble smoothing based on defense method of random smoothing and model ensemble. Proposed method employs network architecture and smoothing parameters as ensemble attributes, and dynamically change attribute-based ensemble model before every inference prediction request. The proposed method handles the extreme transferability and vulnerability of ensemble models under white-box attacks. Experimental comparison of ASR-vs-distortion curves with different attack scenarios shows that even the attacker with the highest attack capability cannot easily exceed the attack success rate associated with the ensemble smoothed model, especially under untargeted attacks.