TL;DR
Morphence introduces a moving target defense mechanism for machine learning models by regularly changing the decision function through a pool of models, significantly enhancing robustness against adversarial attacks while maintaining accuracy on clean data.
Contribution
The paper proposes Morphence, a novel dynamic defense approach that uses a pool of models to make adversarial attacks more difficult by continuously shifting the decision boundary.
Findings
Morphence outperforms adversarial training against strong white-box attacks.
It maintains high accuracy on clean data.
It is effective on the MNIST and CIFAR10 datasets.
Abstract
Robustness to adversarial examples of machine learning models remains an open topic of research. Attacks often succeed by repeatedly probing a fixed target model with adversarial examples purposely crafted to fool it. In this paper, we introduce Morphence, an approach that shifts the defense landscape by making a model a moving target against adversarial examples. By regularly moving the decision function of a model, Morphence makes it significantly challenging for repeated or correlated attacks to succeed. Morphence deploys a pool of models generated from a base model in a manner that introduces sufficient randomness when it responds to prediction queries. To ensure repeated or correlated attacks fail, the deployed pool of models automatically expires after a query budget is reached and the model pool is seamlessly replaced by a new model pool generated in advance. We evaluate…
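The scheduling behaviour the abstract describes (random member chosen per query, pool expiry after a query budget, seamless swap to a pool generated in advance) can be illustrated with a small simulation. This is an added example, not the paper's code: the one-dimensional threshold classifiers and the uniform jitter used to derive pool members from the base model are assumptions standing in for the paper's model-generation step.

```python
import random
from dataclasses import dataclass


@dataclass
class ToyModel:
    """Stand-in for one pool member: a 1-D threshold classifier (assumption, not the paper's models)."""
    threshold: float

    def predict(self, x: float) -> int:
        return int(x > self.threshold)


def generate_pool(base_threshold: float, size: int, rng: random.Random, jitter: float = 0.2) -> list:
    """Derive a pool from the base model by perturbing its decision boundary.
    The uniform jitter is an assumption standing in for the paper's model-generation step."""
    return [ToyModel(base_threshold + rng.uniform(-jitter, jitter)) for _ in range(size)]


class MovingTargetDefense:
    """Answers each query with a randomly chosen pool member; rotates the pool once the budget is spent."""

    def __init__(self, base_threshold: float, pool_size: int, query_budget: int, seed: int = 0):
        self.rng = random.Random(seed)
        self.base, self.pool_size, self.query_budget = base_threshold, pool_size, query_budget
        self.generation = 0
        self.queries_served = 0
        self.active = generate_pool(base_threshold, pool_size, self.rng)
        # The replacement pool is built ahead of time so the swap costs nothing at query time.
        self.next_pool = generate_pool(base_threshold, pool_size, self.rng)

    def _rotate(self) -> None:
        self.active, self.next_pool = self.next_pool, generate_pool(self.base, self.pool_size, self.rng)
        self.queries_served = 0
        self.generation += 1

    def predict(self, x: float) -> int:
        if self.queries_served >= self.query_budget:
            self._rotate()  # the deployed pool expires once the query budget is reached
        self.queries_served += 1
        return self.rng.choice(self.active).predict(x)  # fresh random member for every query


def label_agreement(defense: MovingTargetDefense, x: float, n: int) -> float:
    """Fraction of n repeated queries on the same input that return the majority label.
    Far from the boundary this is 1.0; near it, repeated probes see a moving decision function."""
    labels = [defense.predict(x) for _ in range(n)]
    return max(labels.count(0), labels.count(1)) / n
```

Inputs far from the base boundary get stable answers from every generation, while inputs close to it are the ones whose answers shift between queries and across pool rotations.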
Taxonomy
Methods: Morphence
