Adversarial Defense via Image Denoising with Chaotic Encryption
Shi Hu, Eric Nalisnick, Max Welling

TL;DR
This paper introduces a novel gray box adversarial defense combining image denoising with chaotic encryption, significantly improving robustness against adversarial attacks on CIFAR datasets.
Contribution
It proposes a new defense framework using image denoising and chaotic encryption with a private key, effective in gray box attack scenarios.
Findings
Outperforms state-of-the-art gray box defenses on CIFAR-10 and CIFAR-100.
Achieves higher natural accuracy and higher adversarial accuracy than those defenses.
Effective against FGSM and PGD adversarial attacks.
Abstract
In the literature on adversarial examples, white box and black box attacks have received the most attention. The adversary is assumed to have either full (white) or no (black) access to the defender's model. In this work, we focus on the equally practical gray box setting, assuming an attacker has partial information. We propose a novel defense that assumes everything but a private key will be made available to the attacker. Our framework uses an image denoising procedure coupled with encryption via a discretized Baker map. Extensive testing against adversarial images (e.g. FGSM, PGD) crafted using various gradients shows that our defense achieves significantly better results on CIFAR-10 and CIFAR-100 than the state-of-the-art gray box defenses in both natural and adversarial accuracy.
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Digital Media Forensic Detection · Bacillus and Francisella bacterial research
