Morphence-2.0: Evasion-Resilient Moving Target Defense Powered by Out-of-Distribution Detection

TL;DR

Morphence-2.0 introduces a scalable moving target defense using out-of-distribution detection to dynamically change models, significantly improving robustness against adversarial attacks while maintaining accuracy on clean data.

Contribution

It presents a novel, scalable moving target defense framework that employs OOD detection and model pooling to thwart repeated adversarial probing effectively.

Findings

Outperforms prior defenses on MNIST and CIFAR10 datasets.

Reduces attack transferability and maintains high accuracy on clean data.

Enhances prediction accuracy through input-based model movement.

Abstract

Evasion attacks against machine learning models often succeed via iterative probing of a fixed target model, whereby an attack that succeeds once will succeed repeatedly. One promising approach to counter this threat is making a model a moving target against adversarial inputs. To this end, we introduce Morphence-2.0, a scalable moving target defense (MTD) powered by out-of-distribution (OOD) detection to defend against adversarial examples. By regularly moving the decision function of a model, Morphence-2.0 makes it significantly challenging for repeated or correlated attacks to succeed. Morphence-2.0 deploys a pool of models generated from a base model in a manner that introduces sufficient randomness when it responds to prediction queries. Via OOD detection, Morphence-2.0 is equipped with a scheduling approach that assigns adversarial examples to robust decision functions and benign samples to an undefended accurate models. To ensure repeated or correlated attacks fail, the deployed pool of models automatically expires after a query budget is reached and the model pool is seamlessly replaced by a new model pool generated in advance. We evaluate Morphence-2.0 on two benchmark image classification datasets (MNIST and CIFAR10) against 4 reference attacks (3 white-box and 1 black-box). Morphence-2.0 consistently outperforms prior defenses while preserving accuracy on clean data and reducing attack transferability. We also show that, when powered by OOD detection, Morphence-2.0 is able to precisely make an input-based movement of the model's decision function that leads to higher prediction accuracy on both adversarial and benign queries.