Immune Defense: A Novel Adversarial Defense Mechanism for Preventing the Generation of Adversarial Examples
Jinwei Wang, Hao Wu, Haihua Wang, Jiawei Zhang, Xiangyang Luo, Bin Ma

TL;DR
This paper introduces immune defense, a novel method that applies carefully crafted perturbations to images to prevent the generation of adversarial examples, enhancing DNN security against both white-box and black-box attacks.
Contribution
It proposes a new example-based pre-defense mechanism called immune defense, including gradient-based, optimization-based, and black-box approaches, notably introducing MGSD for improved transferability.
Findings
The optimization-based approach outperforms the others in visual quality.
The gradient-based approach offers stronger transferability.
MGSD significantly enhances resistance to black-box attacks.
Abstract
The vulnerability of Deep Neural Networks (DNNs) to adversarial examples has been confirmed. Existing adversarial defenses primarily aim at preventing adversarial examples from attacking DNNs successfully, rather than preventing their generation. If the generation of adversarial examples is unregulated, images within reach are no longer secure and pose a threat to non-robust DNNs. Although gradient obfuscation attempts to address this issue, it has been shown to be circumventable. Therefore, we propose a novel adversarial defense mechanism, referred to as immune defense, which is an example-based pre-defense. This mechanism applies carefully designed quasi-imperceptible perturbations to the raw images to prevent the generation of adversarial examples for those images, thereby protecting both the images and the DNNs. These perturbed images are referred to as Immune Examples (IEs).…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications · Generative Adversarial Networks and Image Synthesis
