Hindering Adversarial Attacks with Multiple Encrypted Patch Embeddings
AprilPyone MaungMaung, Isao Echizen, Hitoshi Kiya

TL;DR
This paper introduces a new key-based defense mechanism using multiple encrypted patch embeddings and optional randomization to improve robustness against adversarial attacks on large datasets like ImageNet.
Contribution
It extends the previous key-based defense with efficient training and optional randomization at inference, improving robustness against adaptive adversarial attacks while keeping clean accuracy comparable.
Findings
Achieves high robust accuracy on ImageNet
Maintains comparable clean accuracy
Effective against adaptive attacks
Abstract
In this paper, we propose a new key-based defense focusing on both efficiency and robustness. Although the previous key-based defense seems effective in defending against adversarial examples, carefully designed adaptive attacks can bypass it, and it is difficult to train on large datasets like ImageNet. We build upon the previous defense with two major improvements: (1) efficient training and (2) optional randomization. The proposed defense utilizes one or more secret patch embeddings and classifier heads with a pre-trained isotropic network. When more than one secret embedding is used, the proposed defense enables randomization at inference. Experiments were carried out on the ImageNet dataset, and the proposed defense was evaluated against an arsenal of state-of-the-art attacks, including adaptive ones. The results show that the proposed…
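To make the mechanism in the abstract concrete, the following is an added toy example (not code from the paper or its authors). It assumes the "encryption" of each patch is a key-seeded pixel permutation applied before a linear patch embedding; the page does not say which transform the paper uses, so treat that as an assumption. The frozen backbone, the classifier heads, the patch/embedding sizes and the sample image are stand-ins constructed here. What it shows is the part a defender cares about: the embedding is a deterministic function of a secret, an attacker with a different key gets different tokens, the per-patch key space is large, and with several keys loaded the model picks one at random per inference.

```python
"""Toy key-based patch embedding with optional randomized inference.

Added illustration for the defense described in the abstract. The secret
transform (per-patch pixel permutation) and every size below are assumptions.
"""
import math

import numpy as np

PATCH = 4                               # patch side length (assumed)
CHANNELS = 3
PATCH_LEN = PATCH * PATCH * CHANNELS    # 48 values per flattened patch
DIM = 8                                 # embedding width (assumed)
NUM_CLASSES = 5                         # assumed

# Constructed sample input: an 8x8 RGB image, i.e. four 4x4 patches.
SAMPLE_IMG = np.random.default_rng(42).random((8, 8, CHANNELS))


def make_key(seed):
    """Derive one secret patch embedding from a key seed: a per-patch pixel
    permutation (the 'encryption') and a linear projection, both fixed by the seed."""
    rng = np.random.default_rng(seed)
    return {
        "perm": rng.permutation(PATCH_LEN),
        "W": rng.standard_normal((PATCH_LEN, DIM)) / math.sqrt(PATCH_LEN),
    }


def key_space_bits():
    """log2 of the number of per-patch permutations an attacker would have to guess
    (log2(48!) for the sizes assumed here)."""
    return math.lgamma(PATCH_LEN + 1) / math.log(2)


def to_patches(img):
    """Split an (H, W, C) image into non-overlapping flattened patches."""
    h, w, c = img.shape
    if h % PATCH or w % PATCH or c != CHANNELS:
        raise ValueError("image must be a multiple of the patch size with 3 channels")
    p = img.reshape(h // PATCH, PATCH, w // PATCH, PATCH, c).transpose(0, 2, 1, 3, 4)
    return p.reshape(-1, PATCH_LEN)


def encrypted_embed(img, key):
    """Apply the secret permutation to every patch, then project to DIM tokens."""
    patches = to_patches(img)
    return patches[:, key["perm"]] @ key["W"]


def frozen_backbone(tokens):
    """Stand-in for the pre-trained isotropic network: a fixed nonlinearity and
    mean pooling over patch tokens. Not a real network; it is never trained here."""
    return np.tanh(tokens).mean(axis=0)


class KeyedClassifier:
    """One frozen backbone shared by N secret embeddings, each with its own head."""

    def __init__(self, key_seeds, head_seed=0):
        self.keys = [make_key(s) for s in key_seeds]
        rng = np.random.default_rng(head_seed)
        # One classifier head per secret embedding (untrained stand-ins here).
        self.heads = [rng.standard_normal((DIM, NUM_CLASSES)) for _ in key_seeds]

    def predict(self, img, rng=None):
        """Without rng: always use key 0. With rng: pick a key uniformly at random
        for this inference, which is the optional randomization."""
        idx = 0 if rng is None else int(rng.integers(len(self.keys)))
        tokens = encrypted_embed(img, self.keys[idx])
        logits = frozen_backbone(tokens) @ self.heads[idx]
        return idx, logits

    def key_usage(self, img, n, seed):
        """Which key index each of n randomized inferences used."""
        rng = np.random.default_rng(seed)
        return [self.predict(img, rng)[0] for _ in range(n)]


if __name__ == "__main__":
    clf = KeyedClassifier(key_seeds=[1, 2])
    print("per-patch key space: %.1f bits" % key_space_bits())
    print("deterministic inference uses key", clf.predict(SAMPLE_IMG)[0])
    print("randomized inference key trace:", clf.key_usage(SAMPLE_IMG, 10, seed=7))
```

Note what the toy does not show: the paper's robustness claims depend on training the heads with the secret embeddings in place and on evaluating against adaptive attacks that know the defense but not the key; the stand-in heads and backbone here are untrained and say nothing about accuracy.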
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Forensic and Genetic Research · Forensic Fingerprint Detection Methods
