Defenses in Adversarial Machine Learning: A Survey

TL;DR

This survey systematically reviews defense strategies against adversarial attacks in machine learning, categorizing methods across the entire ML system lifecycle to enhance understanding and inspire future robust defense development.

Contribution

It introduces a unified, lifecycle-based taxonomy for defense paradigms, facilitating comprehensive analysis and comparison of existing methods in adversarial ML defenses.

Findings

Provides a complete taxonomy of defense methods at five ML system stages

Analyzes connections and differences among defense paradigms

Facilitates understanding of defense mechanisms and future research directions

Abstract

Adversarial phenomenon has been widely observed in machine learning (ML) systems, especially in those using deep neural networks, describing that ML systems may produce inconsistent and incomprehensible predictions with humans at some particular cases. This phenomenon poses a serious security threat to the practical application of ML systems, and several advanced attack paradigms have been developed to explore it, mainly including backdoor attacks, weight attacks, and adversarial examples. For each individual attack paradigm, various defense paradigms have been developed to improve the model robustness against the corresponding attack paradigm. However, due to the independence and diversity of these defense paradigms, it is difficult to examine the overall robustness of an ML system against different kinds of attacks.This survey aims to build a systematic review of all existing defense paradigms from a unified perspective. Specifically, from the life-cycle perspective, we factorize a complete machine learning system into five stages, including pre-training, training, post-training, deployment, and inference stages, respectively. Then, we present a clear taxonomy to categorize and review representative defense methods at each individual stage. The unified perspective and presented taxonomies not only facilitate the analysis of the mechanism of each defense paradigm but also help us to understand connections and differences among different defense paradigms, which may inspire future research to develop more advanced, comprehensive defenses.