Dashed Line Defense: Plug-And-Play Defense Against Adaptive Score-Based Query Attacks

TL;DR

This paper introduces Dashed Line Defense, a novel plug-and-play method that enhances the robustness of deep learning models against adaptive score-based query attacks by introducing ambiguity in loss interpretation.

Contribution

The paper proposes DLD, a new post-processing defense that withstands adaptive attacks, with theoretical guarantees and superior empirical performance on ImageNet.

Findings

DLD effectively disrupts adaptive AE generation processes.

DLD outperforms prior defenses under worst-case adaptive attacks.

DLD maintains high accuracy while defending against sophisticated query strategies.

Abstract

Score-based query attacks pose a serious threat to deep learning models by crafting adversarial examples (AEs) using only black-box access to model output scores, iteratively optimizing inputs based on observed loss values. While recent runtime defenses attempt to disrupt this process via output perturbation, most either require access to model parameters or fail when attackers adapt their tactics. In this paper, we first reveal that even the state-of-the-art plug-and-play defense can be bypassed by adaptive attacks, exposing a critical limitation of existing runtime defenses. We then propose Dashed Line Defense (DLD), a plug-and-play post-processing method specifically designed to withstand adaptive query strategies. By introducing ambiguity in how the observed loss reflects the true adversarial strength of candidate examples, DLD prevents attackers from reliably analyzing and adapting their queries, effectively disrupting the AE generation process. We provide theoretical guarantees of DLD's defense capability and validate its effectiveness through experiments on ImageNet, demonstrating that DLD consistently outperforms prior defenses--even under worst-case adaptive attacks--while preserving the model's predicted labels.