Timezone: »

Random Noise Defense Against Query-Based Black-Box Attacks
Zeyu Qin · Yanbo Fan · Hongyuan Zha · Baoyuan Wu

Tue Dec 07 08:30 AM -- 10:00 AM (PST) @ Virtual #None

The query-based black-box attacks have raised serious threats to machine learning models in many real applications. In this work, we study a lightweight defense method, dubbed Random Noise Defense (RND), which adds proper Gaussian noise to each query. We conduct the theoretical analysis about the effectiveness of RND against query-based black-box attacks and the corresponding adaptive attacks. Our theoretical results reveal that the defense performance of RND is determined by the magnitude ratio between the noise induced by RND and the noise added by the attackers for gradient estimation or local search. The large magnitude ratio leads to the stronger defense performance of RND, and it's also critical for mitigating adaptive attacks. Based on our analysis, we further propose to combine RND with a plausible Gaussian augmentation Fine-tuning (RND-GF). It enables RND to add larger noise to each query while maintaining the clean accuracy to obtain a better trade-off between clean accuracy and defense performance. Additionally, RND can be flexibly combined with the existing defense methods to further boost the adversarial robustness, such as adversarial training (AT). Extensive experiments on CIFAR-10 and ImageNet verify our theoretical findings and the effectiveness of RND and RND-GF.

Author Information

Zeyu Qin (The Chinese University of Hong Kong, Shenzhen)
Yanbo Fan (NLPR, CASIA)
Hongyuan Zha (Georgia Tech)
Baoyuan Wu (Tencent AI Lab)

More from the Same Authors