Morphence: Moving Target Defense Against Adversarial Examples

Annual Computer Security Applications Conference Pub Date : 2021-08-31 DOI:10.1145/3485832.3485899

Abderrahmen Amich, Birhanu Eshete

{"title":"Morphence: Moving Target Defense Against Adversarial Examples","authors":"Abderrahmen Amich, Birhanu Eshete","doi":"10.1145/3485832.3485899","DOIUrl":null,"url":null,"abstract":"Robustness to adversarial examples of machine learning models remains an open topic of research. Attacks often succeed by repeatedly probing a fixed target model with adversarial examples purposely crafted to fool it. In this paper, we introduce Morphence, an approach that shifts the defense landscape by making a model a moving target against adversarial examples. By regularly moving the decision function of a model, Morphence makes it significantly challenging for repeated or correlated attacks to succeed. Morphence deploys a pool of models generated from a base model in a manner that introduces sufficient randomness when it responds to prediction queries. To ensure repeated or correlated attacks fail, the deployed pool of models automatically expires after a query budget is reached and the model pool is seamlessly replaced by a new model pool generated in advance. We evaluate Morphence on two benchmark image classification datasets (MNIST and CIFAR10) against five reference attacks (2 white-box and 3 black-box). In all cases, Morphence consistently outperforms the thus-far effective defense, adversarial training, even in the face of strong white-box attacks, while preserving accuracy on clean data and reducing attack transferability.","PeriodicalId":175869,"journal":{"name":"Annual Computer Security Applications Conference","volume":"47 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-08-31","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"14","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Annual Computer Security Applications Conference","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3485832.3485899","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 14

Abstract

Robustness to adversarial examples of machine learning models remains an open topic of research. Attacks often succeed by repeatedly probing a fixed target model with adversarial examples purposely crafted to fool it. In this paper, we introduce Morphence, an approach that shifts the defense landscape by making a model a moving target against adversarial examples. By regularly moving the decision function of a model, Morphence makes it significantly challenging for repeated or correlated attacks to succeed. Morphence deploys a pool of models generated from a base model in a manner that introduces sufficient randomness when it responds to prediction queries. To ensure repeated or correlated attacks fail, the deployed pool of models automatically expires after a query budget is reached and the model pool is seamlessly replaced by a new model pool generated in advance. We evaluate Morphence on two benchmark image classification datasets (MNIST and CIFAR10) against five reference attacks (2 white-box and 3 black-box). In all cases, Morphence consistently outperforms the thus-far effective defense, adversarial training, even in the face of strong white-box attacks, while preserving accuracy on clean data and reducing attack transferability.

查看原文本刊更多论文

Morphence:针对敌对例子的移动目标防御

机器学习模型对抗性例子的鲁棒性仍然是一个开放的研究主题。攻击通常是通过反复探测一个固定的目标模型，故意用敌对的例子来欺骗它。在本文中，我们介绍了Morphence，这是一种通过将模型作为对抗示例的移动目标来改变防御格局的方法。通过定期移动模型的决策函数，Morphence极大地挑战了重复或相关攻击的成功。Morphence部署了一个从基本模型生成的模型池，在响应预测查询时引入了足够的随机性。为确保重复攻击或关联攻击失败，在达到查询预算后，已部署的模型池自动失效，模型池被提前生成的新模型池无缝替换。我们在两个基准图像分类数据集(MNIST和CIFAR10)上对5种参考攻击(2种白盒攻击和3种黑盒攻击)进行了Morphence评估。在所有情况下，Morphence始终优于迄今为止有效的防御，对抗性训练，即使面对强大的白盒攻击，同时保持干净数据的准确性并减少攻击的可转移性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Annual Computer Security Applications Conference

自引率

0.00%

发文量