Designing Secure and Robust Machine Learning Models


Student Name: Sohaib Kiani
Defense Date:
Location: Nichols Hall, Room 250, Gemini Room
Chair: Bo Luo
Alex Bardas
Fengjun Li
Cuncong Zhong
Xuemin Tu

Abstract:

With the growing computational power and the enormous amount of data available from many sectors, applications with machine learning (ML) components are widely adopted in our everyday lives. One major drawback of ML models is that it is hard to guarantee the same performance when the environment changes, since ML models are not traditional software that can be tested end-to-end. ML models are vulnerable to distributional shifts and cyber-attacks. Various cyber-attacks against deep neural networks (DNNs) have been proposed in the literature, such as poisoning, evasion, backdoor, and model inversion attacks. In evasion attacks against DNNs, the attacker generates adversarial instances that are visually indistinguishable from benign samples and sends them to the target DNN to trigger misclassifications.

In our work, we proposed a novel multi-view adversarial image detector, namely ‘Argos’, based on a novel observation: there exist two “souls” in an adversarial instance, i.e., the visually unchanged content, which corresponds to the true label, and the added invisible perturbation, which corresponds to the misclassified label. Such inconsistencies can be further amplified through an autoregressive generative approach that generates images from seed pixels selected from the original image, a selected label, and pixel distributions learned from the training data. The generated images (i.e., the “views”) deviate significantly from the original one if the label is adversarial, exhibiting the inconsistencies that ‘Argos’ is designed to detect. To this end, ‘Argos’ first amplifies the discrepancies between the visual content of an image and its attack-induced misclassified label using a set of regeneration mechanisms, and then identifies an image as adversarial if the reproduced views deviate beyond a preset degree. Our experimental results show that ‘Argos’ significantly outperforms two representative adversarial detectors in both detection accuracy and robustness against six well-known adversarial attacks.
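The detection principle in the abstract (regenerate "views" from seed pixels under the classifier's output label, then threshold on how far the views drift from the original) can be shown on a deliberately small scale. The following is an added illustration written for this page, not Argos's code or its autoregressive generator: images are constructed 16-pixel rows, the "pixel distributions learned from the training data" are a class-conditional first-order step model, and the victim classifier's wrong label on the perturbed input is assumed rather than produced by a real DNN. All names, the two synthetic classes, and the threshold calibration rule are this example's own choices.

```python
"""Toy multi-view consistency check in the spirit of the Argos observation.

Each image is a row of 16 intensities in [0, 1]. Two constructed classes:
class 0 ramps dark->bright, class 1 ramps bright->dark. A class-conditional
autoregressive model learns, per class and pixel position, the typical step
from the previous pixel. Regeneration keeps seed pixels copied from the image
and rolls the remaining pixels out under a chosen label. When that label
contradicts the visual content, the regenerated views drift away from the
original, and that drift is what the detector thresholds on.
"""
import random
from statistics import mean, pstdev

N_PIXELS = 16


def _clip(v):
    return min(1.0, max(0.0, v))


def make_image(label, rng):
    """Constructed sample: class 0 ramps 0.1 -> 0.9, class 1 ramps 0.9 -> 0.1, plus small noise."""
    start, end = (0.1, 0.9) if label == 0 else (0.9, 0.1)
    step = (end - start) / (N_PIXELS - 1)
    return [_clip(start + i * step + rng.gauss(0, 0.02)) for i in range(N_PIXELS)]


def train_step_model(images, labels):
    """Class-conditional autoregressive model: for each class and position i >= 1,
    the mean and std of the step x[i] - x[i-1] observed in the training data."""
    model = {}
    for c in sorted(set(labels)):
        rows = [img for img, lab in zip(images, labels) if lab == c]
        model[c] = []
        for i in range(1, N_PIXELS):
            steps = [row[i] - row[i - 1] for row in rows]
            model[c].append((mean(steps), pstdev(steps)))
    return model


def regenerate(image, label, model, seeds, rng):
    """One 'view': keep the seed pixels from the original and roll out every other
    pixel from its left neighbour using the step distribution of `label`."""
    view = list(image)
    for i in range(1, N_PIXELS):
        if i in seeds:
            continue
        mu, sigma = model[label][i - 1]
        view[i] = _clip(view[i - 1] + mu + rng.gauss(0, sigma))
    return view


def inconsistency(image, label, model, rng, n_views=8, n_seeds=3):
    """Mean absolute deviation of regenerated pixels from the original, averaged over
    n_views views that each use a different random seed-pixel set (pixel 0 always anchors)."""
    total = 0.0
    for _ in range(n_views):
        seeds = {0} | set(rng.sample(range(1, N_PIXELS), n_seeds))
        view = regenerate(image, label, model, seeds, rng)
        free = [i for i in range(N_PIXELS) if i not in seeds]
        total += mean(abs(view[i] - image[i]) for i in free)
    return total / n_views


def calibrate_threshold(images, labels, model, rng, k=4.0):
    """Preset degree of deviation, taken from benign images scored under their
    true labels: mean + k * std (this example's calibration rule)."""
    scores = [inconsistency(img, lab, model, rng) for img, lab in zip(images, labels)]
    return mean(scores) + k * pstdev(scores)


def is_adversarial(image, predicted_label, model, threshold, rng):
    """Flag the image if views regenerated under the classifier's label drift too far."""
    return inconsistency(image, predicted_label, model, rng) > threshold


def run_demo():
    rng = random.Random(2024)
    labels = [i % 2 for i in range(200)]
    images = [make_image(lab, rng) for lab in labels]
    model = train_step_model(images[:150], labels[:150])
    threshold = calibrate_threshold(images[150:], labels[150:], model, rng)

    benign = make_image(0, rng)
    # Constructed adversarial case: the same visual content with an imperceptible
    # perturbation, and the victim classifier's (assumed) wrong output label 1.
    adversarial = [_clip(p + 0.004 * (1 if i % 2 else -1)) for i, p in enumerate(benign)]
    return {
        "threshold": threshold,
        "benign_score": inconsistency(benign, 0, model, rng),
        "adversarial_score": inconsistency(adversarial, 1, model, rng),
        "benign_flagged": is_adversarial(benign, 0, model, threshold, rng),
        "adversarial_flagged": is_adversarial(adversarial, 1, model, threshold, rng),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point the run makes is the one the abstract states: the perturbation itself is tiny (a few thousandths per pixel), so comparing the adversarial row with the benign one directly would reveal nothing; what separates the two is regenerating under the label the classifier produced, where the wrong label pulls every rolled-out pixel in the opposite direction from the seed pixels. Real detectors replace the step model with a learned autoregressive image model and calibrate the threshold on held-out benign data, but the consistency test has the same shape.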

Degree: PhD Comprehensive Defense (CS)
Degree Type: PhD Comprehensive Defense
Degree Field: Computer Science