Deep learning has increasingly become ubiquitous in Cloud offerings, the Internet of Things, and cyber-physical systems. However, deep neural networks (DNNs) are vulnerable to adversarial examples, which are artifacts generated by adding human-imperceptible distortions to benign inputs so that the target DNN model misclassifies them, either randomly or purposefully. A growing number of attacks has been reported in the literature to generate adversarial examples of varying sophistication. As more defense methods are proposed, the attack-defense arms race has accelerated the development of more aggressive attacks, and developing effective defenses has been shown to be substantially harder than designing new attacks [2, 3, 4]. How to protect deep learning systems against adversarial input attacks has become a pressing challenge.
In this paper we present a cross-layer strategic ensemble defense approach with three original contributions. First, we develop input transformation based ensemble algorithms by leveraging diverse input noise reduction techniques. Second, we develop output model ensemble algorithms by utilizing model-disagreement diversity to create multiple failure-independent model verifiers. Third, we create an input-output cross-layer strategic ensemble defense method that strengthens the robustness of our cross-layer ensemble by combining diverse input transformation ensembles with diverse output model ensembles. Due to space limitations, we only evaluate 10 representative attacks on the ImageNet dataset. The results show that our cross-layer strategic ensemble defense can achieve high defense success rates, and is more robust, with high attack prevention success rates and low benign false negative rates, compared to existing representative defense approaches.
II-A Characterization of Adversarial Attacks
Adversarial examples can be generated through black-box access to the prediction API of the target model being attacked. In this paper, we measure the adversarial effect of attacks by the attack success rate, the misclassification rate, and the attack confidence, and measure the cost of an attack by the perturbation distance, the perception distance, and the average time to generate one adversarial example.
Attack Success Rate (ASR) is defined as the percentage of successful adversarial examples over all attack inputs.
Misclassification Rate (MR) is defined as the percentage of misclassified adversarial examples over all attack inputs.
Mean confidence on adversarial class (AdvConf) is defined as the sum of the confidence on the adversarial class over all successful adversarial examples, divided by the number of successful adversarial examples.
Perturbation Distance Cost (DistPerturb) is defined by the root mean square deviation between a benign input and its adversarial counterpart.
Perception Distance Cost (DistPercept) measures the perception distance of successful adversarial examples by applying existing human perception distance metrics.
Time cost (Time): The per-example generation time for each adversarial attack is measured in seconds.
Our experimental results cover 12 attacks on ImageNet, which contains 1.2 million training images and 50,000 validation images in 1,000 classes. All experiments are conducted on an Intel 4-core i5-7200U CPU@2.50GHz server with an Nvidia GeForce 1080Ti GPU. We select a pre-trained model with competitive prediction accuracy for the dataset: the target model, trained on ImageNet using TensorFlow MobileNet, has a validation accuracy of 0.695. We consider queries with pre-generated adversarial examples by building our attack system on top of EvadeML-Zoo. The first 100 correctly predicted benign examples in the validation set are selected for the attack experiments. We consider a total of 12 representative attacks, two of which are untargeted attacks (UA): the Fast Gradient Sign Method (FGSM) and the Basic Iterative Method (BIM). The other ten are targeted attacks from five attack algorithms: targeted FGSM (TFGSM), targeted BIM (TBIM), and Carlini Wagner (CW) attacks under each of three perturbation norms. We use two representative types of attack targets: the most-likely attack class in the prediction vector (most) and the least-likely attack class (LL). We run experiments of all 12 attacks on ImageNet. The perturbation magnitude is set to 0.0078 for FGSM, as a small magnitude is sufficient to cause a high ASR. For BIM, the per-step magnitude is 0.002 and the maximum magnitude is 0.004. For CW attacks, the attack confidence is set to 5 and the maximum number of optimization iterations is set to 1000. The adversarial example is fed into the target ML model every 100 iterations of optimization to check whether the attack has succeeded. We make three observations. (1) Attacks that have higher ASR, though they may take longer, do not directly correlate with the amount of perturbation distortion in distance and perception. (2) Given the same target model, for CW and JSMA attacks the least-likely (LL) target costs more time and larger distortions, but this is not true for other attacks, showing the divergent behavior of different attack methods [9, 10]. (3) All attacks also exhibit a certain divergence in terms of attack effect. Two examples of the same class under the same attack often result in two different destination classes (untargeted) or in one successful and one failed attack (targeted). For the same attack method, the divergence of attack effect varies notably for classifiers trained using different DNN models over the same training dataset.
II-B Existing Defenses and Limitations
Existing defenses are classified into 3 broad categories: adversarial training, gradient masking, and input transformation.
Adversarial training is a class of defense techniques that aim to improve the generalization of a trained model (the target classifier) against known attacks at prediction (test) time by retraining the target model using both the benign training set and adversarial examples generated with known attacks. The improved robustness is limited to the known adversarial attack algorithms whose adversarial examples were used in training the target classifier.
Gradient masking refers to the defense techniques that hide gradient information from an adversary, aiming to reduce the sensitivity of a trained model to small changes in the input data.
Input transformation refers to the defenses that reduce the sensitivity of the target model to small input changes by applying careful noise reduction to the input data before sending it to the target model for prediction, using popular image preprocessing techniques such as binary filters and median smoothing filters.
Limitations of Existing Defenses.
(1) The performance of existing defense methods is sensitive to the magic parameters inherent in their design, such as the percentage of adversarial examples in a batch in adversarial training, the temperature in Defensive Distillation, and the detection threshold trained on a benign dataset and adversarial inputs in both input transformation and denoising auto-encoder detector defenses. Such dataset-specific and/or attack-algorithm-specific control parameters make the defense methods non-adaptive. (2) The detection-only methods, though useful for flagging suspicious inputs with a high detection success rate, are considered passive defenses, since they cannot make the ML component survive, i.e., continue its routine function, under attack. Such defenses may not be suitable for applications that cannot tolerate real-time interruptions, such as self-driving cars and disease diagnosis.
II-C Solution Approach
We argue that a robust defense should be attack-independent, should generalize over attack algorithms, and should not depend on finding an attack-specific or dataset-specific control knob (threshold) to distinguish adversarial inputs from benign inputs. We design our strategic ensemble defense algorithms with three objectives. First, our defense algorithms should be attack-independent, capable of auto-repairing and auto-verifying the target model being attacked, and able to generalize over different attacks. Second, our defense algorithm should be transparent to the users of the target learning system, with no modification to the application interface (API) used for prediction (testing). Finally, the runtime defense execution at the prediction phase should be efficient enough to meet real-time requirements. The following metrics are used to measure and compare each defense method.
Prevention Success Rate (PSR): The percentage of the adversarial examples that are repaired and correctly classified by the target model under defense.
Detection Success Rate (TSR): The percentage of adversarial examples that could not be repaired but are correctly flagged as the attack example by the defense system.
Defense Success Rate (DSR): The percentage of adversarial examples that are either repaired or detected. DSR = PSR + TSR.
False Positive Rate (FP): The percentage of the adversarial examples that can be correctly classified (repaired) but are flagged as adversarial when all inputs are adversarial examples. For the benign test set, we use BFP to represent the percentage of the correctly classified benign examples being flagged as adversarial.
III Input Transformation Ensemble
III-A Exploiting Input Denoising Diversity
The main goal of developing input-transformation ensemble methods is to apply data-modality-specific input noise reduction techniques to clean the input to the target model, aiming to remove adversarial perturbations. We argue that the input noise reduction techniques should be chosen to preserve certain verifiable properties, such as the test accuracy of the target model on benign inputs, while being capable of removing the adverse effect of an adversarial input. Image smoothing and image augmentation are common techniques for image noise reduction. The former includes pixel quantization by color bit depth reduction, local spatial smoothing, and non-local spatial smoothing. The latter includes image rotation, image cropping and rescaling, image quilting, and compression.
Rotation: As a standard image geometric transformation technique provided in the SciPy library, rotation preserves the geometric distances within the image and does not change the neighborhood information for most of the pixels, except for the corner cases. In our prototype defense, the rotation degree is varied from -12 to 12 with an interval of 3 degrees.
Color-depth reduction: It reduces the color depth from 8 bits (256 values) to a smaller number of bits. With 1-bit quantization, the [0,255] space is replaced by a 1-bit encoding with 2 values: a pixel takes 0 when its value is smaller than or equal to 127 and takes 1 when its value is in the range [128, 255]. We use quan- followed by the target bit depth to denote the quantization of the input image from the original 8-bit encoded color depth to that bit depth.
Local spatial smoothing: It uses nearby pixels to smooth each pixel, with Gaussian, mean, or median smoothing [13, 14]. A median filter runs a sliding window over each pixel of the image, where the center pixel is replaced by the median value of the neighboring pixels within the window. The size of the window is a configurable parameter, ranging from 1 up to the image size. MedFilter followed by the kernel size denotes the median filter with that neighborhood kernel size. A square window is often used, with reflect padding at the image border.
Non-local spatial smoothing (NLM): It smooths over similar pixels by exploring a larger neighborhood (the search window) instead of just nearby pixels, and replaces the center patch with the (Gaussian) weighted average of the similar patches found in the search window [15, 16]. The NLM filter is denoted by three parameters: the search window size, the patch size, and the Gaussian distribution parameter (filter strength). For example, NLM 11-2-4 refers to the NLM filter with a search window of size 11, a patch size of 2, and a filter strength of 4.
Unlike an adversarial input, which injects a small amount of crafted noise into selected pixels of a benign image, an input transformation is applied to the entire image uniformly; it exploits the inconsistency of adversarial examples in the location and amount of their noise to make the perturbation less effective or no longer effective. As a prerequisite for transformation algorithm selection, all positive examples should remain positive under the different input transformation techniques. Also, each negative example tends to be negative in its own way, and each adversarial example is destructive in its own way. Hence, different input transformation techniques tend to have different noise reduction effects on adversarial inputs. A strategic ensemble of multiple input transformation techniques can provide a robust defense by exploiting this noise reduction diversity.
Assume that we have a pool of diverse candidate transformation techniques; by selecting a subset of them, we obtain one transformed version of each input example per selected technique. The strategic ensemble of input transformation techniques aims to find those that effectively complement one another on negative examples. A primary criterion for candidate selection is high test accuracy on the benign test set compared to the test accuracy on the original input examples. Time cost can be another criterion. For example, the rotation matrix is a simple and fast transformation: it takes only 0.19s to rotate a color image, compared to 6s for the median filter and 59s for the non-local filter on the same image. In contrast, generating an adversarial example with the CW attack family is orders of magnitude more expensive, with one CW variant taking 1323 seconds on average to generate an adversarial example and another taking 662795 seconds per input example on average.
To verify our analysis, we conduct experiments with the four types of input transformation methods on the benign validation set of ImageNet, as well as on the adversarial examples generated by all 10 attacks. The benign test accuracy is used as a reference to choose the input transformation methods that preserve competitive test accuracy on the noise-reduced version of the benign test set. Table 2 shows the results. We observe several interesting facts. First, employing an input transformation technique can improve the robustness of the target model under attack. However, no single method is effective across all 10 attacks. Second, the least-likely attacks are relatively easier to defend against than the most-likely attacks. One reason could be that the perturbation in the least-likely attacks is larger, so noise reduction works more effectively. Finally, a strategic ensemble of different input transformation techniques, especially those with competitive benign test accuracy, can provide good average robustness over the 10 attacks.
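As an added illustration (not the paper's code), the following Python implements two of the transformations above, color-depth reduction and median smoothing with reflect padding, on a constructed grayscale image that carries a sparse crafted perturbation, and uses the DistPerturb measure from Section II-A to show how much of the perturbation survives each transform and how far the transform moves the benign image itself. The image, the perturbation and the quan-3-bit / MedFilter-3 settings are assumptions of the example.

```python
"""Input-transformation pool (added example, not the paper's code).

Two of the denoising transforms from Section III-A, color-depth reduction
(quan-<bits>-bit) and median smoothing (MedFilter-k with reflect padding),
are implemented on a small grayscale image held as a list of rows of ints
in [0, 255]. DistPerturb from Section II-A, the root mean square deviation
between an image and its counterpart, measures how much of a sparse,
crafted perturbation survives each transform, and how far the transform
moves the benign image itself. Image and perturbation are constructed here.
"""
from statistics import median


def dist_perturb(a, b):
    """Root mean square deviation between two images of the same shape."""
    n = len(a) * len(a[0])
    sq = sum((x - y) ** 2 for ra, rb in zip(a, b) for x, y in zip(ra, rb))
    return (sq / n) ** 0.5


def quantize(img, bits):
    """quan-<bits>-bit: collapse 8-bit values into 2**bits levels.

    For bits=1 this is the rule in the text: values <= 127 become the low
    level and values in [128, 255] the high level. Levels are re-expanded
    to the [0, 255] scale so distances stay comparable with the original.
    """
    levels = 2 ** bits
    step = 256 // levels                 # width of one quantization bucket
    scale = 255 / (levels - 1)           # bucket index -> 8-bit value
    return [[round((p // step) * scale) for p in row] for row in img]


def reflect_index(i, n):
    """Map an out-of-range index into [0, n) by mirroring at the border
    (the edge pixel itself is not repeated, as in numpy.pad mode 'reflect')."""
    period = 2 * (n - 1)
    i = abs(i) % period
    return period - i if i >= n else i


def median_filter(img, k):
    """MedFilter-k: each pixel becomes the median of its k x k window."""
    h, w = len(img), len(img[0])
    lo, hi = -(k // 2), k - k // 2       # window offsets, exactly k wide
    out = []
    for y in range(h):
        row = []
        for x in range(w):
            window = [img[reflect_index(y + dy, h)][reflect_index(x + dx, w)]
                      for dy in range(lo, hi) for dx in range(lo, hi)]
            row.append(int(median(window)))
        out.append(row)
    return out


def make_images(size=8):
    """Constructed benign image (smooth gradient) and an adversarial-style
    copy with a +30 bump on four isolated pixels."""
    benign = [[16 * (x + y) for x in range(size)] for y in range(size)]
    adv = [row[:] for row in benign]
    for y, x in [(2, 2), (2, 5), (5, 2), (5, 5)]:
        adv[y][x] += 30
    return benign, adv


def evaluate_pool(benign, adv):
    """For each transform: residual perturbation after transforming both
    images, and the displacement the transform causes on the benign image."""
    pool = {
        "identity": lambda im: im,
        "quan-3-bit": lambda im: quantize(im, 3),
        "MedFilter-3": lambda im: median_filter(im, 3),
    }
    results = {}
    for name, f in pool.items():
        results[name] = {
            "residual": dist_perturb(f(benign), f(adv)),
            "benign_shift": dist_perturb(benign, f(benign)),
        }
    return results


if __name__ == "__main__":
    b, a = make_images()
    for name, r in evaluate_pool(b, a).items():
        print(f"{name:12s} residual={r['residual']:.2f} "
              f"benign_shift={r['benign_shift']:.2f}")
```

The median filter removes the isolated bumps entirely (residual 0) but also displaces the benign image at its borders, while 3-bit quantization absorbs only the bumps that stay within one bucket; this is the accuracy-preservation versus noise-removal trade-off the selection criterion above is about.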
| ensemble formation | team strategy | FGSM | BIM | CW | CW | CW | BFP | PSR | TSR | DSR |
Table 3 shows the input transformation ensemble results on the ImageNet dataset. The first row shows that our strategic teaming algorithm is attack-independent, with an average DSR of 83.5% over the 10 attacks for ImageNet. Next, we compare our results with our attack-independent version of a detection-only defense that uses a fixed upper bound or a fixed lower bound on the distance. Conceptually, either an upper-bound threshold that is above 1 or close to 2, or a lower-bound threshold that is below 1 or close to zero, can be used as the detection threshold. We compute the distance between the prediction vector of each denoised version of an input and the prediction vector of the original input. If the distance is above the detection threshold (either the upper or the lower fixed bound), we flag the input as adversarial. We also include the attack-dependent detection-only method, which uses adversarial examples to set the adversarial detection thresholds; we use the best combination identified in that work for this comparison. We make two observations from Table 3: (1) Threshold detection based on adversarial examples and the benign test set can provide a high DSR for the detection-only methods (DSR = TSR). The adversarial threshold of 1.693 achieves a high DSR of 80.6% for ImageNet. (2) Using an attack-independent fixed upper- or lower-bound threshold, adversarial examples can be flagged with a reasonable detection success rate (TSR), but at the cost of a higher BFP.
Figure 1 provides an example illustration of three diverse input transformation methods on an ImageNet test example of a hen under six scenarios: no attack (benign), two untargeted attacks, and three targeted attacks. It shows the effectiveness of the input transformation ensemble for this example input. However, for some ImageNet examples, these three input transformation techniques may not be as effective as in this case, which is one of the primary motivations for us to develop the output verification model ensemble as a joint force alongside the input transformation ensemble defense.
IV Output Verification Model Ensemble
The main objective of the output-layer verification model ensemble is to protect the target model (TM) by verifying and repairing the prediction outcome of the TM using multiple failure-independent model verifiers, and to use the ensemble-approved prediction as the final output of the TM. We exploit model disagreement diversity to form the output-layer strategic model ensembles. First, we select the baseline candidate models based on a number of criteria, such as high test accuracy, which should be comparable to that of the target model on the benign test set, and high model diversity on disagreement measures, such as the Kappa statistic for each pair of baseline models. The Kappa metric is defined (Equation 1) in terms of the cardinality of the prediction result set, the number of classes, and the number of instances in the dataset that are labeled as one class by one model and as another class by the other model.
In Equation 1, the first term denotes the agreement percentage, i.e., the percentage of queries on which the two classifiers agree under the same series of queries. The second term denotes the chance agreement, i.e., the probability that the two classifiers output the same label by chance, taken over every label in the output space. Kappa is a pairwise metric. The closer the metric is to 1, the more agreements are made by the two models. The closer the metric is to 0, the more diverse the two models are in terms of disagreement.
The baseline candidate verification models are selected first based on their test accuracy. For ImageNet, MobileNet is the target model, and we select four pre-trained DNN classifiers, VGG-16, VGG-19, ResNet-50, and Inception-V3, as the baseline candidate models for illustration in this paper. We compute the Kappa value for each pair of candidate models in the baseline model pool of five models: the target model (TM) and four defense models (DMs). Then we build the Kappa-ranked list of Kappa-diverse ensembles in increasing order of the average pairwise Kappa value of each team. For a pool of 5 models, the total number of ensembles of size 3 or higher is 60 (5·4·3). To avoid low-quality ensembles with low diversity, we select the top Kappa teams by removing those ensembles that have a high Kappa value. We obtain the top three most diverse ensemble teams as the diverse ensemble pool, i.e., the ensemble teams with the three lowest average pairwise Kappa values: (DM 1, 3); (DM 1, 3, 4); and (DM 1, 2, 3, 4).
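The Kappa ranking and team selection described above, followed by majority-vote verification of the target model's output, as an added worked example in Python (not the paper's code). It assumes the standard Cohen's Kappa definition for Equation 1, constructed toy predictions for TM and DM1..DM4 over ten attacked inputs, and a near-duplicate filter on the worst pairwise Kappa within a team as one reading of "removing those ensembles that have a high Kappa value".

```python
"""Output verification model ensemble (added example, not the paper's code).

Steps, following Section IV: (1) compute pairwise Kappa between every two
models in the baseline pool (target model TM plus defense models DM1..DM4),
(2) rank candidate teams of size >= 3 by increasing average pairwise Kappa
(low Kappa = high disagreement diversity) and drop teams containing a
near-duplicate pair, (3) let a team verify and repair TM's predictions and
score the result with PSR, TSR and DSR from Section II-C.
Kappa is the standard Cohen's Kappa; the paper's Equation 1 is assumed to
be this definition. All labels below are constructed toy data: 10 attacked
inputs with 5 classes, where TM is wrong on every input.
"""
from collections import Counter
from itertools import combinations
from statistics import mean

TRUTH = [0, 1, 2, 3, 4, 0, 1, 2, 3, 4]
MODELS = {
    "TM":  [1, 2, 3, 4, 0, 1, 2, 3, 4, 0],   # attacked: wrong everywhere
    "DM1": [0, 1, 2, 3, 4, 0, 1, 2, 3, 1],   # one error (input 9)
    "DM2": [0, 1, 2, 3, 4, 0, 1, 2, 0, 2],   # errors on inputs 8, 9
    "DM3": [0, 1, 2, 3, 4, 0, 3, 2, 0, 3],   # errors on inputs 6, 8, 9
    "DM4": [0, 1, 2, 3, 4, 0, 1, 2, 3, 1],   # identical to DM1: no diversity
}


def kappa(p, q):
    """Cohen's Kappa of two label sequences answered to the same queries.

    agree  = fraction of queries on which both models give the same label
    chance = probability both give the same label by chance, summed over
             every label in the output space
    """
    n = len(p)
    agree = sum(a == b for a, b in zip(p, q)) / n
    cp, cq = Counter(p), Counter(q)
    chance = sum(cp[k] * cq[k] for k in cp) / (n * n)
    return 1.0 if chance == 1.0 else (agree - chance) / (1.0 - chance)


def rank_teams(models, min_size=3):
    """All teams of size >= min_size, sorted by average pairwise Kappa.
    Each entry is (average Kappa, worst-pair Kappa, team)."""
    ranked = []
    for size in range(min_size, len(models) + 1):
        for team in combinations(sorted(models), size):
            pairs = [kappa(models[a], models[b]) for a, b in combinations(team, 2)]
            ranked.append((mean(pairs), max(pairs), team))
    ranked.sort()
    return ranked


def diverse_pool(ranked, max_pair_kappa=0.95, top=3):
    """Keep the `top` most diverse teams after dropping any team that contains
    a pair of near-identical models (pairwise Kappa above the cutoff). The
    cutoff and the worst-pair rule are this example's choices, not the paper's."""
    kept = [team for _, worst, team in ranked if worst <= max_pair_kappa]
    return kept[:top]


def verify(tm_label, verifier_labels):
    """Ensemble-approved output: a strict majority of verifiers replaces TM's
    label ("repair"); otherwise the input is flagged as adversarial ("flag")."""
    label, votes = Counter(verifier_labels).most_common(1)[0]
    if 2 * votes > len(verifier_labels):
        return "repair", label
    return "flag", tm_label


def defense_rates(truth, models, team):
    """PSR, TSR and DSR over attacked inputs (every input is adversarial)."""
    repaired = flagged = 0
    for i, y in enumerate(truth):
        action, label = verify(models["TM"][i], [models[m][i] for m in team])
        if action == "repair" and label == y:
            repaired += 1            # repaired and correctly classified
        elif action == "flag":
            flagged += 1             # not repaired, but detected
        # a wrong majority label is a defense failure: counted in neither
    psr, tsr = repaired / len(truth), flagged / len(truth)
    return {"PSR": psr, "TSR": tsr, "DSR": psr + tsr}


if __name__ == "__main__":
    ranked = rank_teams(MODELS)
    for avg, worst, team in ranked[:5]:
        print(f"{team}: avg kappa {avg:.3f}, worst pair {worst:.3f}")
    print("diverse pool:", diverse_pool(ranked))
    print("rates with DM1,DM2,DM3:",
          defense_rates(TRUTH, MODELS, ("DM1", "DM2", "DM3")))
```

In this toy pool the always-wrong TM has negative Kappa with every DM and therefore tops the diversity ranking, which is why the paper filters candidates by benign test accuracy before ranking them by Kappa; the DM1/DM4 pair shows the opposite failure, a duplicate that adds no failure independence.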
| rot_6 + Best | 0.89 | 0.89 | 0.96 | 1 | 1 | 1 | 1 | 0.93 | 0.96 | 0.99 | 0.97 |
To compare the robustness of different model teaming defense algorithms, we conduct a set of experiments using all 10 attacks on ImageNet. We include in our comparison the target model, the four individual DMs for ImageNet, and three output verification model ensemble teams: a random ensemble from the baseline model pool, a random ensemble from the pool of ranked teams, and the best ensemble. Table 4 reports the results. First, we observe that the target model has either zero or close to zero test accuracy. Second, each individual defense model (DM) has higher test accuracy under all 10 attacks. Third, the test accuracy of the DMs under targeted attacks is higher than under untargeted attacks. The reason that the four DM models provide better robustness over all 10 attacks compared to the TM is twofold: (1) The adversarial examples are generated through black-box access to the prediction API of the target model (TM). (2) The adverse effect of these adversarial examples on each of the four defense models (DMs) is due only to the transferability of adversarial examples. Finally, the best model ensemble is the most effective over all 10 attacks in terms of average DSR (test/prediction accuracy), and all three strategic output ensemble teams are more robust against adversarial examples, regardless of whether it is the random base ensemble, the random ensemble from the pool of ranked teams, or the Best ensemble. The last four defense ensembles are formed by our cross-layer strategic ensemble selection methods, which we discuss in the next section.
| Input Transformation Ensemble | 0.75 | 0.53 | 0.64 | 0.75 | 0.96 | 0.90 | 0.92 | 0.89 | 0.93 | 0.87 | 0.89 |
| Output Model Ensemble | 0.805 | 0.94 | 0.93 | 0.97 | 0.95 | 0.96 | 0.96 | 0.95 | 0.95 | 0.91 | 0.97 |
| Cross-layer Strategic Ensemble | 0.825 | 0.89 | 0.94 | 0.96 | 0.96 | 0.96 | 0.93 | 0.93 | 0.96 | 0.96 | 0.98 |
V Input-Output Cross-Layer Strategic Teaming
Our cross-layer strategic ensemble defense method is designed to combine the input-layer transformation ensemble with the output-layer model verification ensemble by maximizing the disagreement diversity (failure independence).
We distinguish two types of cross-layer strategic ensemble. The first performs input transformation followed by model ensemble verification, i.e., the transformed input is sent to the output-layer model ensemble. In the second type of cross-layer co-defense strategy, the transformed input is sent only to the TM while the original input is sent to the output-layer model ensemble verification team, which outputs the cross-layer defense-approved prediction result. For example, med 2*2 combined with the Rand team denotes that the input transformed by the med 2*2 filter is sent only to the TM and the original input is sent to the Rand verification team.
We compare four cross-layer strategic ensemble defense algorithms over all 10 attacks on ImageNet and report the results in the last four rows of Table 4. For ImageNet, most of the cross-layer ensemble defense teams perform well compared to the top-performing input-layer transformation ensembles and the top-performing output-layer model verification ensembles, though in some cases the output model ensemble alone can be more effective, such as RandBase: DM 1,2,3 and Best: DM 1,3,4 under the FGSM attack and the CW attack. This also indicates that the input transformation method rot_6 may not complement the output-layer model ensemble well. One of our ongoing research directions is to investigate good criteria for the most robust cross-layer ensemble formation.
VI Comparison with Existing Defense Approaches
We conduct experiments to compare our strategic ensemble approach with representative defense methods in three broad categories: Adversarial Training (AdvTrain), Defensive Distillation (DefDistill), and Input Transformation Ensemble (EnsTrans). We did not find pre-trained models on ImageNet with the adversarial training or defensive distillation defense, and the Intel 4 core i5-7200U CPU@2.50GHz server with the Nvidia GeForce 1090Ti GPU with 3000+ units was not able to complete adversarial training or defensive distillation training on ImageNet. Thus, we include CIFAR-10 in this set of comparison experiments. For ImageNet, we only compare the strategic teaming defense with the Input Transformation Ensemble. Table 5 shows the results. For adversarial training, we use adversarial examples generated by FGSM with random perturbation magnitudes for CIFAR-10. For defensive distillation, the temperature is set to 50 for CIFAR-10. The input transformation ensemble has two parameters for both datasets, the ensemble size and the crop size; it computes multiple randomly cropped-and-padded versions of the input image (as many as the ensemble size) using the given crop size. In our experiments, the ensemble size is set to 10 for both ImageNet and CIFAR-10, and the crop size is set to 28 for CIFAR-10 and 196 for ImageNet, following the recommended settings of the original work. This set of experiments shows that (1) our cross-layer strategic ensemble approach consistently outperforms the existing defense approaches over all 10 attacks on both datasets; and (2) for CIFAR-10, our strategic teaming achieves 96.5% average DSR compared to 73.3% average DSR for defensive distillation, the best among the three representative existing defense methods. For ImageNet, our output-layer strategic ensemble achieves 95.1% average DSR and our cross-layer strategic ensemble achieves 94.1%, both much better than the ensemble input transformation approach (72.8% average DSR). Even our input-transformation ensemble alone achieves 79.7% average DSR, compared to 72.8% average DSR for the ensemble input transformation. This further demonstrates the robustness of our diversity-enhanced strategic ensemble algorithms for defense against adversarial examples.
We have presented a cross-layer strategic ensemble defense approach that combines input transformation ensembles with output verification model ensembles by promoting and guaranteeing ensemble diversity. Our strategic ensemble approach is attack-independent, generalizes well over attack algorithms, and is capable of auto-repairing and auto-verifying the target model being attacked. Evaluated on ImageNet and CIFAR-10 over 10 representative attacks, we show that our cross-layer ensemble defense algorithms can achieve high defense success rates, i.e., high test accuracy in the presence of adversarial attacks, and are more robust than existing representative defense methods, with high attack prevention success rates (PSR) and low benign false negative rates (BFP). Our ongoing research continues along two dimensions: (1) developing a theoretical foundation for cross-layer strategic ensemble formulation algorithms with verifiable robustness; and (2) incorporating new generations of attack algorithms and new generations of defense methods into the empirical comparison framework.
This work is partially sponsored by NSF CISE SaTC grant 1564097 and an IBM faculty award.
-  I. J. Goodfellow, J. Shlens, and C. Szegedy, “Explaining and harnessing adversarial examples (2014),” in International Conference on Learning Representations, 2015.
-  I. Goodfellow, “Defense against the dark arts: An overview of adversarial example security research and future research directions,” CVPR 2018 workshop on challenges and opportunities for privacy and security., 2018.
-  N. Papernot, P. McDaniel, A. Sinha, and M. P. Wellman, “Sok: Security and privacy in machine learning,” in 2018 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE, 2018, pp. 399–414.
-  B. Biggio and F. Roli, “Wild patterns: Ten years after the rise of adversarial machine learning,” Pattern Recognition, vol. 84, pp. 317–331, 2018.
-  B. Luo, Y. Liu, L. Wei, and Q. Xu, “Towards imperceptible and robust adversarial example attacks against neural networks,” in Thirty-Second AAAI Conference on Artificial Intelligence, 2018.
-  W. Xu, D. Evans, and Y. Qi, “Feature Squeezing: Detecting Adversarial Examples in Deep Neural Networks,” in Proceedings of the 2018 Network and Distributed Systems Security Symposium (NDSS), 2018.
-  A. Kurakin, I. Goodfellow, and S. Bengio, “Adversarial examples in the physical world,” in International Conference on Learning Representations, 2017.
-  N. Carlini and D. Wagner, “Towards evaluating the robustness of neural networks,” in 2017 IEEE Symposium on Security and Privacy (SP). IEEE, 2017, pp. 39–57.
-  W. Wei, L. Liu, M. Loper, S. Truex, L. Yu, M. E. Gursoy, and Y. Wu, “Adversarial examples in deep learning: Characterization and divergence,” arXiv preprint arXiv:1807.00051, 2018.
-  L. Liu, W. Wei, K.-H. Chow, M. Loper, E. Gursoy, S. Truex, and Y. Wu, “Deep neural network ensembles against deception: Ensemble diversity, accuracy and robustness,” in the 16th IEEE International Conference on Mobile Ad-Hoc and Smart Systems, 2019.
-  N. Papernot, P. McDaniel, X. Wu, S. Jha, and A. Swami, “Distillation as a defense to adversarial perturbations against deep neural networks,” in 2016 IEEE Symposium on Security and Privacy (SP). IEEE, 2016, pp. 582–597.
-  R. Szeliski, Computer vision: algorithms and applications. Springer Science & Business Media, 2010.
-  A. Buades, B. Coll, and J.-M. Morel, “A non-local algorithm for image denoising,” in IEEE Computer Society Conference on Computer Vision and Pattern Recognition (CVPR’05), vol. 2. IEEE, 2005, pp. 60–65.
-  M. L. McHugh, “Interrater reliability: the kappa statistic,” Biochemia medica: Biochemia medica, vol. 22, no. 3, pp. 276–282, 2012.
-  N. Papernot, P. McDaniel, and I. Goodfellow, “Transferability in machine learning: from phenomena to black-box attacks using adversarial samples,” arXiv preprint arXiv:1605.07277, 2016.
-  C. Xie, J. Wang, Z. Zhang, Z. Ren, and A. Yuille, “Mitigating adversarial effects through randomization,” in International Conference on Learning Representations, 2018.