Ensemble Noise Simulation to Handle Uncertainty about Gradient-based Adversarial Attacks

Mahfuz, Rehana, Sahay, Rajeev, Gamal, Aly El

arXiv.org Machine Learning 

Adversarial attacks on neural networks pose a serious threat to safety-critical systems that rely on the high accuracies of these neural networks. The imperceptibility of additive evasion attacks makes it difficult to even detect their existence. Recent work has attempted to tackle this issue by designing defenses against such attacks, mostly focusing on a scenario in which the attacker is assumed to have significant knowledge of the victim classifier, and hence designs an attack that optimally destroys the accuracy of that particular classifier. However, there is no guarantee that the attacker will choose to do so. Furthermore, adversarial examples transfer across classifiers, and an adversary could take advantage of this property by crafting an attack based on a different classifier. The attacker would do this when having only partial knowledge of the victim classifier, or when deliberately attempting to confuse the defender. In another scenario, the attacker is limited in computational resources and may be trying to attack multiple classifiers at once; they would then tailor the attack to only one classifier and use it against all of them.

R. Mahfuz, R. Sahay, and A. El Gamal are with the Department of Electrical and Computer Engineering, Purdue University, West Lafayette, IN, USA.
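The transferability point above, as an added worked example (code written for this page, not taken from the paper or its authors): an attacker with no access to the victim trains a surrogate logistic-regression classifier on their own data, crafts a fast-gradient-sign perturbation from the surrogate's gradient, and applies it to a separately trained victim. The two-Gaussian dataset, the feature dimension, the perturbation budget `eps`, and the `run_experiment` helper and its parameters are constructions of this example, not quantities from the paper.

```python
import numpy as np

D = 20    # feature dimension (constructed toy setting, not from the paper)
MU = 0.4  # per-feature offset of the two class means at +MU and -MU

def make_data(n, rng):
    """Two Gaussian classes, labels y in {-1, +1}, unit noise (constructed data)."""
    y = rng.choice([-1.0, 1.0], size=n)
    x = rng.normal(size=(n, D)) + y[:, None] * MU
    return x, y

def train_logreg(x, y, l2=1e-3, lr=0.1, epochs=300):
    """Logistic regression, loss log(1 + exp(-y*(w.x + b))), full-batch gradient descent."""
    w = np.zeros(D)
    b = 0.0
    for _ in range(epochs):
        margin = y * (x @ w + b)
        # d loss / d margin = -sigmoid(-margin); chain rule gives the w and b gradients
        g = -y / (1.0 + np.exp(margin))
        w -= lr * (x.T @ g / len(y) + l2 * w)
        b -= lr * g.mean()
    return w, b

def accuracy(model, x, y):
    w, b = model
    return float(np.mean(np.sign(x @ w + b) == y))

def fgsm(model, x, y, eps):
    """Fast gradient sign method against a logistic-regression model.

    The input gradient of the logistic loss is -y * sigmoid(-margin) * w, so the
    perturbation is eps * sign(grad) = -eps * y * sign(w): each sample is pushed
    one L-infinity step in the direction that raises the loss on the model it was
    crafted against. The victim's gradient is never used for the transfer case.
    """
    w, b = model
    margin = y * (x @ w + b)
    grad = (-y / (1.0 + np.exp(margin)))[:, None] * w[None, :]
    return x + eps * np.sign(grad)

def run_experiment(eps=0.5, seed=0):
    """Train a surrogate and a victim on disjoint data; compare the victim's
    accuracy on clean inputs, on examples crafted from the surrogate (transfer),
    and on examples crafted from the victim itself (white-box)."""
    rng = np.random.default_rng(seed)
    x_sur, y_sur = make_data(400, rng)    # attacker's own data, trains the surrogate
    x_vic, y_vic = make_data(1000, rng)   # defender's data, trains the victim
    x_te, y_te = make_data(2000, rng)     # evaluation inputs the attacker perturbs
    surrogate = train_logreg(x_sur, y_sur, l2=1e-2)
    victim = train_logreg(x_vic, y_vic, l2=1e-3)
    x_transfer = fgsm(surrogate, x_te, y_te, eps)
    x_whitebox = fgsm(victim, x_te, y_te, eps)
    return {
        "clean": accuracy(victim, x_te, y_te),
        "transfer": accuracy(victim, x_transfer, y_te),
        "whitebox": accuracy(victim, x_whitebox, y_te),
    }

if __name__ == "__main__":
    for name, acc in run_experiment().items():
        print(f"victim accuracy ({name}): {acc:.3f}")
```

Because both models are linear and learn nearly the same decision direction, the transferred attack is almost as damaging as the white-box one here; against deep networks transfer is partial and depends on how similar the architectures and training data are. The practical point survives either way: the defender cannot assume the perturbation was optimized against their own gradients, which is the uncertainty the paper's title refers to.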
