LISArD: Learning Image Similarity to Defend Against Gray-box Adversarial Attacks

--State-of-the-art defense mechanisms are typically evaluated in the context of white-box attacks, which is not realistic, as it assumes the attacker can access the gradients of the target network. T o protect against this scenario, Adversarial Training (A T) and Adversarial Distillation (AD) include adversarial examples during the training phase, and Adversarial Purification uses a generative model to reconstruct all the images given to the classifier . This paper considers an even more realistic evaluation scenario: gray-box attacks, which assume that the attacker knows the architecture and the dataset used to train the target network, but cannot access its gradients. We provide empirical evidence that models are vulnerable to gray-box attacks and propose LISArD, a defense mechanism that does not increase computational and temporal costs but provides robustness against gray-box and white-box attacks without including A T . Our method approximates a cross-correlation matrix, created with the embeddings of perturbed and clean images, to a diagonal matrix while simultaneously conducting classification learning. Our results show that LISArD can effectively protect against gray-box attacks, can be used in multiple architectures, and carries over its resilience to the white-box scenario. Also, state-of-the-art AD models underperform greatly when removing A T and/or moving to gray-box settings, highlighting the lack of robustness from existing approaches to perform in various conditions (aside from white-box settings). EEP Neural Networks (DNNs) have achieved remarkable performance in multiple areas, such as Medical Imaging [1], [2], Natural Language Processing [3], [4], and Active Speaker Detection [5]-[7]. This accomplishment led to the wide adoption of Artificial Intelligence in the daily lives of many people, either in work or leisure scenarios, increasing the attractiveness and susceptibility of DNNs to attackers. The study of DNN security is still in its early stages.