ICLR 2024: PUBDEF - Defending Against Transfer Attacks from Public Models

Abstract:

• Adversarial attacks pose a significant threat in the industry.
• A new practical threat model focusing on transfer attacks through publicly available surrogate models is proposed.
• Evaluation of transfer attacks and defense method based on game-theoretic perspective.

Introduction:

• ML models are fragile and susceptible to adversarial examples.
• Two defense strategies: systems-level defenses and ML-level defenses.

Threat Model:

• Definition of the TAPM threat model for transfer attacks from public models.
• Notation and evaluation of transfer attacks under this model.

Game-Theoretic Perspective:

• Description of simple and complex games for defender strategies against transfer attacks.

Practical Defense:

• Proposal of PUBDEF method for defending against transfer attacks from public models.
• Training details, source model selection, loss function, and results analysis provided.

Experiments:

• Setup details including metrics, baseline defenses comparison, source models selection, attack algorithms evaluation, and training process explained.

Results:

• PUBDEF outperforms previous defenses against transfer attacks with minimal drop in clean accuracy.

Discussion:

• Limitations and benefits of PUBDEF discussed along with practical considerations for deployment.