ICLR 2024: PUBDEF - Defending Against Transfer Attacks from Public Models

Core Concepts
Adversarial attacks are a significant threat, but defending against transfer attacks from public models is crucial for security-sensitive applications.
Abstract: Adversarial attacks pose a significant threat in industry. A new, practical threat model is proposed that focuses on transfer attacks mounted through publicly available surrogate models. Transfer attacks and a defense method are evaluated from a game-theoretic perspective.
Introduction: ML models are fragile and susceptible to adversarial examples. Two defense strategies are distinguished: systems-level defenses and ML-level defenses.
Threat Model: Definition of the TAPM threat model for transfer attacks from public models, with notation and an evaluation of transfer attacks under this model.
Game-Theoretic Perspective: Description of simple and complex games that model the defender's choice of strategy against transfer attacks.
Practical Defense: Proposal of the PUBDEF method for defending against transfer attacks from public models, covering training details, source-model selection, the loss function, and an analysis of results.
Experiments: Setup details, including metrics, comparison with baseline defenses, selection of source models, the attack algorithms evaluated, and the training process.
Results: PUBDEF outperforms previous defenses against transfer attacks with a minimal drop in clean accuracy.
Discussion: Limitations and benefits of PUBDEF, along with practical considerations for deployment.
PUBDEF achieves 62% accuracy against the strongest transfer attack. On ImageNet, PUBDEF reaches 62% accuracy, compared with 36% for the best adversarially trained model.
"Secure ML = Realistic threat model + Systems-level defenses + ML-level defenses against those threats"
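To make the game-theoretic framing concrete, the following added example (not the paper's code) evaluates a defender under the TAPM threat model as a zero-sum game: the attacker picks a public source model to transfer from, the defender picks a defended model, and the payoff is the defended model's accuracy on the transferred adversarial examples. It computes the pure commit-first outcomes and approximates the mixed-strategy value by fictitious play; all accuracy numbers are constructed for illustration.

```python
"""Worst-case evaluation of a defender under the transfer-attack threat model (TAPM).
Added illustration, not the paper's code; every accuracy value below is constructed."""
from typing import List, Sequence, Tuple

# rows = defender's candidate models, columns = attacker's public source models,
# entries = accuracy of that defended model on examples transferred from that source
Matrix = Sequence[Sequence[float]]

def pure_maxmin(acc: Matrix) -> Tuple[int, float]:
    """Defender commits to one model; attacker then uses the source that hurts it most."""
    worst = [min(row) for row in acc]
    best = max(range(len(acc)), key=lambda i: worst[i])
    return best, worst[best]

def pure_minmax(acc: Matrix) -> Tuple[int, float]:
    """Attacker commits to one source; defender then picks the model that resists it best."""
    n_src = len(acc[0])
    col_best = [max(row[j] for row in acc) for j in range(n_src)]
    worst_src = min(range(n_src), key=lambda j: col_best[j])
    return worst_src, col_best[worst_src]

def mixed_equilibrium(acc: Matrix, rounds: int = 20000) -> Tuple[List[float], List[float], float]:
    """Approximate the mixed-strategy game value by fictitious play: each side best-responds
    to the other's empirical play so far. Returns (defender mixture, attacker mixture,
    accuracy the defender mixture guarantees against any pure source choice)."""
    n_def, n_src = len(acc), len(acc[0])
    def_counts, src_counts = [0] * n_def, [0] * n_src
    def_counts[0] = src_counts[0] = 1  # arbitrary opening moves
    for _ in range(rounds):
        # defender maximises expected accuracy against the attacker's empirical mixture
        i = max(range(n_def), key=lambda r: sum(acc[r][j] * src_counts[j] for j in range(n_src)))
        # attacker minimises expected accuracy against the defender's empirical mixture
        j = min(range(n_src), key=lambda c: sum(acc[r][c] * def_counts[r] for r in range(n_def)))
        def_counts[i] += 1
        src_counts[j] += 1
    p = [c / sum(def_counts) for c in def_counts]
    q = [c / sum(src_counts) for c in src_counts]
    value = min(sum(p[r] * acc[r][c] for r in range(n_def)) for c in range(n_src))
    return p, q, value

if __name__ == "__main__":
    # Constructed accuracies (%): two models hardened against a single source each,
    # one trained against several sources at once.
    acc = [[80.0, 35.0, 50.0],
           [40.0, 78.0, 52.0],
           [60.0, 58.0, 62.0]]
    print("defender commits first:", pure_maxmin(acc))
    print("attacker commits first:", pure_minmax(acc))
    p, q, v = mixed_equilibrium(acc)
    print(f"defender mixture {p}, attacker mixture {q}, guaranteed accuracy {v:.1f}")
```

The gap between the two pure outcomes is the price of letting the attacker observe the deployed model; the mixed value sits between them and is what a randomized or multi-source defender can secure.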

Key Insights Distilled From

by Chawin Sitaw... at 03-19-2024

Deeper Inquiries

Defenses against white-box and query-based attacks are also considered. Specifically, the weakness against white-box attacks is acknowledged, and the "Secure ML" approach also places weight on a realistic threat model and on systems-level defenses. However, PUBDEF is designed primarily as a defense against transfer attacks from public source models and does not provide complete protection against other kinds of attack (for example, query-based attacks) or against a broader range of adversarial tactics.

These findings are useful in real security applications. For example, applied within the "Secure ML" framework, they enable realistic and effective security hardening. The idea that "Real attackers don't compute gradients" is also useful to practitioners and industry. Furthermore, the "Secure ML" framework itself may serve as a reference when companies and organizations develop their security-assurance strategies.