TY - GEN
T1 - Defense Against Query-Based Black-Box Attack With Small Gaussian-Noise
AU - Zhu, Ziqi
AU - Zhu, Bin
AU - Zhang, Huan
AU - Geng, Yu
AU - Wang, Le
AU - Zhang, Denghui
AU - Gu, Zhaoquan
N1 - Publisher Copyright:
© 2022 IEEE.
PY - 2022
Y1 - 2022
N2 - Although deep neural networks (DNNs) show unprecedented performance in various tasks, their vulnerability to adversarial samples raises security concerns, such as causing accidents in autonomous driving or in industrial manufacturing. Due to the discrete nature of textual data and the limited real-world access to the model, more and more attacks focus on iterative query attacks under black-box scenarios. The core idea is to query the model frequently to obtain the mapping relations between different input samples and the outputs, which guide the attack's direction. Once we break down the input-output mapping relations, the attack's query and local search process is disrupted, which enables a defense against such attacks. With this motivation, we add tiny noise to the input samples to break the mapping relationship obtained by black-box attacks, and we name the defense method Gaussian Noise Perturbation Defence (GNPD). We analyze theoretically how the noise hinders the attack and demonstrate the effectiveness of the defense method on two datasets and three language models. The experimental results corroborate our analysis, and our method has little impact on the performance of the original model.
AB - Although deep neural networks (DNNs) show unprecedented performance in various tasks, their vulnerability to adversarial samples raises security concerns, such as causing accidents in autonomous driving or in industrial manufacturing. Due to the discrete nature of textual data and the limited real-world access to the model, more and more attacks focus on iterative query attacks under black-box scenarios. The core idea is to query the model frequently to obtain the mapping relations between different input samples and the outputs, which guide the attack's direction. Once we break down the input-output mapping relations, the attack's query and local search process is disrupted, which enables a defense against such attacks. With this motivation, we add tiny noise to the input samples to break the mapping relationship obtained by black-box attacks, and we name the defense method Gaussian Noise Perturbation Defence (GNPD). We analyze theoretically how the noise hinders the attack and demonstrate the effectiveness of the defense method on two datasets and three language models. The experimental results corroborate our analysis, and our method has little impact on the performance of the original model.
KW - adversarial defence
KW - deep learning
KW - query-based black-box attack
KW - text categorization
UR - https://www.scopus.com/pages/publications/85141369596
U2 - 10.1109/DSC55868.2022.00040
DO - 10.1109/DSC55868.2022.00040
M3 - Conference contribution
AN - SCOPUS:85141369596
T3 - Proceedings - 2022 7th IEEE International Conference on Data Science in Cyberspace, DSC 2022
SP - 249
EP - 256
BT - Proceedings - 2022 7th IEEE International Conference on Data Science in Cyberspace, DSC 2022
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 7th IEEE International Conference on Data Science in Cyberspace, DSC 2022
Y2 - 11 July 2022 through 13 July 2022
ER -