π€ AI Summary
Deep neural networks are vulnerable to score-based adversarial attacks in black-box settings, and existing defenses are often either computationally expensive or offer limited efficacy. This work proposes Random Logit Scaling (RLS), a plug-and-play post-processing defense mechanism that randomly scales the modelβs logits at the output layer to mislead attackers, without requiring any architectural modifications. RLS is the first method to leverage randomized logit scaling specifically to counter black-box score-based attacks, substantially reducing the success rates of state-of-the-art attacks while preserving model accuracy and minimizing confidence distortion. Furthermore, the study exposes the vulnerability of the existing non-random defense AAA under adaptive attacks, thereby highlighting the superior robustness of RLS.
π Abstract
Machine learning models are increasingly adapted in various domains. However, adversarial examples pose a significant threat to the reliable deployment of these models. In recent years, some powerful adversarial example attacks have been proposed for the fast and query-efficient generation of adversarial examples, even in black-box scenarios, highlighting the need for scalable, low-cost, and powerful defenses. In this work, we present two contributions to the domain of black-box adversarial example attacks and defenses. First, we propose Random Logit Scaling (RLS), a randomization-based defense against black-box score-based adversarial example attacks. RLS is a plug-and-play, post-processing defense that can be implemented on top of any existing ML model with minimal effort. The idea behind RLS is to confuse an attacker by outputting falsified scores resulting from randomly scaled logits while maintaining the model accuracy. We show that RLS significantly reduces the success rate of state-of-the-art black-box score-based attacks while preserving the accuracy and minimizing confidence score distortion compared to state-of-the-art randomization-based defenses. Second, we introduce a novel adaptive attack against AAA, a SOTA non-randomized black-box defense against black-box score-based attacks that also modifies output logits to confuse attackers, demonstrating its vulnerability against adaptive attacks.