Random Logit Scaling: Defending Deep Neural Networks Against Black-Box Score-Based Adversarial Example Attacks

πŸ“… 2026-07-16
πŸ“ˆ Citations: 0
✨ Influential: 0
πŸ“„ PDF
πŸ€– AI Summary
Deep neural networks are vulnerable to score-based adversarial attacks in black-box settings, and existing defenses are often either computationally expensive or offer limited efficacy. This work proposes Random Logit Scaling (RLS), a plug-and-play post-processing defense mechanism that randomly scales the model’s logits at the output layer to mislead attackers, without requiring any architectural modifications. RLS is the first method to leverage randomized logit scaling specifically to counter black-box score-based attacks, substantially reducing the success rates of state-of-the-art attacks while preserving model accuracy and minimizing confidence distortion. Furthermore, the study exposes the vulnerability of the existing non-random defense AAA under adaptive attacks, thereby highlighting the superior robustness of RLS.
πŸ“ Abstract
Machine learning models are increasingly adapted in various domains. However, adversarial examples pose a significant threat to the reliable deployment of these models. In recent years, some powerful adversarial example attacks have been proposed for the fast and query-efficient generation of adversarial examples, even in black-box scenarios, highlighting the need for scalable, low-cost, and powerful defenses. In this work, we present two contributions to the domain of black-box adversarial example attacks and defenses. First, we propose Random Logit Scaling (RLS), a randomization-based defense against black-box score-based adversarial example attacks. RLS is a plug-and-play, post-processing defense that can be implemented on top of any existing ML model with minimal effort. The idea behind RLS is to confuse an attacker by outputting falsified scores resulting from randomly scaled logits while maintaining the model accuracy. We show that RLS significantly reduces the success rate of state-of-the-art black-box score-based attacks while preserving the accuracy and minimizing confidence score distortion compared to state-of-the-art randomization-based defenses. Second, we introduce a novel adaptive attack against AAA, a SOTA non-randomized black-box defense against black-box score-based attacks that also modifies output logits to confuse attackers, demonstrating its vulnerability against adaptive attacks.
Problem

Research questions and friction points this paper is trying to address.

adversarial examples
black-box attacks
score-based attacks
deep neural networks
model defense
Innovation

Methods, ideas, or system contributions that make the work stand out.

Random Logit Scaling
black-box defense
score-based adversarial attacks
adaptive attack
logit randomization
πŸ”Ž Similar Papers
No similar papers found.