Defending Neural Networks Against Adversarial Examples

Abstract

Deep learning is becoming a technology central to the safety of cars, the security of networks, and the correct functioning of many other types of systems. Unfortunately, attackers can create adversarial examples, small perturbations to inputs that trick deep neural networks into making a misclassification. Researchers have explored various defenses against this attack, but many of them have been broken. The most robust approaches are Adversarial Training and its extension, Adversarial Logit Pairing, but Adversarial Training requires generating and training on adversarial examples from any possible attack. This is not only expensive, but it is inherently vulnerable to novel attack strategies. We propose PadNet, a stacked defense against adversarial examples that does not require knowledge of the attack techniques used by the attacker. PadNet combines two novel techniques: Defensive Padding and Targeted Gradient Minimizing (TGM). Prior research suggests that adversarial examples exist near the decision boundary of the classifier. Defensive Padding is designed to reinforce the decision boundary of the model by introducing a new class of augmented data within the training set that exists near the decision boundary, called the padding class. Targeted Gradient Minimizing is designed to produce low gradients from the input data point toward the decision boundary, thus making adversarial examples more difficult to find. In this study, we show that: 1) PadNet significantly increases robustness against adversarial examples compared to adversarial logit pairing, and 2) PadNet is adaptable to various attacks without knowing the attacker's techniques, and therefore allows the training cost to be fixed unlike adversarial logit pairing.