Universal Certified Defense for Black-Box Models Based on Random Smoothing
In recent years,the widespread application of image classification models based on deep neural networks(DNNs)has significantly impacted critical fields,including facial recognition and autonomous driving.These models have showcased remarkable performance,revolutionizing the way we interact with technology.However,despite their success,deep neural networks are not without vulnerabilities,particularly in the face of adversarial attacks,which can lead to misclassi-fication and compromise the integrity of these models.Addressing this challenge has become a pivotal research direction,as ensuring the robustness of these models is essential for their real-world deployment.Currently,many defense methods,especially empirical ones,operate under the white-box assumption.This assumption relies on defenders having access to detailed information about the model,including its architecture and parameters.Unfortunately,model owners often hesitate to share such sensitive information due to privacy concerns.Even existing black-box defense methods struggle to provide comprehensive protection against attacks involving all norms,lacking the necessary universality.This inherent limitation has spurred the need for innovative solutions.In response to this challenge,this paper proposes a groundbreaking universal black-box certified defense method applicable to a broad spectrum of black-box models.The key innovation lies in the design of a query-based data-free substitute model generation scheme.Unlike traditional methods,this scheme eliminates the need for training data and prior knowledge of the model structure.Leveraging queries and zero-order optimization,it generates high-quality substitute models,effectively transforming the certified defense scenario into a white-box setting without compromising model privacy.Furthermore,this paper introduces additional layers of security through the incorporation of random smoothing and noise selection methods based on the white-box substitute model.These enhancements contribute to the construction of a universal certified defense solution capable of resisting adversarial attacks involving any norm.To validate the effectiveness of the substitute model,performance comparisons are made with the original model under white-box certified defense conditions.The experimental results,particularly on the CIFAR10 dataset,showcase the superiority of the proposed universal black-box certified defense solution over existing methods.The solution not only achieves significant improvements in certi-fication accuracy but also maintains similar performance to white-box certified defense methods.Notably,compared to previous black-box certified defense methods,the proposed solution demonstrates over a 20%improvement in certification accuracy while effectively safeguarding the privacy of the original model.Specifically,the proposed solution successfully reduces the success rate of membership inference attacks by 5.48%,further highlighting its robustness and practical applicability in real-world scenarios.
deep neural networkscertified defenserandom smoothingblack-box modelssub-stitute models
万方数据
维普
