Barrage of Random Transforms for Adversarially Robust Defense

Abstract

Defenses against adversarial examples, when using the ImageNet dataset, are historically easy to defeat. The common understanding is that a combination of simple image transformations and other various defenses is insufficient to provide the necessary protection when the obfuscated gradient is taken into account. In this paper, we explore the idea of stochastically combining a large number of individually weak defenses into a single barrage of randomized transformations to build a strong defense against adversarial attacks. We show that, even after accounting for obfuscated gradients, the Barrage of Random Transforms (BaRT) is a resilient defense against even the most difficult attacks, such as PGD. BaRT achieves up to a 24x improvement in accuracy compared to previous work, and has even extended effectiveness out to a previously untested maximum adversarial perturbation of ε=32.

Cite

Text

Raff et al. "Barrage of Random Transforms for Adversarially Robust Defense." Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2019. doi:10.1109/CVPR.2019.00669

Markdown

[Raff et al. "Barrage of Random Transforms for Adversarially Robust Defense." Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2019.](https://mlanthology.org/cvpr/2019/raff2019cvpr-barrage/) doi:10.1109/CVPR.2019.00669

BibTeX

@inproceedings{raff2019cvpr-barrage,
  title     = {{Barrage of Random Transforms for Adversarially Robust Defense}},
  author    = {Raff, Edward and Sylvester, Jared and Forsyth, Steven and McLean, Mark},
  booktitle = {Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition},
  year      = {2019},
  doi       = {10.1109/CVPR.2019.00669},
  url       = {https://mlanthology.org/cvpr/2019/raff2019cvpr-barrage/}
}