From Attack to Defense: Insights into Deep Learning Security Measures in Black-Box Settings

Firuz Juraev, Mohammed Abuhamad, Eric Chan-Tin, George K. Thiruvathukal, Tamer Abuhmed

TL;DR

This paper addresses robustness of deep learning models under black-box adversarial attacks across multiple architectures and datasets. It adopts a large-scale experimental framework evaluating four black-box attacks (SimBA, HopSkipJump, MGAAttack, Boundary) and defense strategies (bits squeezing, median smoothing, JPEG filtering, adversarial training). The findings show that model complexity alone does not guarantee robustness, with depth and architectural design influencing attack difficulty and with middle-weight designs often outperforming both heavy- and light-weight models. The work provides actionable insights for deploying robust models in black-box settings and identifies open challenges, including extending to white-box/gray-box attacks and Vision Transformer architectures.

Abstract

Deep Learning (DL) is rapidly maturing to the point that it can be used in safety- and security-crucial applications. However, adversarial samples, which are undetectable to the human eye, pose a serious threat that can cause the model to misbehave and compromise the performance of such applications. Addressing the robustness of DL models has become crucial to understanding and defending against adversarial attacks. In this study, we perform comprehensive experiments to examine the effect of adversarial attacks and defenses on various model architectures across well-known datasets. Our research focuses on black-box attacks such as SimBA, HopSkipJump, MGAAttack, and boundary attacks, as well as preprocessor-based defensive mechanisms, including bits squeezing, median smoothing, and JPEG filtering. Experimenting with various models, our results demonstrate that the level of noise needed for the attack increases as the number of layers increases. Moreover, the attack success rate decreases as the number of layers increases. This indicates that model complexity and robustness have a significant relationship. Investigating the diversity and robustness relationship, our experiments with diverse models show that having a large number of parameters does not imply higher robustness. Our experiments extend to show the effects of the training dataset on model robustness. Various datasets, such as ImageNet-1000, CIFAR-100, and CIFAR-10, are used to evaluate the black-box attacks. Considering the multiple dimensions of our analysis, e.g., model complexity and training dataset, we examined the behavior of black-box attacks when models apply defenses. Our results show that applying defense strategies can significantly reduce attack effectiveness. This research provides in-depth analysis and insight into the robustness of DL models against various attacks and defenses.
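Two of the preprocessor-based defenses the abstract names, bits squeezing and median smoothing, as an added illustration that is not code from the paper: both run on small constructed grayscale images (pixels as floats in [0, 1]), and a helper measures how much of a perturbation survives each preprocessor. The 5x5 images, the 2-bit depth, the 3x3 window and the perturbation amplitudes are assumptions chosen for the demo, not settings from the paper.

```python
# Added example (not from the paper): bit-depth squeezing and median smoothing
# as input preprocessors, in pure Python, with a check of how much perturbation
# survives each one. Image sizes and parameters below are constructed for the demo.
from statistics import median

def bit_squeeze(img, bits):
    """Clip each pixel (float in [0, 1]) and round it to `bits` of depth."""
    levels = 2 ** bits - 1
    return [[round(min(max(p, 0.0), 1.0) * levels) / levels for p in row] for row in img]

def median_smooth(img, k=3):
    """Replace each pixel by the median of its k x k neighbourhood (edges replicated)."""
    h, w, r = len(img), len(img[0]), k // 2
    out = []
    for y in range(h):
        row = []
        for x in range(w):
            window = [img[min(max(y + dy, 0), h - 1)][min(max(x + dx, 0), w - 1)]
                      for dy in range(-r, r + 1) for dx in range(-r, r + 1)]
            row.append(median(window))
        out.append(row)
    return out

def linf(a, b):
    """L-infinity distance between two images of equal shape."""
    return max(abs(p - q) for ra, rb in zip(a, b) for p, q in zip(ra, rb))

def residual_after(defense, clean, perturbed):
    """Perturbation surviving the preprocessor: L-inf distance between the
    defended clean input and the defended perturbed input."""
    return linf(defense(clean), defense(perturbed))

def squeeze_demo(eps):
    """Constructed 5x5 image on the 2-bit levels {0, 1/3, 2/3, 1}, perturbed by an
    alternating +/-eps pattern; returns (raw L-inf, L-inf after 2-bit squeezing)."""
    clean = [[((x + y) % 4) / 3 for x in range(5)] for y in range(5)]
    perturbed = [[p + (eps if (x + y) % 2 == 0 else -eps) for x, p in enumerate(row)]
                 for y, row in enumerate(clean)]
    return linf(clean, perturbed), residual_after(lambda im: bit_squeeze(im, 2), clean, perturbed)

def median_demo():
    """Constructed flat 5x5 image with a single-pixel spike at the centre;
    returns (raw L-inf, L-inf after 3x3 median smoothing)."""
    clean = [[0.4] * 5 for _ in range(5)]
    perturbed = [row[:] for row in clean]
    perturbed[2][2] = 0.9
    return linf(clean, perturbed), residual_after(median_smooth, clean, perturbed)

if __name__ == "__main__":
    print("eps=0.05 squeeze:", squeeze_demo(0.05))  # noise below half a level is removed
    print("eps=0.20 squeeze:", squeeze_demo(0.20))  # noise above half a level survives
    print("median:", median_demo())                 # isolated spike is removed
```

The eps=0.20 case is the caveat: a perturbation larger than half the quantization step is rounded to a neighbouring level rather than removed, so the preprocessor only helps against low-amplitude noise.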

Paper Structure

This paper contains 11 sections, 6 equations, 9 figures, and 4 tables.

Figures (9)

  • Figure 1: Relation between the number of layers and the amount of noise and time needed (green line) for an attack to succeed. Noise rate and time increase as the number of layers increases in models of different families in three black-box attacks.
  • Figure 2: Noise, Misclassification confidence (MC), and time needed by the HopSkipJump attack for ResNet-18, ResNet-50, and ResNet-152 models.
  • Figure 3: The amount of noise and time needed (green line) for MGAAttack to succeed against various models. As the number of layers increases, the attack success rate decreases (above), and the number of queries increases (below).
  • Figure 4: Attack needed noise across light-weight, middle-weight, and heavy-weight models when using SimBA, HopSkipJump, and Boundary attacks.
  • Figure 5: The impact of datasets on needed noise for SimBA, HopSkipJump, and Boundary attacks to succeed against 12 models from the VGG, ResNet, and DenseNet families. HopSkipJump and Boundary Attack seem to be more successful when the number of classes and input size are smaller. SimBA requires more noise against models trained on CIFAR-10 and CIFAR-100.