
Towards Model Resistant to Transferable Adversarial Examples via Trigger Activation

Yi Yu, Song Xia, Xun Lin, Chenqi Kong, Wenhan Yang, Shijian Lu, Yap-Peng Tan, Alex C. Kot

TL;DR

The paper tackles the threat of transferable adversarial examples by introducing models with trigger activation, where a fixed trigger $\tau$ makes the model behave like a random predictor on clean inputs $x$ but yields accurate predictions on $x+\tau$. A first-order gradient analysis explains observed robustness, and the robustness is further enhanced by jointly learning the trigger with the model. The fixed-trigger variant provides a baseline robustness that improves with larger $\epsilon_t$, while the learnable-trigger variant achieves a better trade-off between robustness and clean accuracy by adaptively shaping $\tau$. Extensive experiments on CIFAR-10/100 and an ImageNet subset show competitive robustness against diverse TAEs with favorable training efficiency and negligible test-time overhead, outperforming several state-of-the-art defenses in several settings.

Abstract

Adversarial examples, characterized by imperceptible perturbations, pose significant threats to deep neural networks by misleading their predictions. A critical aspect of these examples is their transferability, allowing them to deceive unseen models in black-box scenarios. Despite the widespread exploration of defense methods, including those on transferability, they show limitations: inefficient deployment, ineffective defense, and degraded performance on clean images. In this work, we introduce a novel training paradigm aimed at enhancing robustness against transferable adversarial examples (TAEs) in a more efficient and effective way. We propose a model that exhibits random guessing behavior when presented with clean data $\boldsymbol{x}$ as input, and generates accurate predictions when presented with triggered data $\boldsymbol{x}+\boldsymbol{\tau}$. Importantly, the trigger $\boldsymbol{\tau}$ remains constant for all data instances. We refer to these models as \textbf{models with trigger activation}. We are surprised to find that these models exhibit certain robustness against TAEs. Through the consideration of first-order gradients, we provide a theoretical analysis of this robustness. Moreover, through the joint optimization of the learnable trigger and the model, we achieve improved robustness to transferable attacks. Extensive experiments conducted across diverse datasets, evaluating a variety of attacking methods, underscore the effectiveness and superiority of our approach.

Paper Structure

This paper contains 16 sections, 14 equations, 3 figures, 11 tables, 2 algorithms.

Figures (3)

  • Figure 1: (a) Illustration of model with trigger activation: a model $f$ that exhibits random guessing behavior with clean data $\boldsymbol{x}$, akin to models with randomly initialized parameters, but generates accurate predictions with triggered data $\boldsymbol{x}+\boldsymbol{\tau}$, akin to well-trained models. (b) The attacker adopts $f_s$ to generate the TAEs to attack the victim model. (c) During deployment, we treat the model with trigger activation as a unified entity, represented by $f_t(\boldsymbol{x}) = f(\boldsymbol{x} + \boldsymbol{\tau})$. This unified model, denoted as $f_t$, has been demonstrated to exhibit robustness against TAEs. Furthermore, if the adversarial examples $\boldsymbol{x}_{adv}$ are directly input into $f_t$ without the trigger, the model continues to produce random guesses. Note that $\boldsymbol{\tau}$ and $\boldsymbol{\delta_s}$ are amplified by 10 times for a better view.
  • Figure 2: Loss and Accuracy (Acc.) when using $-\boldsymbol{\tau}$ with randomly flipped proportions as adversarial perturbations to attack the model with trigger activation.
  • Figure 3: Visualization of the trigger for models with trigger activation on the CIFAR-10 dataset.