Closing the Gap: Achieving Better Accuracy-Robustness Tradeoffs against Query-Based Attacks

Authors

  • Pascal Zimmer, Ruhr-Universität Bochum, Germany
  • Sébastien Andreina, NEC Labs Europe, Germany
  • Giorgia Azzurra Marson, NEC Labs Europe, Germany
  • Ghassan Karame, Ruhr-Universität Bochum, Germany

DOI:

https://doi.org/10.1609/aaai.v38i19.30187

Keywords:

General

Abstract

Although promising, existing defenses against query-based attacks share a common limitation: they offer increased robustness against attacks at the price of a considerable accuracy drop on clean samples. In this work, we show how to efficiently establish, at test-time, a solid tradeoff between robustness and accuracy when mitigating query-based attacks. Given that these attacks necessarily explore low-confidence regions, our insight is that activating dedicated defenses, such as random noise defense and random image transformations, only for low-confidence inputs is sufficient to prevent them. Our approach is independent of training and supported by theory. We verify the effectiveness of our approach for various existing defenses by conducting extensive experiments on CIFAR-10, CIFAR-100, and ImageNet. Our results confirm that our proposal can indeed enhance these defenses by providing better tradeoffs between robustness and accuracy when compared to state-of-the-art approaches while being completely training-free.
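The abstract's core idea, applying a randomized defense only when the model's confidence on an input is low, is small enough to sketch in code. The following is an added illustration written for this page, not the authors' implementation: a fixed toy linear classifier stands in for the DNN, the confidence threshold (0.9), the noise scale (0.5) and the function names are assumptions, and the only defense shown is additive Gaussian noise on the input (the paper also mentions random image transformations). High-confidence inputs take the unmodified clean path, so clean accuracy on them is untouched; low-confidence inputs, the region query-based attacks must explore, get the noisy response.

```python
"""Confidence-gated test-time defense (illustrative example, not the paper's code)."""
import math
import random
from typing import List, Sequence, Tuple

# Assumed settings; the paper does not prescribe these particular values.
CONFIDENCE_THRESHOLD = 0.9   # below this top-class probability the defense is activated
NOISE_SIGMA = 0.5            # standard deviation of the random noise defense


def softmax(logits: Sequence[float]) -> List[float]:
    """Numerically stable softmax over a list of logits."""
    m = max(logits)
    exps = [math.exp(z - m) for z in logits]
    total = sum(exps)
    return [e / total for e in exps]


class ToyClassifier:
    """A fixed linear 3-class model over 2 features, standing in for a real DNN.

    Constructed for this example only; the weights are arbitrary.
    """
    WEIGHTS = [[1.0, 0.0], [0.0, 1.0], [-1.0, -1.0]]

    def predict_proba(self, x: Sequence[float]) -> List[float]:
        logits = [sum(w * xi for w, xi in zip(row, x)) for row in self.WEIGHTS]
        return softmax(logits)


def random_noise_defense(x: Sequence[float], sigma: float, rng: random.Random) -> List[float]:
    """Random noise defense: perturb the input before it reaches the model."""
    return [xi + rng.gauss(0.0, sigma) for xi in x]


def confidence_gated_predict(
    model: ToyClassifier,
    x: Sequence[float],
    rng: random.Random,
    threshold: float = CONFIDENCE_THRESHOLD,
    sigma: float = NOISE_SIGMA,
) -> Tuple[List[float], bool]:
    """Return (probabilities, defense_activated).

    The model is queried once on the clean input. If its top-class confidence
    is at or above the threshold, that clean answer is returned unchanged. Only
    low-confidence inputs are re-evaluated through the randomized defense.
    """
    if not 0.0 < threshold <= 1.0:
        raise ValueError("threshold must be in (0, 1]")
    probs = model.predict_proba(x)
    if max(probs) >= threshold:
        return probs, False                      # confident: clean path, no accuracy cost
    noisy = random_noise_defense(x, sigma, rng)  # low confidence: defended path
    return model.predict_proba(noisy), True


def defended_fraction(
    model: ToyClassifier,
    inputs: Sequence[Sequence[float]],
    rng: random.Random,
    threshold: float = CONFIDENCE_THRESHOLD,
) -> float:
    """Share of inputs that triggered the defense; a cheap way to see how much of
    a workload pays the robustness cost at a given threshold."""
    if not inputs:
        return 0.0
    hits = sum(confidence_gated_predict(model, x, rng, threshold)[1] for x in inputs)
    return hits / len(inputs)


if __name__ == "__main__":
    model = ToyClassifier()
    rng = random.Random(0)
    # Constructed inputs: one far from the decision boundary, one near it.
    for sample in ([5.0, 0.0], [0.2, 0.1]):
        probs, defended = confidence_gated_predict(model, sample, rng)
        print(sample, [round(p, 3) for p in probs], "defended" if defended else "clean path")
```

A real deployment would apply the same gate in front of the model's serving endpoint; the threshold trades clean accuracy (how many benign inputs fall below it) against how early an attacker's probing in the low-confidence region meets randomized responses.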

Published

2024-03-24

How to Cite

Zimmer, P., Andreina, S., Marson, G. A., & Karame, G. (2024). Closing the Gap: Achieving Better Accuracy-Robustness Tradeoffs against Query-Based Attacks. Proceedings of the AAAI Conference on Artificial Intelligence, 38(19), 21859-21868. https://doi.org/10.1609/aaai.v38i19.30187

Section

AAAI Technical Track on Safe, Robust and Responsible AI Track