Our paper presents a novel defence against black box attacks, where attackers
use the victim model as an oracle to craft their adversarial examples. Unlike
traditional preprocessing defences that rely on sanitizing input samples, our
stateless strategy counters the attack process itself. For every query we
evaluate a counter-sample instead, where the counter-sample is the original
sample optimized against the attacker's objective. By countering every black
box query with a targeted white box optimization, our strategy effectively
introduces an asymmetry to the game to the defender's advantage. This defence
not only effectively misleads the attacker's search for an adversarial example,
it also preserves the model's accuracy on legitimate inputs and is generic to
multiple types of attacks.
We demonstrate that our approach is remarkably effective against
state-of-the-art black box attacks and outperforms existing defences for both
the CIFAR-10 and ImageNet datasets. Additionally, we also show that the
proposed defence is robust against strong adversaries as well.

本论文提出了一种新颖的防御方法来对抗黑盒攻击，通过针对每个查询使用一个针对攻击者目标优化的原始样本的对抗反案例来对抗黑盒查询，有效地为防御者引入了不对称性，从而既有效地误导了攻击者寻找对抗样本的搜索，又保持了模型对合法输入的准确性，并且适用于多种类型的攻击。

反样本：一种无状态策略用于中和黑盒对抗攻击

Counter-Samples: A Stateless Strategy to Neutralize Black Box  Adversarial Attacks

Deep neural networks have been shown to perform well in many classical
machine learning problems, especially in image classification tasks. However,
researchers have found that neural networks can be easily fooled, and they are
surprisingly sensitive to small perturbations imperceptible to humans.
Carefully crafted input images (adversarial examples) can force a well-trained
neural network to provide arbitrary outputs. Including adversarial examples
during training is a popular defense mechanism against adversarial attacks. In
this paper we propose a new defensive mechanism under the generative
adversarial network (GAN) framework. We model the adversarial noise using a
generative network, trained jointly with a classification discriminative
network as a minimax game. We show empirically that our adversarial network
approach works well against black box attacks, with performance on par with
state-of-art methods such as ensemble adversarial training and adversarial
training with projected gradient descent.

该论文提出了一种基于生成对抗网络 (GAN) 框架下的新防御机制来对抗黑盒攻击，在经验上表现良好并能与利用梯度下降的集成对抗训练和对抗训练等最先进的方法媲美。