Classifiers based on deep neural networks have been recently challenged by
Adversarial Attack, where the widely existing vulnerability has invoked the
research in defending them from potential threats. Given a vulnerable
classifier, existing defense methods are mostly white-box and often require
re-training the victim under modified loss functions/training regimes. While
the model/data/training specifics of the victim are usually unavailable to the
user, re-training is unappealing, if not impossible for reasons such as limited
computational resources. To this end, we propose a new black-box defense
framework. It can turn any pre-trained classifier into a resilient one with
little knowledge of the model specifics. This is achieved by new joint Bayesian
treatments on the clean data, the adversarial examples and the classifier, for
maximizing their joint probability. It is further equipped with a new
post-train strategy which keeps the victim intact. We name our framework
Bayesian Boundary Correction (BBC). BBC is a general and flexible framework
that can easily adapt to different data types. We instantiate BBC for image
classification and skeleton-based human activity recognition, for both static
and dynamic data. Exhaustive evaluation shows that BBC has superior robustness
and can enhance robustness without severely hurting the clean accuracy,
compared with existing defense methods.

研究提出了一种新的黑盒防御框架，即贝叶斯边界校正（BBC），它可以将任何预训练的分类器变成具有弹性的分类器，具有超强的鲁棒性，且对干净数据的准确性不会产生剧烈的影响。

贝叶斯边界校正防御黑盒分类器

Defending Black-box Classifiers by Bayesian Boundary Correction

The lack of adversarial robustness has been recognized as an important issue
for state-of-the-art machine learning (ML) models, e.g., deep neural networks
(DNNs). Thereby, robustifying ML models against adversarial attacks is now a
major focus of research. However, nearly all existing defense methods,
particularly for robust training, made the white-box assumption that the
defender has the access to the details of an ML model (or its surrogate
alternatives if available), e.g., its architectures and parameters. Beyond
existing works, in this paper we aim to address the problem of black-box
defense: How to robustify a black-box model using just input queries and output
feedback? Such a problem arises in practical scenarios, where the owner of the
predictive model is reluctant to share model information in order to preserve
privacy. To this end, we propose a general notion of defensive operation that
can be applied to black-box models, and design it through the lens of denoised
smoothing (DS), a first-order (FO) certified defense technique. To allow the
design of merely using model queries, we further integrate DS with the
zeroth-order (gradient-free) optimization. However, a direct implementation of
zeroth-order (ZO) optimization suffers a high variance of gradient estimates,
and thus leads to ineffective defense. To tackle this problem, we next propose
to prepend an autoencoder (AE) to a given (black-box) model so that DS can be
trained using variance-reduced ZO optimization. We term the eventual defense as
ZO-AE-DS. In practice, we empirically show that ZO-AE- DS can achieve improved
accuracy, certified robustness, and query complexity over existing baselines.
And the effectiveness of our approach is justified under both image
classification and image reconstruction tasks. Codes are available at
this https URL.

本文提出了一种针对黑盒模型的防御式操作，通过基于降噪平滑和零阶优化的方法，将自编码器与模型结合，并在此基础上设计了 ZO-AE-DS，该方法在图像分类和重建任务上表现出更好的准确性、可靠性和查询复杂度。