The query-based black-box attacks have raised serious threats to machine
learning models in many real applications. In this work, we study a lightweight
defense method, dubbed Random Noise Defense (RND), which adds proper Gaussian
noise to each query. We conduct the theoretical analysis about the
effectiveness of RND against query-based black-box attacks and the
corresponding adaptive attacks. Our theoretical results reveal that the defense
performance of RND is determined by the magnitude ratio between the noise
induced by RND and the noise added by the attackers for gradient estimation or
local search. The large magnitude ratio leads to the stronger defense
performance of RND, and it's also critical for mitigating adaptive attacks.
Based on our analysis, we further propose to combine RND with a plausible
Gaussian augmentation Fine-tuning (RND-GF). It enables RND to add larger noise
to each query while maintaining the clean accuracy to obtain a better trade-off
between clean accuracy and defense performance. Additionally, RND can be
flexibly combined with the existing defense methods to further boost the
adversarial robustness, such as adversarial training (AT). Extensive
experiments on CIFAR-10 and ImageNet verify our theoretical findings and the
effectiveness of RND and RND-GF.

本文研究一种轻量级防御方法 ——Random Noise Defense (RND) 来对抗基于查询的黑盒攻击，并在理论和实验上验证了其有效性。此外，通过将 RND 与高斯增强精调相结合（RND-GF），可以在保持良好的清洁数据准确性的情况下，获得更好的折衷和更大的防御性能。