National Preprint Platform (国家预印本平台)

Defense Method of Decision-based Adversarial Attack Based on Obfuscation Near the Boundary

Decision-based black-box attacks are an efficient class of attacks against deep neural network models, and in recent years a number of algorithms with low query cost and strong attack performance have emerged. To address the lack of targeted defense methods, a defense method based on boundary obfuscation, ONBD (Obfuscation Near the Boundary Defence), is proposed. The defense uses an output-consistency test to determine whether a sample lies near the decision boundary, and then applies a rule-based random transformation to the predicted results of samples located near the boundary, so as to obfuscate the decision-boundary information obtained by the attacker and thus hinder the normal operation of decision-based attack algorithms. Simulation results on the ImageNet dataset show that ONBD outperforms the SND defense both in clean-sample accuracy and in defense effect under three decision-based attacks: Boundary Attack, QEBA and SurFree. The experimental results show that the boundary-obfuscation defense can effectively defend against black-box decision-based attacks with almost no loss of classification accuracy on clean samples.
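An illustrative reconstruction of the two steps the abstract describes (an output-consistency test to flag near-boundary queries, followed by a random transformation of only those labels), added here as an example and not the authors' code. The toy hard-label linear model, the axis-aligned probe perturbations used as the consistency test, the probe radius `eps`, and the label-swap rule are all assumptions.

```python
import random
from typing import Callable, List, Sequence, Tuple

Vector = List[float]
Model = Callable[[Vector], int]

def linear_model(w: Vector, b: float) -> Model:
    """Constructed stand-in for a black-box DNN that exposes hard labels only."""
    def predict(x: Vector) -> int:
        return 1 if sum(wi * xi for wi, xi in zip(w, x)) + b > 0 else 0
    return predict

class ONBDWrapper:
    """Flag near-boundary queries via an output-consistency test, then
    randomly transform only those labels (assumed reconstruction of ONBD)."""
    def __init__(self, model: Model, num_classes: int, eps: float = 0.05,
                 flip_prob: float = 0.5, seed: int = 0) -> None:
        self.model, self.num_classes = model, num_classes
        self.eps, self.flip_prob = eps, flip_prob  # probe radius, flip rate (assumed)
        self.rng = random.Random(seed)

    def near_boundary(self, x: Vector) -> bool:
        """Probe x +/- eps along each axis; any label disagreement with the
        label of x means the decision boundary lies within eps of x."""
        base = self.model(x)
        for i in range(len(x)):
            for sign in (1.0, -1.0):
                probe = list(x)
                probe[i] += sign * self.eps
                if self.model(probe) != base:
                    return True
        return False

    def predict(self, x: Vector) -> int:
        label = self.model(x)
        if self.near_boundary(x) and self.rng.random() < self.flip_prob:
            # Transformation rule (assumed): return a uniformly chosen other class.
            others = [c for c in range(self.num_classes) if c != label]
            label = others[self.rng.randrange(len(others))]
        return label

def clean_accuracy(wrapper: ONBDWrapper, data: Sequence[Tuple[Vector, int]]) -> float:
    """Fraction of labelled samples the wrapped model still classifies correctly."""
    return sum(wrapper.predict(x) == y for x, y in data) / len(data)

# Constructed data: the boundary is x[0] = 0; 'clean' points sit at |x[0]| >= 0.5.
MODEL = linear_model([1.0, 0.0], 0.0)
CLEAN = [([0.5, 0.3], 1), ([2.0, -1.0], 1), ([-0.5, 0.7], 0), ([-3.0, 0.0], 0)]
```

Queries farther than `eps` from the boundary keep their clean label, so `clean_accuracy(ONBDWrapper(MODEL, 2), CLEAN)` is 1.0, while repeated queries at `[0.0, 0.0]` return a mix of labels and no longer reveal the true boundary.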

伍淳华, 潘立昊

Computing technology; computer technology

deep neural network; adversarial attack; adversarial defense; adversarial examples; decision boundary

伍淳华, 潘立昊. Defense Method of Decision-based Adversarial Attack Based on Obfuscation Near the Boundary [EB/OL]. (2023-02-09) [2025-08-11]. http://www.paper.edu.cn/releasepaper/content/202302-46.
