MagNet: A Two-Pronged defense against adversarial examples

Abstract

Deep learning has shown impressive performance on hard percep-tual problems. However, researchers found deep learning systems to be vulnerable to small, specially crafted perturbations that are imperceptible to humans. Such perturbations cause deep learning systems to mis-classify adversarial examples, with potentially dis-A strous consequences where safety or security is crucial. Prior de-fenses against adversarial examples either targeted specific attacks or were shown to be ineffective. We propose MagNet, a framework for defending neural network classifiers against adversarial examples. MagNet neither modifies the protected classifier nor requires knowledge of the process for generating adversarial examples. MagNet includes one or more separate detector networks and a reformer network. The detector networks learn to differentiate between normal and adversarial ex-A mples by approximating the manifold of normal examples. Since they assume no specific process for generating adversarial exam-ples, they generalize well. The reformer network moves adversar-ial examples towards the manifold of normal examples, which is effective for correctly classifying adversarial examples with small perturbation.We discuss the intrinsic difficulties in defending against whitebox attack and propose a mechanism to defend against gray-box attack. Inspired by the use of randomness in cryptography, we use diversity to strengthen MagNet. We show empirically that MagNet is effective against the most advanced state-of-the-art at-tacks in blackbox and graybox scenarios without sacrificing false positive rate on normal examples.