Fred Hohman
/ CSE Ph.D. Student at GT

Shield: Fast, Practical Defense and Vaccination for Deep Learning using JPEG Compression

Nilaksh Das, Madhuri Shanbhogue, Shang-Tse Chen, Fred Hohman, Siwei Li, Li Chen, Michael E. Kounavis, Duen Horng Chau

Shield Framework Overview. Shield combats adversarial images (in red), by removing perturbation in real time using Stochastic Local Quantization (SLQ) and an ensemble of vaccinated models robust to compression transformation for both adversarial and benign images. Our approach eliminates up to 94% of black-box attacks and 98% of gray-box attacks delivered by some of the most recent, strongest attacks, such as Carlini-Wagner’s L2 and DeepFool.

Abstract

The rapidly growing body of research in adversarial machine learning has demonstrated that deep neural networks (DNNs) are highly vulnerable to adversarially generated images. This underscores the urgent need for practical defense that can be readily deployed to combat attacks in real-time. Observing that many attack strategies aim to perturb image pixels in ways that are visually imperceptible, we place JPEG compression at the core of our proposed Shield defense framework, utilizing its capability to effectively “compress away” such pixel manipulation. To immunize a DNN model from artifacts introduced by compression, Shield “vaccinates” a model by re-training it with compressed images, where different compression levels are applied to generate multiple vaccinated models that are ultimately used together in an ensemble defense. On top of that, Shield adds an additional layer of protection by employing randomization at test time that compresses different regions of an image using random compression levels, making it harder for an adversary to estimate the transformation performed. This novel combination of vaccination, ensembling, and randomization makes Shield a fortified multi-pronged protection. We conducted extensive, large-scale experiments using the ImageNet dataset, and show that our approaches eliminate up to 94% of black-box attacks and 98% of gray-box attacks delivered by the recent, strongest attacks, such as Carlini-Wagner’s L2 and DeepFool. Our approaches are fast and work without requiring knowledge about the model.

Materials

PDF | Github | BibTeX

Citation

Shield: Fast, Practical Defense and Vaccination for Deep Learning using JPEG Compression
Nilaksh Das, Madhuri Shanbhogue, Shang-Tse Chen, Fred Hohman, Siwei Li, Li Chen, Michael E. Kounavis, Duen Horng Chau
ACM SIGKDD Conference on Knowledge Discovery and Data Mining (KDD). Aug 19, 2018. London, UK
PDF | Github | BibTeX

BibTeX

@article{das2018shield,
  title={Shield: Fast, Practical Defense and Vaccination for Deep Learning using JPEG Compression},
  author={Das, Nilaksh and Shanbhogue, Madhuri and Chen, Shang-Tse and Hohman, Fred and Li, Siewi and Chen, Li and Kounavis, Michael E and Chau, Duen Horng},
  journal={Proceedings of the 24nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining},
  year={2018},
  organization={ACM}
}