BAARD: Blocking Adversarial Examples by Testing for Applicability, Reliability and Decidability
This addresses the problem of adversarial defense for machine learning practitioners by providing a model-agnostic detection method, though it is incremental as it adapts an existing concept to a new domain.
The paper tackles the challenge of detecting adversarial examples across different models and attacks by proposing a triple-stage data-driven framework inspired by Applicability Domain from cheminformatics, which effectively detects various attacks, including in white-box scenarios.
Adversarial defenses protect machine learning models from adversarial attacks, but are often tailored to one type of model or attack. The lack of information on unknown potential attacks makes detecting adversarial examples challenging. Additionally, attackers do not need to follow the rules made by the defender. To address this problem, we take inspiration from the concept of Applicability Domain in cheminformatics. Cheminformatics models struggle to make accurate predictions because only a limited number of compounds are known and available for training. Applicability Domain defines a domain based on the known compounds and rejects any unknown compound that falls outside the domain. Similarly, adversarial examples start as harmless inputs, but can be manipulated to evade reliable classification by moving outside the domain of the classifier. We are the first to identify the similarity between Applicability Domain and adversarial detection. Instead of focusing on unknown attacks, we focus on what is known, the training data. We propose a simple yet robust triple-stage data-driven framework that checks the input globally and locally, and confirms that they are coherent with the model's output. This framework can be applied to any classification model and is not limited to specific attacks. We demonstrate these three stages work as one unit, effectively detecting various attacks, even for a white-box scenario.