Fig. 4 | EURASIP Journal on Information Security

From: Machine learning through cryptographic glasses: combating adversarial attacks by key-based diversified aggregation

Fig. 4

The attacker-defender game in adversarial classification: (a) the attacker produces an adversarial example \(\mathbf{x}^{adv}\) from a host \(\mathbf{x}\) by a mapper \(\mathbf{x}^{adv} = g_{\alpha}(\mathbf{x}, \boldsymbol{\epsilon})\); (b) the defender answers with the pre-filtering \(\varphi_{\beta}(\mathbf{x}^{adv})\) to obtain an estimate \(\hat{\mathbf{x}}\) on the original host class manifold; (c) an alternative defense strategy randomizes the input adversarial image as \(\hat{\mathbf{x}} = \mathbf{x}^{adv} + \boldsymbol{\epsilon}^{d'}\): the resulting sample will lie outside the attacker's target class, with only a small probability of landing in the original host class, which requires retraining of the classifiers; (d) the proposed defense strategy consists of pre-filtering by \(\varphi_{\beta}(\mathbf{x}^{adv})\) and addition of the defender's randomized perturbation \(\boldsymbol{\epsilon}^{d}\): \(\tilde{\mathbf{x}} = \varphi_{\beta}(\mathbf{x}^{adv}) + \boldsymbol{\epsilon}^{d}\), such that \(\lVert \boldsymbol{\epsilon}^{d} \rVert_{2}^{2} \ll \lVert \boldsymbol{\epsilon}^{d'} \rVert_{2}^{2}\)