Machine learning through cryptographic glasses: combating adversarial attacks by key-based diversified aggregation

EURASIP Journal on Information Security

Table 7 Adversarial distortion

Attack	Median ℓ₂-norm	Mean ℓ₂-norm
MNIST
C&Wℓ₂	5.28e −03	5.52e −03
C&Wℓ₀	1.56e −02	1.61e −02
C&Wℓ_∞	1.24e −02	1.29e −02
Fashion-MNIST
C&Wℓ₂	2.30e −04	5.31e −04
C&Wℓ₀	4.35e −03	4.86e −03
C&Wℓ_∞	4.43e −04	5.43e −04
CIFAR-10
C&Wℓ₂	7.80e −05	1.19e −04
C&Wℓ₀	2.48e −03	4.55e −03
C&Wℓ_∞	1.73e −04	2.13e −04
ResNet18 (CIFAR-10)
PGD	1.00e −04	1.37e −04
Vanilla OnePixelp=1	5.25e −04	2.76e −03
Vanilla OnePixelp=3	1.24e −03	3.51e −03
Vanilla OnePixelp=5	1.86e −03	4.18e −03
Multi-channel model OnePixelp=1	3.22e −04	2.42e −03
Multi-channel model OnePixelp=3	1.33e −03	3.61e −03
Multi-channel model OnePixelp=5	2.05e −03	4.33e −03
VGG16 (CIFAR-10)
PGD	9.99e −05	1.50e −04
Vanilla OnePixelp=1	5.86e −04	2.78e −03
Vanilla OnePixelp=3	1.37e −03	3.69e −03
Vanilla OnePixelp=5	2.02e −03	4.26e −03
Multi-channel model OnePixelp=1	3.43e −04	2.25e −03
Multi-channel model OnePixelp=3	1.27e −03	3.64e −03
Multi-channel model OnePixelp=5	1.91e −03	4.28e −03