What problem does this paper attempt to address?

The problem that this paper attempts to solve is the security issue of deep neural network models when facing adversarial examples attacks. Specifically, the author focuses on how to defend against two different types of adversarial attacks: white - box attacks and black - box attacks. The white - box attack assumes that the attacker has a complete understanding of the model's structure and parameters, while the black - box attack assumes that the attacker can only obtain output information by querying the model. ### Main Contributions 1. **Propose Output Randomization as a Defense Strategy**: - The author proposes to randomize the model output during the testing phase to defend against black - box attacks based on finite - difference estimation. - At the same time, the author also proposes a defense method that introduces output randomization during the training phase to resist white - box attacks. 2. **Defense Against Black - Box Attacks**: - Output randomization makes it difficult for black - box attacks based on finite - difference estimation to succeed by adding noise to the model output during the testing phase. Experimental results show that this method can reduce the success rate of Zeroth Order Optimization (ZOO) attacks to 0%. 3. **Defense Against White - Box Attacks**: - Introducing output randomization during the training phase does not require randomization during the testing phase, thus avoiding Backward Pass Differentiable Approximation (BPDA) attacks. Experiments show that this method can significantly improve the model's robustness to Projected Gradient Descent (PGD) attacks, especially when using the cross - entropy loss function. ### Mathematical Formulas and Explanations - **Gradient Error of Finite - Difference Estimation**: \[ g_i=\frac{L(f(x + h e_i)) - L(f(x - h e_i))}{2h} \] where \( g_i \) is the finite - difference estimated gradient of the \( i \) - th pixel, \( L \) is the loss function, \( f \) is the model, \( x \) is the input, \( h \) is a small constant, and \( e_i \) is a unit vector. - **Expected Value of Gradient Error After Output Randomization**: \[ |E[g_i-\gamma_i]|=\left| g_i - E\left[ \frac{L(p + \epsilon)-L(p'+\epsilon')}{2h} \right] \right| \] where \( \gamma_i \) is the gradient estimate calculated by the attacker, and \( \epsilon \) and \( \epsilon' \) are the noises added to the model output. - **ERM Problem with Noise**: \[ \min_{\theta} E_{(x,y)\sim P} E_{\epsilon}[L(f_{\theta}(x)+\epsilon,y)] \] where \( \theta \) is the model parameter, \( L \) is the loss function, and \( \epsilon\sim N(0,\Sigma) \) is Gaussian noise. ### Conclusion The paper shows that output randomization, as a simple and effective defense strategy, can significantly improve the model's robustness to adversarial attacks without affecting the model's performance. In particular, for black - box attacks, output randomization almost completely prevents the success of the attacks; for white - box attacks, output randomization training significantly improves the model's defense ability.