wAdvMTD: A Mitigation to White-box Adversarial Examples Using Heterogeneous Models and Moving Target Defense

2023 3RD ASIA-PACIFIC CONFERENCE ON COMMUNICATIONS TECHNOLOGY AND COMPUTER SCIENCE, ACCTCS(2023)

Abstract
In recent years, adversarial examples have become a non-trivial threat to deep learning models. They harm the availability and integrity of deep learning because the inconspicuous perturbation is hard for a human observer to distinguish. Among the mitigation strategies, schemes that use moving target defense as the methodology for defending against adversarial examples report satisfactory performance in the black-box setting. For protecting deep learning models from white-box adversaries, however, merely scheduling a model at random from the candidate set to handle these stronger adversaries seems insufficient. Furthermore, the mitigation is vulnerable if the scheduling process is exposed to the adversary. In this paper, we propose a white-box adversarial example mitigation mechanism called wAdvMTD. It can automatically diversify the model structure of deep neural networks so that an attack vector crafted against one model fails on the rest of its heterogeneous models. We build a proof of concept by deploying this mechanism on ResNet. Compared with the methodology that only schedules one of the pre-built models, using a set of structure-diversified models reaches a higher accuracy even under the constraint that this mechanism is completely exposed to the adversary.
Keywords

Moving Target Defense, Adversarial Examples, Model Diversification