Investigating Stateful Defenses Against Black-Box Adversarial Examples. (arXiv:2303.06280v2 [cs.CR] UPDATED)
cs.CR updates on arXiv.org
Defending machine-learning (ML) models against white-box adversarial attacks
has proven to be extremely difficult. Instead, recent work has proposed
stateful defenses in an attempt to defend against a more restricted black-box
attacker. These defenses operate by tracking a history of incoming model
queries, and rejecting those that are suspiciously similar. The current
state-of-the-art stateful defense Blacklight was proposed at USENIX Security
'22 and claims to prevent nearly 100% of attacks on both the CIFAR10 and
ImageNet datasets. In this paper, …
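To make the mechanism the abstract describes concrete, here is an added illustration of a stateful query filter: it keeps a bounded history of recent model queries and rejects any new query whose distance to a stored one falls below a threshold. This is generic example code written for this page, not Blacklight's fingerprinting scheme and not code from the paper; it assumes queries arrive as float vectors in [0, 1], uses a dimension-normalized L2 distance as the similarity measure, and a FIFO history window, all of which are choices made here rather than taken from the abstract. The constructed traffic in `run_demo` also shows two limits a defender should expect from any fixed-threshold history filter: a perturbation larger than the threshold passes, and once the window rolls over, the original query is forgotten.

```python
from collections import deque
from math import sqrt
from typing import Deque, Sequence, Tuple


class StatefulQueryFilter:
    """Reject model queries that are suspiciously close to recent ones.

    Generic illustration of a stateful defense (assumed design, not
    Blacklight's own algorithm). Similarity is a dimension-normalized L2
    distance over float vectors in [0, 1]; history is a bounded FIFO window.
    """

    def __init__(self, threshold: float, history_size: int = 1000) -> None:
        if threshold <= 0:
            raise ValueError("threshold must be positive")
        self.threshold = threshold
        self.history: Deque[Tuple[float, ...]] = deque(maxlen=history_size)
        self.accepted = 0
        self.rejected = 0

    @staticmethod
    def distance(a: Sequence[float], b: Sequence[float]) -> float:
        if len(a) != len(b):
            raise ValueError("query dimensions differ")
        # Normalize by dimension so the threshold is independent of input size.
        return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)) / len(a))

    def check(self, query: Sequence[float]) -> bool:
        """Return True (and record the query) if accepted, False if rejected."""
        for past in self.history:
            if self.distance(query, past) < self.threshold:
                self.rejected += 1
                return False
        self.history.append(tuple(query))
        self.accepted += 1
        return True


def run_demo() -> dict:
    """Constructed traffic (not real data): three distinct benign queries,
    then five near-duplicate probes around one of them, then a larger-step
    variant, then a tiny-window filter to show history eviction."""
    filt = StatefulQueryFilter(threshold=0.05, history_size=100)
    dim = 16
    benign = [
        [i / dim for i in range(dim)],       # ramp up
        [1 - i / dim for i in range(dim)],   # ramp down
        [0.5] * dim,                         # flat grey
    ]
    accepted_benign = [filt.check(q) for q in benign]

    # Near-duplicate probes: the flat image with one pixel moved by 0.01.
    # Their distance to the stored flat image is 0.0025, below the threshold.
    probes = []
    for k in range(5):
        q = [0.5] * dim
        q[k] = 0.51
        probes.append(q)
    accepted_probes = [filt.check(q) for q in probes]

    # Every pixel moved by 0.2 gives distance 0.2, above the threshold, so it
    # passes: a fixed distance threshold only catches small-step querying.
    accepted_far = filt.check([0.7] * dim)

    # With a two-entry window the flat image is evicted after two further
    # benign queries, so the same probe is accepted afterwards.
    small = StatefulQueryFilter(threshold=0.05, history_size=2)
    small.check([0.5] * dim)
    small.check(benign[0])
    small.check(benign[1])  # evicts the flat image
    probe_after_eviction = small.check(probes[0])

    return {
        "benign": accepted_benign,
        "probes": accepted_probes,
        "far": accepted_far,
        "probe_after_eviction": probe_after_eviction,
        "rejected": filt.rejected,
    }


if __name__ == "__main__":
    print(run_demo())
```

The threshold and window size are the two knobs a deployment has to tune: a tighter threshold or a larger window rejects more probing but also more legitimate resubmissions, and a bounded window is what keeps the per-query cost and memory acceptable at scale.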