\ours: Defending Against Transfer Attacks From Public Models

As a warm-up, we will first consider a discrete defense strategy where the defender trains $s\cdot a$ models, one against each of the attack strategies. Denote a defender’s model by $\mathsf{T}\in\mathcal{T}$ where $\left|\mathcal{T}\right|=s\cdot a$. The defender’s strategy is to choose $\mathsf{T}$ to classify a given $x_{\mathrm{adv}}$ where $\mathsf{T}$ is trained to minimize the expected risk of both the normal samples and the transfer adversarial samples $x_{\mathrm{adv}}$ from Eq. 1.

$\displaystyle\operatorname*{arg\,min}_{\theta}~{}\mathbb{E}_{x,y}\left[\mathsf{L}(\mathsf{T}_{\theta}(x),y)+\mathsf{L}(\mathsf{T}_{\theta}(x_{\mathrm{adv}}),y)\right]$

(2)

Note that this formulation is similar to the well-known adversarial training (Goodfellow et al., 2015; Madry et al., 2018) except that $x_{\mathrm{adv}}$ is independent to $\theta$ or the model being trained. The payoff of the defender is defined as the expected accuracy on $x_{\mathrm{adv}}$ chosen by the attacker:

$\displaystyle r_{D}(\bm{\pi}_{A},\bm{\pi}_{D})=\mathbb{E}_{\mathsf{T}\sim\bm{\pi}_{D}}\mathbb{E}_{(\mathsf{S},\mathsf{A})\sim\bm{\pi}_{A}}\mathbb{E}_{x,y}[\mathbbm{1}\{\mathsf{T}(\mathsf{A}(\mathsf{S},(x,y)))=y\}]$

(3)

where $\bm{\pi}_{A},\bm{\pi}_{D}$ are mixed (i.e., potentially randomized) strategies for the attacker and the defender, respectively. In other words, $\bm{\pi}_{A},\bm{\pi}_{D}$ each represents a multinomial distribution over the $s\cdot a$ pure (i.e., non-randomized) strategies. The attacker’s payoff is $r_{A}(\bm{\pi}_{A},\bm{\pi}_{D})=-r_{D}(\bm{\pi}_{A},\bm{\pi}_{D})$. The payoff matrix ${\bm{R}}\in\mathbb{R}^{sa\times sa}$ is defined by ${\bm{R}}_{i,j}=r_{D}({\bm{e}}_{i},{\bm{e}}_{j})$.

As an example, we empirically compute ${\bm{R}}$ (Fig. 2) choosing $\mathcal{S}=\{\mathsf{S}_{1},\dots,\mathsf{S}_{4}\}$ to be four public models and $\mathcal{A}$ as only PGD attack (Madry et al., 2018). We will later describe how these models are chosen in Section 5.2. The defender also has four models $\mathcal{T}=\{\mathsf{T}_{1},\dots,\mathsf{T}_{4}\}$, where $\mathsf{T}_{i}$ is adversarially trained to be robust against transfer attacks from $\mathsf{S}_{i}$. Notice that the diagonal entries are large because $\mathsf{T}_{i}$ is trained on the attack from $\mathsf{S}_{i}$. Von Neumann’s minimax theorem guarantees the existence of a Nash equilibrium, i.e., an optimal strategy for each player (v. Neumann, 1928) (see Section A.3). The optimal strategy can be efficiently computed using linear programming (van den Brand, 2020). For the payoff matrix in Fig. 2, the expected payoff for the optimal strategy is 73.0, meaning that when both the attacker and the defender choose their strategies optimally, the target model can achieve 73.0% accuracy on average. This is reasonable, but as we show next, we can do better.

Now we make the defender’s action space more flexible: the defender can choose their model’s weights arbitrarily, instead of being limited to one of $s\cdot a$ models. We extend the loss function in Eq. 2 to represent the loss against a transfer attack chosen according to mixed strategy $\pi_{A}$:

$\displaystyle\operatorname*{arg\,min}_{\theta}~{}\mathbb{E}_{x,y}\left[\mathsf{L}(f_{\theta}(x),y)+\sum_{i=1}^{s\cdot a}~{}\pi_{i}\mathsf{L}\left(f_{\theta}\left(x_{\mathrm{adv},i}\right),y\right)\right]$

(4)

where $x_{\mathrm{adv},i}$ is an attack generated by the $i$-th attack strategy, and the attacker’s (mixed) strategy is given by $\bm{\pi}=(\pi_{1},\dots,\pi_{sa})$ representing a probability distribution over the $s\cdot a$ (pure) attack strategies. Note that we can recover the simple game if the adversary is restricted to choosing $\pi_{i}$’s s.t. $\pi_{i}=1$ for a single $i$ and 0 otherwise. However, when $\bm{\pi}$ represents any probability distribution, the reward function is no longer linear in $\bm{\pi}$ so von Neumann’s minimax theorem no longer applies. A Nash equilibrium may exist, but there is no known efficient algorithm to compute it.¹¹1If we discretize each $\pi_{i}$, the equilibrium is still guaranteed to exist by Nash’s theorem (Nash, 1951), but we need to deal with an exponential (in $sa$) number of defense models.

One naive strategy for the defender is to assume the attacker will choose uniformly at random from all $s\cdot a$ attacks and find the best response, i.e., find model weights $\theta$ that minimize Eq. 4 when $\pi_{i}=1/sa$ for all $i$’s. This amounts to adversarially training a model against this particular (mixed) attacker strategy. In this case, the defender’s payoff (adversarial accuracy) against each of the four attacks turns out to be $[96.3,90.4,94.6,96.0]$, for the payoff matrix in Fig. 2. This means the defender achieves over 90% accuracy against all four transfer attacks, which is a significant improvement over the equilibrium of the simple game (73%). This suggests that while we may not be able to solve the complex game optimally, it already enables a much better strategy for the defender. In Section 5, we will explore several heuristics to approximately find a “local” equilibrium.

We propose several heuristics for solving the complex game (Section 4.2) that do not require explicitly computing the full payoff matrix. Instead, the defender trains only one model with adjustable weights $\pi_{i}$’s as defined in Eq. 4. We experiment with the three training losses (detailed in Section A.4) and report the best one. Overall, we find that simply sampling one attack randomly (a pair of $(\mathsf{S},\mathsf{A})$) at each iteration performs well or best in most cases.

Given that the set of publicly available models is public and known to both the attacker and the defender, the most natural choice for the defender is to train against all publicly available models. However, the computation cost can be prohibitive. We show that we can achieve nearly as good performance by choosing only a small subset of the publicly available models. However, finding an optimal set of source models is non-trivial without trying out all possible combinations.

Intuitively, to be robust against a wide range of transfer attacks, the defender should train the target model against a diverse set of source models and algorithms. The “diversity” of a set of models is challenging to define. Natural approaches include using a diverse set of architectures (e.g., ConvNet vs Transformer), a diverse set of (pre-)training methodologies (e.g., supervised vs unsupervised), and a diverse set of data augmentation strategies. In our experiments, we found that the training procedure—namely (1) normal, (2) $\ell_{\infty}$-adversarial, (3) $\ell_{2}$-adversarial, or (4) corruption-robust training—has the largest effect on the defense. For the rest of the paper, we categorize the source models into one of these four groups.²²2For CIFAR-100 and ImageNet, it is hard to find $\ell_{2}$-adversarially trained models that are publicly available, so we exclude this group and only consider the remaining three (normal, $\ell_{\infty}$, and corruption). We will discuss the implications of this grouping in Sections 6.2 and 7.1.

This motivates a simple yet surprisingly effective heuristic that we use for selecting the set of source models: when training \ours, we use one source model from each group (four source models in total for CIFAR-10 and three for CIFAR-100 and ImageNet). In more detail, we first choose four source models: the public model that is most robust against $\ell_{\infty}$ white-box attacks, the public model that is most robust against $\ell_{2}$ white-box attacks, the public model that is most corruption robust, and one arbitrary public model that is normally trained. Then, we compute the adversarial accuracy against transfer attacks from every publicly available model. If the adversarial accuracy against transfer attacks from some other public model $\mathsf{S}^{\prime}$ is significantly lower than the adversarial accuracy against transfer attacks from $\mathsf{S}$ (the chosen model in the same group as $\mathsf{S^{\prime}}$), then we swap in $\mathsf{S^{\prime}}$ and remove $\mathsf{S}$. We made one swap for CIFAR-100 and ImageNet and no swap for CIFAR-10. We find that this simple heuristic works well in practice and performs better than a random subset (Section 7.1).

Metrics. The two most common metrics used to compare models in the past literature are clean and adversarial accuracy. The clean accuracy is simply the accuracy on the test set, with no attack. There are multiple ways to measure the adversarial accuracy under our threat model depending on the attacker’s strategy (e.g., average or worst-case). We conservatively assume that the attacker knows the defender’s strategy and chooses the best pair of $(\mathsf{S},\mathsf{A})$ to run the attack.³³3This assumption is realistic because, with limited queries, the attacker can intelligently pick a good source model using the method from Maho et al. (2023), for example. In other words, we report the adversarial accuracy against the worst-case TAPM attack.

Baseline defenses. Adversarial training (Madry et al., 2018) can defend against transfer attacks but at the cost of excessive degradation to clean accuracy (as we will show next). We compare \ours to the best white-box adversarially trained (AT) model from RobustBench that has the same architecture. For CIFAR-10, CIFAR-100, and ImageNet, the best are Addepalli et al. (2022b), Addepalli et al. (2022a), and Salman et al. (2020), respectively. Additionally, we compare our method to DVERGE (Yang et al., 2020) and TRS (Yang et al., 2021), the two state-of-the-art defenses against transfer attacks. These use an ensemble of models for greater diversity, so that an attack that succeeds on one might fail on another, hopefully making transfer attacks harder.

Public source models. For each dataset, we select 24 public pre-trained models: 12 normally trained and 12 robustly trained models. The normal group comes from multiple public model zoos including Hugging Face (Face, 2023), timm (Wightman, 2019), and (for CIFAR-10/100) two Github repositories (Chen, 2023; Phan, 2023). The robust models are all hosted on RobustBench (Croce et al., 2020). We select a wide variety of models based on their architecture (e.g., assorted ConvNet, ViT (Dosovitskiy et al., 2021), Swin (Liu et al., 2021), BeiT (Bao et al., 2022), ConvMixer (Trockman & Kolter, 2023), zero-shot CLIP (Radford et al., 2021), etc.) and training methods to ensure high diversity. We try our best to not select two models with the same architecture or from the same paper.

Attack algorithms. We evaluate the robustness of the defenses with 11 different attack algorithms. All of the attacks are gradient-based, but they utilize different techniques for improving the transferability of the attacks, e.g., momentum, data augmentation, intermediate representation, etc. Please refer to Section A.1 for the complete list of both the source models and the attack algorithms.

training. We adversarially train the defended model by selecting a subset of source models according to the heuristic in Section 5.2 and then using a PGD transfer attack on that subset. We use a WideResNet-34-10 architecture for CIFAR-10/100 and ResNet-50 for ImageNet. We do not use any extra data or generated data for training. Section A.1.3 has the complete training details.

is more robust to all 264 transfer attacks than the baselines by a large margin. We generate 264 transfer attacks, one for each of 11 attack algorithms and 24 source models, and evaluate \ours according to the most successful attack. For CIFAR-10, \ours achieves 20 percentage points higher adversarial accuracy than the best previously published defense, with comparable clean accuracy to an undefended model (Table 1). For CIFAR-100, \ours achieves 10–18 p.p. higher robustness and 7–12 p.p. higher clean accuracy than the best prior defense. For ImageNet, \ours achieves 26 p.p. better adversarial accuracy and 15 p.p. better clean accuracy than adversarial training; its clean accuracy is only 2 p.p. lower than an undefended model. It is beyond our resources to train TRS and DVERGE for ImageNet, due to the combination of ensembling and adversarial training.

Fig. 3 shows all adversarial accuracies of \ours by pairs of $(\mathsf{S},\mathsf{A})$ on ImageNet. Here, the overall best attack is NI-Admix-TI-DIM from a ResNet-50 on Hugging Face. M-PGD, Admix, and NI-Admix-TI-DIM are generally the strongest attack algorithms across source models and datasets. Surprisingly, PGD usually performs well above average compared to the other more sophisticated attacks. Section A.6.2 shows more detail.

maintains high clean accuracy. Compared to the state-of-the-art top-1 clean accuracy for undefended models, our defense experiences only a 0–5% drop in the clean accuracy (Table 1). Compare to white-box adversarial training, which suffers a 11–18% drop. We emphasize that the minimal drop in the clean accuracy is one of the most attractive properties of \ours making it far more practical than white-box adversarial training.

generalizes well to unseen source models and attack algorithms. Our defense is trained against only the PGD attack and either four (CIFAR-10) or three (CIFAR-100, ImageNet) source models. This amounts to four potential transfer attacks out of 264. Fig. 5 shows that \ours generalizes incredibly well to the 260 unseen attacks losing only 1.7%, 1.8%, and 7.6% in robustness across the three datasets. This result implies that these 264 transfer attacks may be much more “similar” than the community expected; see Section 7.3.

should be trained with one source model from each of the four groups. Table 9 shows an ablation study, where we omit one of the four source models during training. We see that including at least one source model from each of the four groups is important for strong robustness. Including at least one $\ell_{2}$-robust and at least one corruption-robust model in the source set seems particularly important. Without them, adversarial accuracy drops by 28.5% or 31.7%, respectively. We provide further evidence to support this finding in with a more sophisticated ablation study (Section A.5) that controls for the number of source models (Fig. 9).

Training \ours against more source models is not necessarily better. Fig. 5 shows that adding more source models (8, 12, or 24) to \ours increases the adversarial accuracy by only $\sim$1%, and it also decreases clean accuracy by $\sim$1%. This suggests that our simple heuristic of selecting one source model per group is not only necessary but also sufficient for training \ours.

A simple loss function suffices. For CIFAR-10 and CIFAR-100, the Random training loss achieves the best results (Table 9). For ImageNet, All is slightly better and is only slightly worse than the best result (DynamicLoss). We use these training methods in all of our evaluations.

Random source model selection. We experiment with two random methods for choosing the source models for training \ours. In three out of four cases, \ours with the random selection method still outperforms the white-box adversarial training by roughly 10 p.p., but in all cases, it is worse than our default selection method. This result lets us conclude that (i) our simple selection scheme in Section 5.2 is much more effective than random and (ii) all of the source model groups should be represented which is in line with Section 6.2. We refer to Section A.5.1 for more details.

Attacks from ensembles of the public source models. A more sophisticated adversary could use an ensemble of public models to generate a transfer attack, which has been shown to improve the attack transferability (Liu et al., 2017; Gubri et al., 2022). We experiment with this approach by creating three ensembles⁴⁴4The ensemble averages the logits rather than averaging the losses or the softmax scores; in our past experience, we have found that all three choices yield similar performance. of four source models (one model from each group) and generate adversarial samples with all 11 attack algorithms. This results in 33 attack candidates, and then, we report accuracy under the best attack among these 33. We found that \ours is robust against such an ensemble attack, and this ensemble attack is no better than an attack constructed from the best single-source model (91.7% vs 88.6% adversarial accuracy). We leave more sophisticated ensemble-based attacks (e.g., Chen et al. (2023b; a)) as future work.

As we design \ours to specifically defend against transfer attacks, we rely on system-level defenses for other types of attacks. Here, we measure the risk against such attacks. First, we find that \ours is not robust against white-box attacks; PGD attack with sufficient steps reduces its accuracy to 0%. This is expected as white-box AT has been the only reliable defense against white-box attacks. Against both soft and hard-label query-based attacks, \ours is also less robust compared to the best white-box AT (Tables 11 and 12). However, once we apply an existing defense against query-based attacks (Qin et al., 2021), \ours becomes the most robust (Table 2). Specifically, we chose the standard deviation of the additive noise $\sigma\in\{0.01,0.02\}$ and followed the same evaluation procedure as Qin et al. (2021). We evaluated the defense against the soft-label Square attack (Andriushchenko et al., 2020) with 100 and 1000 queries. The \ours models have both higher clean accuracy (4–7 pp.) and adversarial accuracy ($\sim$1 pp.) than the white-box AT. Adding \ours to this query-based defense boosts the robustness up to 24 pp. (from 66 to 80) against the 1000-query Square attack.

Surprising generalization. In Section 6.2, \ours demonstrates excellent robustness against a broad range of TAPM attacks, even the transfer attacks from a source model and/or an attack algorithm that were not trained against. We suspect that the surprising generalization of \ours indicates a low-dimensional structure underlying transfer adversarial examples. We visualize our intuition in Section A.6.4. In this section, we investigate this phenomenon more closely.

Generalization with one source model. We train four \ours models each against only one source model (not one per group). The adversarial accuracy by groups in Fig. 7 shows an unexpected result: training against either an $\ell_{2}$ or corruption source model alone provides above 55% accuracy against the best attack. Furthermore, training against the $\ell_{2}$ (resp. corruption) source model provides over 80% robustness against the $\ell_{\infty}$ (resp. normal) group. This generalization effect does not necessarily hold in reverse (e.g., training against a $\ell_{\infty}$ source model yields little robustness to the $\ell_{2}$ group). Some source models are better than others to train \ours with.

To verify the manifold hypothesis, we attempt to quantify it using two metrics: cosine similarity and principal component analysis (PCA). Fig. 6 shows the pairwise cosine similarity values among all 264 attacks aggregated by the four source model groups and averaged over all CIFAR-10 test samples. The cosine similarity is notably higher when comparing adversarial examples generated within the same group in contrast to those across two groups, especially for the $\ell_{\infty}$ and the $\ell_{2}$ adversarial training groups (0.23 and 0.24 respectively). The cosine similarity is albeit lower in the normal and the corruption groups. PCA analysis also supports this observation, showing evidence for a low-dimensional linear subspace for the $\ell_{\infty}$ and the $\ell_{2}$ groups. We defer the detailed discussion to Section A.6.4.

is intended to stop a specific class of attacks that are particularly easy to mount, and that are not stopped by any reasonable systems-level defense. However, it has many limitations:

1. 1. \ours

   is not robust to white-box attacks and is only suitable if model weights can be kept secret. If the model is deployed to users, then attackers can reverse-engineer it to find the weights and mount a white-box attack (Liang et al., 2016; Tencent Keen Security Lab, 2019).

2. 2.

   A sufficiently dedicated and well-financed attacker can likely train their own surrogate model, e.g., by somehow assembling a suitable training set and paying annotators or using the target model to label it, then mount a transfer attack from this private surrogate, potentially bypassing our defense.

3. 3.

   We only defend against $\ell_{\infty}$-norm-bounded attacks. Many researchers have argued persuasively that we also need to consider broader attack strategies (Gilmer et al., 2018; Kaufmann et al., 2023), which we have not examined in this work.

Despite these limitations, \ours has several practical benefits: (1) Minimal drop in clean accuracy: The robustness gain of \ours is (almost) free! This makes it almost ready to deploy in the real world. (2) Low training cost: Adversarial training takes $\sim$2$\times$ longer due to the adversarial example generation inside of the training loop. In contrast, \ours training is much faster, as transfer attacks can be pre-generated prior to the training, only need to be done once, and can be done in parallel.

More precisely, the training time of \ours is approximately $16T+0.2NT$ where $T$ is the time for one epoch of white-box adversarial training and $N$ is the number of epochs of training. In comparison, adversarial training takes $NT$ time. For $N=50$ epochs, \ours’s training time is $26T$ vs $50T$ for adversarial training. The first term in the formula ($16T$) is a one-time cost for generating all the transfer attacks used in training: 4 source models $\times$ 4 instances per training sample $\times$ 10 PGD steps = $16T$. Regardless of how many PubDef models are trained or how many hyperparameters are swept, this step has to be done once. The second term is the cost of the training loop which depends on the exact loss function used (Section 5.1). For the “Random” loss function, the cost is $0.2T$ per epoch.

This work was supported in part by funds provided by the National Science Foundation (under grant 2229876), the KACST-UCB Center for Secure Computing, the Department of Homeland Security, IBM, the Noyce Foundation, Google, Open Philanthropy, and the Center for AI Safety Compute Cluster. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the sponsors.