Random Feature Nullification for Adversary Resistant Deep Architecture

Deep neural networks (DNN) have been proven to be quite effective in many applications such as image recognition and using software to process security or traffic camera footage, for example to measure traffic flows or spot suspicious activities. Despite the superior performance of DNN in these applications, it has recently been shown that a DNN is susceptible to a particular type of attack that exploits a fundamental flaw in its design. Specifically, an attacker can craft a particular synthetic example, referred to as an adversarial sample, causing the DNN to produce an output behavior chosen by attackers, such as misclassification. Addressing this flaw is critical if a DNN is to be used in critical applications such as those in cybersecurity. Previous work provided various defence mechanisms by either increasing the model nonlinearity or enhancing model complexity. However, after a thorough analysis of the fundamental flaw in the DNN, we discover that the effectiveness of such methods is limited. As such, we propose a new adversary resistant technique that obstructs attackers from constructing impactful adversarial samples by randomly nullifying features within samples. Using the MNIST dataset, we evaluate our proposed technique and empirically show our technique significantly boosts DNN's robustness against adversarial samples while maintaining high accuracy in classification.