Securing Deep Learning as a Service Against Adaptive High Frequency Attacks With MMCAT

IEEE Transactions on Services Computing (2023)

Abstract
Most cloud providers offer Deep Learning as a Service (DLaaS) for business, science and engineering domains. However, deep neural networks (DNNs) are known to be vulnerable to adversarial examples: human-imperceptible perturbations injected into the query input that cause a well-trained DNN model to misbehave. Mitigating such adversarial input perturbations and enhancing the robustness of DNNs is therefore a critical challenge in securing deep learning as a service. In this article, we report two important facts. First, most adversarial perturbations are high frequency signals or are added to high frequency signals. Second, by the Frequency Principle, neural networks preferentially fit low frequency signals during training, so the resulting models are easily misled by the high frequency components of adversarial examples. Together, these facts contribute to the vulnerability of DNN services in the cloud. We conjecture that the more robustly a neural network learns from high frequency signals, the more resilient it is against adversarially perturbed examples. We propose a novel method for generating high-frequency-enhanced adversarial examples, implemented as a high-pass filter in the frequency domain via the Fourier transform. Training on such examples strengthens the learning of high frequency signals and reduces over-fitting to uninformative low frequency signals. To improve the robustness of DNN services under such signal frequency attacks, we propose a multi-modal collaborative adversarial training framework, named MMCAT, which uses the multi-modal information of the input images for cross-modal collaborative training and extends naturally to learning from multi-modal image information. Extensive experiments show that, under strong adaptive frequency attacks, DNN services trained with the proposed MMCAT method achieve superior performance and robustness over state-of-the-art adversarial training approaches.
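To make the frequency-domain mechanism in the abstract concrete, the following is an added illustration written for this page; it is not the paper's code, and the paper's exact filter shape, cutoff radius and scaling are not given here, so the radial cutoff `CUTOFF`, the perturbation amplitude `EPS`, the `gain` in `enhance_high_frequency` and the 8x8 sample "image" are all assumptions. It implements a 2-D DFT in pure Python, uses it as a high-pass filter, and shows the two facts the abstract relies on: a constructed smooth image has essentially no energy above the cutoff, while a checkerboard perturbation (the highest frequency an 8x8 grid can hold) has all of its energy there, so the high-pass filter recovers the perturbation from the adversarial input and can amplify it.

```python
import cmath
import math

# --- Constructed sample data (assumed for this illustration, not from the paper) ---
N = 8            # tiny N x N "image" so the naive DFT below stays instant
CUTOFF = 2.0     # assumed radial cutoff: bins with |f| <= 2 count as "low frequency"
EPS = 0.05       # assumed perturbation amplitude (small relative to pixel range 0..1)

# A smooth low-frequency image: a DC level plus one cosine along each axis.
CLEAN = [[0.5 + 0.25 * math.cos(2 * math.pi * i / N)
              + 0.25 * math.cos(2 * math.pi * j / N) for j in range(N)] for i in range(N)]
# A +/-EPS checkerboard: the highest spatial frequency an 8x8 grid can represent.
PERTURBATION = [[EPS if (i + j) % 2 == 0 else -EPS for j in range(N)] for i in range(N)]
ADVERSARIAL = [[CLEAN[i][j] + PERTURBATION[i][j] for j in range(N)] for i in range(N)]


def dft1(seq, inverse=False):
    """Naive 1-D discrete Fourier transform; the inverse divides by n."""
    n = len(seq)
    sign = 1 if inverse else -1
    out = []
    for k in range(n):
        acc = 0j
        for t, v in enumerate(seq):
            acc += v * cmath.exp(sign * 2j * math.pi * k * t / n)
        out.append(acc / n if inverse else acc)
    return out


def dft2(img, inverse=False):
    """Separable 2-D DFT: transform every row, then every column."""
    rows = [dft1(r, inverse) for r in img]
    h, w = len(rows), len(rows[0])
    cols = [dft1([rows[i][j] for i in range(h)], inverse) for j in range(w)]
    return [[cols[j][i] for j in range(w)] for i in range(h)]


def _centered(k, n):
    """Map DFT bin k to its signed frequency (0..n/2 positive, the rest negative)."""
    return k if k <= n // 2 else k - n


def is_high(u, v, h, w, cutoff):
    """True when bin (u, v) lies outside the low-frequency disc of radius cutoff."""
    return math.hypot(_centered(u, h), _centered(v, w)) > cutoff


def high_pass(img, cutoff):
    """Zero every low-frequency bin and transform back; returns a real-valued image."""
    spec = dft2(img)
    h, w = len(img), len(img[0])
    kept = [[spec[u][v] if is_high(u, v, h, w, cutoff) else 0j for v in range(w)]
            for u in range(h)]
    return [[c.real for c in row] for row in dft2(kept, inverse=True)]


def high_freq_energy_fraction(img, cutoff):
    """Share of spectral energy (sum of |X|^2) that sits above the cutoff."""
    spec = dft2(img)
    h, w = len(img), len(img[0])
    total = sum(abs(c) ** 2 for row in spec for c in row)
    high = sum(abs(spec[u][v]) ** 2 for u in range(h) for v in range(w)
               if is_high(u, v, h, w, cutoff))
    return high / total if total else 0.0


def enhance_high_frequency(img, cutoff, gain):
    """Hypothetical 'high-frequency-enhanced' example: add gain x the high-pass residue.
    This is one plausible reading of the abstract, not the paper's exact construction."""
    hp = high_pass(img, cutoff)
    return [[img[i][j] + gain * hp[i][j] for j in range(len(img[0]))]
            for i in range(len(img))]


if __name__ == "__main__":
    print("clean high-freq share       :", round(high_freq_energy_fraction(CLEAN, CUTOFF), 4))
    print("perturbation high-freq share:", round(high_freq_energy_fraction(PERTURBATION, CUTOFF), 4))
    print("adversarial high-freq share :", round(high_freq_energy_fraction(ADVERSARIAL, CUTOFF), 4))
    enhanced = enhance_high_frequency(ADVERSARIAL, CUTOFF, 3.0)
    print("enhanced high-freq share    :", round(high_freq_energy_fraction(enhanced, CUTOFF), 4))
```

The energy-fraction check is the useful diagnostic for a practitioner: run it over real query inputs and their adversarial counterparts to confirm, for your own model and data, that the perturbation budget really does land above the cutoff before relying on any frequency-based defence. On real images the clean share will not be zero as it is for the constructed cosine image here, so compare the shares of the perturbation and the clean input rather than expecting an exact value.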
Keywords
adaptive high frequency attacks, deep learning