Detecting Adversarial Examples by Input Transformations, Defense Perturbations, and Voting

Nesti, Federico; Biondi, Alessandro; Buttazzo, Giorgio

doi:10.48550/arxiv.2101.11466

Cited by 2 publications

(2 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This is because the optimization process is simpler when not considering the randomized transformations. However, it is important to note that these patches would not be transferrable to the real world, and are not robust even to simple transformations [10,22].…”

Section: Eot-based Patches On Cityscapesmentioning

confidence: 99%

Evaluating the Robustness of Semantic Segmentation for Autonomous Driving against Real-World Adversarial Patch Attacks

Nesti¹,

Rossolini²,

Nair³

et al. 2021

Preprint

Self Cite

View full text Add to dashboard Cite

Deep learning and convolutional neural networks allow achieving impressive performance in computer vision tasks, such as object detection and semantic segmentation (SS). However, recent studies have shown evident weaknesses of such models against adversarial perturbations. In a realworld scenario instead, like autonomous driving, more attention should be devoted to real-world adversarial examples (RWAEs), which are physical objects (e.g., billboards and printable patches) optimized to be adversarial to the entire perception pipeline. This paper presents an in-depth evaluation of the robustness of popular SS models by testing the effects of both digital and real-world adversarial patches. These patches are crafted with powerful attacks enriched with a novel loss function. Firstly, an investigation on the Cityscapes dataset is conducted by extending the Expectation Over Transformation (EOT) paradigm to cope with SS. Then, a novel attack optimization, called scenespecific attack, is proposed. Such an attack leverages the CARLA driving simulator to improve the transferability of the proposed EOT-based attack to a real 3D environment. Finally, a printed physical billboard containing an adversarial patch was tested in an outdoor driving scenario to assess the feasibility of the studied attacks in the real world. Exhaustive experiments revealed that the proposed attack formulations outperform previous work to craft both digital and real-world adversarial patches for SS. At the same time, the experimental results showed how these attacks are notably less effective in the real world, hence questioning the practical relevance of adversarial attacks to SS models for autonomous/assisted driving.

show abstract

Section: Eot-based Patches On Cityscapesmentioning

confidence: 99%

Evaluating the Robustness of Semantic Segmentation for Autonomous Driving against Real-World Adversarial Patch Attacks

Nesti¹,

Rossolini²,

Nair³

et al. 2021

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…Along with the surge of attack algorithms, there has been an increase in the development of defense algorithms such as Adversarial Training (AT) [17], input transformation [18] [19], gradient obfuscation [20], and stochastic defense via randomization [21] [22][23] [24][25] [26] [27]. However, limitations of existing defense techniques have also been observed [28][29] [30].…”

Section: Introductionmentioning

confidence: 99%

Boundary Defense Against Black-box Adversarial Attacks

Aithal¹,

Li²

2022

Preprint

View full text Add to dashboard Cite

Black-box adversarial attacks generate adversarial samples via iterative optimizations using repeated queries. Defending deep neural networks against such attacks has been challenging. In this paper, we propose an efficient Boundary Defense (BD) method which mitigates black-box attacks by exploiting the fact that the adversarial optimizations often need samples on the classification boundary. Our method detects the boundary samples as those with low classification confidence and adds white Gaussian noise to their logits. The method's impact on the deep network's classification accuracy is analyzed theoretically. Extensive experiments are conducted and the results show that the BD method can reliably defend against both soft and hard label black-box attacks. It outperforms a list of existing defense methods. For IMAGENET models, by adding zero-mean white Gaussian noise with standard deviation 0.1 to logits when the classification confidence is less than 0.3, the defense reduces the attack success rate to almost 0 while limiting the classification accuracy degradation to around 1 percent.

show abstract

Detecting Adversarial Examples by Input Transformations, Defense Perturbations, and Voting

Cited by 2 publications

References 29 publications

Evaluating the Robustness of Semantic Segmentation for Autonomous Driving against Real-World Adversarial Patch Attacks

Evaluating the Robustness of Semantic Segmentation for Autonomous Driving against Real-World Adversarial Patch Attacks

Boundary Defense Against Black-box Adversarial Attacks

Contact Info

Product

Resources

About