Detection defense against adversarial attacks with saliency map

Adversarial examples pose many security threats to convolutional neural networks (CNNs). Most defense algorithms prevent these threats by finding differences between the original images and adversarial examples. However, the found differences do not contain features about the classes, so these defense algorithms can only detect adversarial examples without recovering the correct labels. In this regard, we propose the Adversarial Feature Genome (AFG), a novel type of data that contain both the differences and features about classes. This method is inspired by an observed phenomenon, namely, the Adversarial Feature Separability, where the difference between the feature maps of the original images and adversarial examples becomes larger with deeper layers. On top of that, we further develop an adversarial example recognition framework that detects adversarial examples and can recover the correct labels. In the experiments, the detection and classification of adversarial examples by AFGs has an accuracy of more than 90.01% in various attack scenarios. To the best of our knowledge, our method is the first method that focuses on both attack detecting and recovering. AFG gives a new data‐driven perspective to improve the robustness of CNNs.

Section: Introductionmentioning

confidence: 95%

mentioning

confidence: 99%

A data‐driven adversarial examples recognition framework via adversarial feature genomes

Chen

et al. 2022

“…[5][6][7][8][9][10] These perturbations are imperceptible to human beings but can easily fool DNNs, which raises invisible threats to the vision-based automatic decision. [11][12][13][14][15] Consequently, the robustness of DNNs encounters great challenges in real-world applications. 16,17 For example, the existence of AEs can pose severe security threats for traffic sign recognition in autonomous driving.…”

Section: Introductionmentioning

confidence: 99%

Attention‐guided black‐box adversarial attacks with large‐scale multiobjective evolutionary optimization

Wang¹,

Yin²,

Jiang³

et al. 2022

Fooling deep neural networks (DNNs) with black-box optimization has become a popular adversarial attack fashion, as the prior structural knowledge of DNNs is always unknown. Nevertheless, recent black-box adversarial attacks may struggle to balance their attack ability and visual quality of the generated adversarial examples (AEs) in tackling high-resolution images. In this paper, we propose an attention-guided black-box adversarial attack based on the large-scale multiobjective evolutionary optimization, termed LMOA. By considering the spatial semantic information of images, we first take advantage of the attention map to determine the perturbed pixels. Instead of attacking the entire image, reducing the perturbed pixels with the attention mechanism can help to avoid the notorious curse of dimensionality and thereby improve the performance of attacking. Second, a large-scale multiobjective evolutionary algorithm traverse the reduced pixels in the salient region. Benefiting from its characteristics, the generated AEs can fool target DNNs while being invisible by human vision. Extensive experimental results have verified the effectiveness of the proposed LMOA on the ImageNet data set. More importantly, it is more competitive to generate highresolution AEs with the better visual quality than the existing black-box adversarial attacks.

“…However, this also increases the risk of disinformation crimes caused by manipulations with malicious intention 14–18 . For instance, fake news with maliciously manipulated image (e.g., on COVID‐19) can cause serious negative impacts on national security and social stability 19–22 …”

Section: Introductionmentioning

confidence: 99%

“…[14][15][16][17][18] For instance, fake news with maliciously manipulated image (e.g., on COVID-19) can cause serious negative impacts on national security and social stability. [19][20][21][22] To alleviate the risks of manipulated images, various manipulation detection methods are proposed to recognize the manipulated images. [23][24][25][26] Early research solve image manipulation detection as a classification task.…”

Section: Introductionmentioning

confidence: 99%

MC‐Net: Learning mutually‐complementary features for image manipulation localization

Shen

Lyu

et al. 2022

Deep learning has become an emerging technical for image manipulation localization, which can automatically recognize abnormal traces caused by manipulation. However, as manipulations mainly happens in the foreground regions, these methods largely focus on the foreground contents and neglect the background, which contain complementary signal for fully understanding the image and are meaningful for manipulation localization. We propose a Mutually‐Complementary Network (MC‐Net), which is a two‐branch network to operate the foreground and background features, respectively. To distill complementary signals from the features, we propose a mutual attentive module composed of self‐feature attentive, and cross‐feature attentive components to advance the communication across the foreground and background branches. Extensive qualitative and quantitative experiments demonstrate that our proposed MC‐Net distinctly improves the prediction of foreground and background, obtains consistent performance increments on four benchmark data sets, and significantly outperforms the state‐of‐the‐art methods.