Detection of Adversarial Examples in Deep Neural Networks with Natural Scene Statistics

Kherchouche, Anouar; Fezza, Sid Ahmed; Hamidouche, Wassim; Déforges, Olivier

doi:10.1109/ijcnn48605.2020.9206959

Cited by 20 publications

(18 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…5. It is noted that (1) SVM with the 18-D NSS feature may fail to generalize due to insufficient sampling (hence the below-diagonal ROC); (2) NSS performs better for small ε, but performance saturates with larger ε, because NSS does not incorporate any cue from network gradient behavior; (3) small ε is difficult for ARC, but its performance soars with larger ε towards 100%, which is consistent and expected from our visualization; (4) SVM with ARCv can generalize against all PGD-like attacks, while NSS failed for MIM; (5) SVM with NSS may generalize against some non-PGD-like attacks [29], while ARC could not due to SAE uniqueness; (6) SVM with the 2-D NSS feature ("Method 2" in [29]) fails to generalize. Thus, ARC achieves competitive performance consistently across different settings despite the extreme limits, because the ARC feature is low-dimensional, and incorporates cue from network gradient behavior.…”

Section: Comparison With Previous Attack Detection Methodssupporting

confidence: 80%

“…(2) non-intrusive; (3) data-undemanding, the most relevant methods that do not lack of ImageNet evaluation are [29,30,31,32,33]. But [30,31,32,33] still require a considerable amount of data to build accurate (relatively) high-dimensional statistics.…”

Section: Comparison With Previous Attack Detection Methodsmentioning

confidence: 99%

“…But [30,31,32,33] still require a considerable amount of data to build accurate (relatively) high-dimensional statistics. The remaining NSS [29] method craft 18dimensional features from Natural Scene Statistics, which are fed into SVM for binary classification. We adapt the trained SVMs in our ordinal regression framework as well, with a reduced training set size to 100 (50 benign + 50 BIM adversarial) for each SVM for fair comparison.…”

Section: Comparison With Previous Attack Detection Methodsmentioning

confidence: 99%

“…Dropout can be used for detection when combined with Bayesian uncertainty [55]. Feature statistics-based methods [31,30,29,32,33] leverage (high-dimensional) features, which is the most compatible group of method to our problem setting, but most of them are still datademanding for an accurate statistics. Whilst MNIST property may not hold on CIFAR-10 [14], let alone ImageNet, many related works lack the evaluation on ImageNet.…”

Section: Related Workmentioning

confidence: 99%

See 3 more Smart Citations

On Trace of PGD-Like Adversarial Attacks

Zhou¹,

Patel²

2022

Preprint

View full text Add to dashboard Cite

Adversarial attacks pose safety and security concerns for deep learning applications. Yet largely imperceptible, a strong PGD-like attack may leave strong trace in the adversarial example. Since attack triggers the local linearity of a network, we speculate network behaves in different extents of linearity for benign examples and adversarial examples. Thus, we construct Adversarial Response Characteristics (ARC) features to reflect the model's gradient consistency around the input to indicate the extent of linearity. Under certain conditions, it shows a gradually varying pattern from benign example to adversarial example, as the later leads to Sequel Attack Effect (SAE). ARC feature can be used for informed attack detection (perturbation magnitude is known) with binary classifier, or uninformed attack detection (perturbation magnitude is unknown) with ordinal regression. Due to the uniqueness of SAE to PGD-like attacks, ARC is also capable of inferring other attack details such as loss function, or the ground-truth label as a post-processing defense. Qualitative and quantitative evaluations manifest the effectiveness of ARC feature on CIFAR-10 w/ ResNet-18 and ImageNet w/ ResNet-152 and SwinT-B-IN1K with considerable generalization among PGD-like attacks despite domain shift. Our method is intuitive, light-weighted, non-intrusive, and data-undemanding.Preprint. Under review.

show abstract

Section: Comparison With Previous Attack Detection Methodssupporting

confidence: 80%

Section: Comparison With Previous Attack Detection Methodsmentioning

confidence: 99%

Section: Comparison With Previous Attack Detection Methodsmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

On Trace of PGD-Like Adversarial Attacks

Zhou¹,

Patel²

2022

Preprint

View full text Add to dashboard Cite

show abstract

“…It is a more intuitive idea to prevent the adversarial examples from attacking the model by detecting the input. The detection of adversarial examples has achieved some good research results in the image field [25], [26]. In the text, using certain methods to generate adversarial examples will produce spelling errors.…”

Section: Related Workmentioning

confidence: 99%

WordRevert: Adversarial Examples Defence Method for Chinese Text Classification

Zhang

Wang

et al. 2022

IEEE Access

View full text Add to dashboard Cite

Adversarial examples can evade the detection of text classification models based on Deep Neural Networks(DNNs), thus posing a potential security threat to the system. To address this problem, we propose an adversarial example defense method for Chinese text classification called WordRevert. The method first obtains the "positive text" containing the adversarial words by filtering the clauses that do not contribute to the current classification label. Then the detection network is combined with the position importance calculation function to achieve the detection of the adversarial words. Finally, the adversarial words are restored to the original words by calculating the candidate score and the detection score. The experiments show that the current popular Chinese text adversarial attack algorithms can be effectively defended by this method, and achieve a significant increase in the accuracy of the adversarial examples with a small reduction in the classification accuracy of clean samples while achieving better precision, recall, and F1 value of adversarial word detection and restoration.

show abstract