DLA: Dense-Layer-Analysis for Adversarial Example Detection

Sperl, Philip; Kao, Ching-Yu; Chen, Peng; Xiao, Lei; Böttinger, Konstantin

doi:10.1109/eurosp48549.2020.00021

Cited by 30 publications

(17 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The most recent paper in this direction Sperl et al extract dense layer activation patterns among benign and adversarial inputs and train a secondary binary classifier that detects adversarial examples [SKCB19]. The authors do this by first performing a forward pass through a target neural network with both adversarial and benign inputs to create a mixed-feature dataset of activation-label pairs.…”

Section: Dense Layer Analysismentioning

confidence: 99%

“…We use our technique to evade four state-of-the-art and previously-unbroken defenses to adversarial examples: the Honeypot defense (CCS'20) [SWW + 20], Dense Layer Analysis (IEEE Euro S&P'20) [SKCB19], Sensitivity Inconsistency Detector (AAAI'21) [TZLD21], and the SPAM detector presented in Detection by Steganalysis (CVPR'19) [LZZ + 19]. In all cases, we successfully reduce the accuracy of the protected classifier to 0% while maintaining a detection AUC of less than 0.5-meaning the detector performs worse than random guessing.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Evading Adversarial Example Detection Defenses with Orthogonal Projected Gradient Descent

Bryniarski¹,

Hingun²,

Pachuca³

et al. 2021

Preprint

View full text Add to dashboard Cite

Evading adversarial example detection defenses requires finding adversarial examples that must simultaneously (a) be misclassified by the model and (b) be detected as non-adversarial. We find that existing attacks that attempt to satisfy multiple simultaneous constraints often over-optimize against one constraint at the cost of satisfying another. We introduce Orthogonal Projected Gradient Descent, an improved attack technique to generate adversarial examples that avoids this problem by orthogonalizing the gradients when running standard gradient-based attacks. We use our technique to evade four state-of-the-art detection defenses, reducing their accuracy to 0% while maintaining a 0% detection rate. * Equal contributions. Authored alphabetically.Preprint. Under review.

show abstract

Section: Dense Layer Analysismentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Evading Adversarial Example Detection Defenses with Orthogonal Projected Gradient Descent

Bryniarski¹,

Hingun²,

Pachuca³

et al. 2021

Preprint

View full text Add to dashboard Cite

show abstract

“…Adversarial detections: Due to the difficulty of adversarial defenses, recent works focus on reactive adversarial detections, which distinguish adversarial images from benign images. Adversarial detections could be grouped into three categories: statistical measurement [36]- [38], secondary classifier [39], [40] and input transformation [41]- [44].…”

Section: Related Workmentioning

confidence: 99%

Feature-Filter: Detecting Adversarial Examples through Filtering off Recessive Features

Liu¹,

Zhao²,

Peng³

et al. 2021

Preprint

View full text Add to dashboard Cite

“…Detecting Adversarial Perturbations: As a result of adversarial perturbations' discovery many works emerged, proposing defenses [22], [23], as well as circumventing those defenses [24]. While defense approaches are able to mitigate the effect of smaller perturbations, larger perturbations still pose a challenge, motivating the use of adversarial perturbation detection methods [25], [26], [27]. These methods do not prevent the (catastrophic) effects of the perturbation, but 1 Marvin Klingner, Andreas Bär, and Tim Fingscheidt are with the Institute for Communications Technology, Technische Universität Braunschweig, Schleinitzstr.…”

Section: Introductionmentioning

confidence: 99%

“…1) and take measures accordingly. Note that current works in this field focus on image classification [25], [26], [27], while we address the underrepresented tasks of semantic segmentation [28] and depth estimation [29]. Compared to works on image classification, we make use of the more complex output structure of these tasks, i.e., we utilize the edge consistency between the input image and the network outputs (cf.…”

Section: Introductionmentioning

confidence: 99%

Detecting Adversarial Perturbations in Multi-Task Perception

Klingner¹,

Kumar²,

Yogamani³

et al. 2022

Preprint

View full text Add to dashboard Cite

While deep neural networks (DNNs) achieve impressive performance on environment perception tasks, their sensitivity to adversarial perturbations limits their use in practical applications. In this paper, we (i) propose a novel adversarial perturbation detection scheme based on multi-task perception of complex vision tasks (i.e., depth estimation and semantic segmentation). Specifically, adversarial perturbations are detected by inconsistencies between extracted edges of the input image, the depth output, and the segmentation output. To further improve this technique, we (ii) develop a novel edge consistency loss between all three modalities, thereby improving their initial consistency which in turn supports our detection scheme. We verify our detection scheme's effectiveness by employing various known attacks and image noises. In addition, we (iii) develop a multi-task adversarial attack, aiming at fooling both tasks as well as our detection scheme. Experimental evaluation on the Cityscapes and KITTI datasets shows that under an assumption of a 5% false positive rate up to 100% of images are correctly detected as adversarially perturbed, depending on the strength of the perturbation. Code will be available on github. A short video at https://youtu.be/ KKa6gOyWmH4 provides qualitative results.

show abstract

DLA: Dense-Layer-Analysis for Adversarial Example Detection

Cited by 30 publications

References 27 publications

Evading Adversarial Example Detection Defenses with Orthogonal Projected Gradient Descent

Evading Adversarial Example Detection Defenses with Orthogonal Projected Gradient Descent

Feature-Filter: Detecting Adversarial Examples through Filtering off Recessive Features

Detecting Adversarial Perturbations in Multi-Task Perception

Contact Info

Product

Resources

About