Locally optimal detection of adversarial inputs to image classifiers

Moulin, Pierre; Goel, Amish

doi:10.1109/icmew.2017.8026257

Cited by 6 publications

(9 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It is worth mentioning that the adversarial example detection is similar in nature to a steganalysis problem, where the digital watermarking community has developed a rich family of methods. Summarizing this experience, one can mention that to train efficient detectors of adversarial attacks, it is needed to either know a model describing an adversarial modulation along with the statistics of original data [36] or have an access to the training data sets of original and adversarial examples. Some examples of these strategies include [37][38][39][40].…”

Section: Defense Strategiesmentioning

confidence: 99%

Machine learning through cryptographic glasses: combating adversarial attacks by key-based diversified aggregation

Taran

Rezaeifar

Holotyak

et al. 2020

EURASIP J. on Info. Security

View full text Add to dashboard Cite

In recent years, classification techniques based on deep neural networks (DNN) were widely used in many fields such as computer vision, natural language processing, and self-driving cars. However, the vulnerability of the DNN-based classification systems to adversarial attacks questions their usage in many critical applications. Therefore, the development of robust DNN-based classifiers is a critical point for the future deployment of these methods. Not less important issue is understanding of the mechanisms behind this vulnerability. Additionally, it is not completely clear how to link machine learning with cryptography to create an information advantage of the defender over the attacker. In this paper, we propose a key-based diversified aggregation (KDA) mechanism as a defense strategy in a gray- and black-box scenario. KDA assumes that the attacker (i) knows the architecture of classifier and the used defense strategy, (ii) has an access to the training data set, but (iii) does not know a secret key and does not have access to the internal states of the system. The robustness of the system is achieved by a specially designed key-based randomization. The proposed randomization prevents the gradients’ back propagation and restricts the attacker to create a “bypass” system. The randomization is performed simultaneously in several channels. Each channel introduces its own randomization in a special transform domain. The sharing of a secret key between the training and test stages creates an information advantage to the defender. Finally, the aggregation of soft outputs from each channel stabilizes the results and increases the reliability of the final score. The performed experimental evaluation demonstrates a high robustness and universality of the KDA against state-of-the-art gradient-based gray-box transferability attacks and the non-gradient-based black-box attacks (The results reported in this paper have been partially presented in CVPR 2019 (Taran et al., Defending against adversarial attacks by randomized diversification, 2019) & ICIP 2019 (Taran et al., Robustification of deep net classifiers by key-based diversified aggregation with pre-filtering, 2019)).

show abstract

Section: Defense Strategiesmentioning

confidence: 99%

Machine learning through cryptographic glasses: combating adversarial attacks by key-based diversified aggregation

Taran

Rezaeifar

Holotyak

et al. 2020

EURASIP J. on Info. Security

View full text Add to dashboard Cite

show abstract

“…Current strategies to mitigate adversarial perturbations fall into two categories: (1) adversarial training algorithms to learn robust DNN classifier models [6]- [8], (2) detection algorithms to detect the adversarially perturbed inputs [9]- [11] with the classifier unchanged. While adversarial training has been successful to improve the classifier's performance against both input-dependent and universal perturbations in images, the improved robustness often come at expense of accuracy on unperturbed inputs [8].…”

Section: Introductionmentioning

confidence: 99%

“…Compared to other detectors, LO detectors are naturally suited to detection of UAPs that have small norm. LO detectors for adversarial perturbations detection were first described in [9], [10], for the setting of detecting finitely many perturbations of the input that are known to the detector. Here, we derive a locally optimal generalized likelihood ratio test (LO-GLRT) for detecting random targeted UAPs in an input of a classifier.…”

Section: Introductionmentioning

confidence: 99%

Locally Optimal Detection of Stochastic Targeted Universal Adversarial Perturbations

Goel

Moulin

2021

ICASSP 2021 - 2021 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP)

Self Cite

View full text Add to dashboard Cite

Deep learning image classifiers are known to be vulnerable to small adversarial perturbations of input images. In this paper, we derive the locally optimal generalized likelihood ratio test based detector for detecting stochastic targeted universal adversarial perturbations to a classifier's input. We employ a two-stage process to learn the detector's parameters, which involves unsupervised maximum likelihood estimation followed by supervised training and demonstrates better performance of the detector compared to other detection methods on several popular image classification datasets.

show abstract

“…Current strategies to defend a classifier against adversarial perturbations fall into two categories: (1) adapting the training algorithms to learn models which are more robust, using for example adversarial training [6][7][8], (2) detect and possibly rectify the adversarially perturbed inputs [9][10][11]. While adversarial training has shown improvement of the DNN against both input dependent and input independent perturbation in images, the improved robustness often come at expense of accuracy on unperturbed inputs [8].…”

Section: Introductionmentioning

confidence: 99%

“…LO detectors are more interpretable than other detection methods for small-norm UAPs. LO detectors were earlier described in [9,10], for the setting of detecting finitely many perturbations of the input that are known to the detector. Here, we derive a locally optimal generalized likelihood ratio test (LO-GLRT) for detecting random targeted UAPs in an input of a classifier.…”

Section: Introductionmentioning

confidence: 99%

Locally optimal detection of stochastic targeted universal adversarial perturbations

Goel¹,

Moulin²

2020

Preprint

Self Cite

View full text Add to dashboard Cite

Deep learning image classifiers are known to be vulnerable to small adversarial perturbations of input images. In this paper, we derive the locally optimal generalized likelihood ratio test (LO-GLRT) based detector for detecting stochastic targeted universal adversarial perturbations (UAPs) of the classifier inputs. We also describe a supervised training method to learn the detector's parameters, and demonstrate better performance of the detector compared to other detection methods on several popular image classification datasets.

show abstract

Locally optimal detection of adversarial inputs to image classifiers

Cited by 6 publications

References 6 publications

Machine learning through cryptographic glasses: combating adversarial attacks by key-based diversified aggregation

Machine learning through cryptographic glasses: combating adversarial attacks by key-based diversified aggregation

Locally Optimal Detection of Stochastic Targeted Universal Adversarial Perturbations

Locally optimal detection of stochastic targeted universal adversarial perturbations

Contact Info

Product

Resources

About