Random Ensemble of Locally Optimum Detectors for Detection of Adversarial Examples

Goel, Amish; Moulin, Pierre

doi:10.1109/globalsip.2018.8646479

Cited by 3 publications

(5 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Our future research will investigate detector-aware UAP attacks. Randomization strategies such as proposed in our prior work [16] could provide an effective approach in such cases.…”

Section: Discussionmentioning

confidence: 99%

“…We proposed a LO-GLRT for the detection of adversarial inputs in [15]. Subsequent extensions of the approach include locally optimal tests for random ensembles of image patches [16], and detection of targeted-UAPs [17]. We empirically showed the two-stage-trained LO-GLRT to be competitive in statistical performance to the PRN detector for CIFAR10 and CIFAR100 datasets, and significantly better for the ImageNet dataset [17].…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Fast Locally Optimal Detection of Targeted Universal Adversarial Perturbations

Goel

Moulin

2022

IEEE Trans.Inform.Forensic Secur.

Self Cite

View full text Add to dashboard Cite

This paper proposes a locally-optimal generalized likelihood ratio test (LO-GLRT) for detecting targeted attacks on a classifier, where the attacks add a norm-bounded targeted universal adversarial perturbation (UAP) to the classifier's input. The paper includes both an analysis of the test as well as its empirical evaluation. The analysis provides an expression for the approximate lower bound of the detection probability, and the empirical evaluation shows this approximation to be similar to the actual detection probability. Since the LO-GLRT requires the score function of the input distribution, which is usually unknown in practice, we study the LO-GLRT for a learned surrogate input distribution. Specifically, we use a Gaussian distribution over the input subvectors as the surrogate distribution, for its mathematical tractability and computational efficiency. We evaluate the detector for several popular image classifiers and datasets, and compare the statistical and computational performance with the perturbation rectifying network (PRN) detector, another successful approach for detecting the UAPs. The LO-GLRT outperforms the PRN detector on both counts, with a running time at least 100 times lower than that of the PRN detector.

show abstract

“…Our future research will investigate detector-aware UAP attacks. Randomization strategies such as proposed in our prior work [16] could provide an effective approach in such cases.…”

Section: Discussionmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Fast Locally Optimal Detection of Targeted Universal Adversarial Perturbations

Goel

Moulin

2022

IEEE Trans.Inform.Forensic Secur.

Self Cite

View full text Add to dashboard Cite

show abstract

“…Compared to other detectors, LO detectors are naturally suited to detection of UAPs that have small norm. LO detectors for adversarial perturbations detection were first described in [9], [10], for the setting of detecting finitely many perturbations of the input that are known to the detector. Here, we derive a locally optimal generalized likelihood ratio test (LO-GLRT) for detecting random targeted UAPs in an input of a classifier.…”

Section: Introductionmentioning

confidence: 99%

Locally Optimal Detection of Stochastic Targeted Universal Adversarial Perturbations

Goel

Moulin

2021

ICASSP 2021 - 2021 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP)

Self Cite

View full text Add to dashboard Cite

Deep learning image classifiers are known to be vulnerable to small adversarial perturbations of input images. In this paper, we derive the locally optimal generalized likelihood ratio test based detector for detecting stochastic targeted universal adversarial perturbations to a classifier's input. We employ a two-stage process to learn the detector's parameters, which involves unsupervised maximum likelihood estimation followed by supervised training and demonstrates better performance of the detector compared to other detection methods on several popular image classification datasets.

show abstract

“…Current strategies to defend a classifier against adversarial perturbations fall into two categories: (1) adapting the training algorithms to learn models which are more robust, using for example adversarial training [6][7][8], (2) detect and possibly rectify the adversarially perturbed inputs [9][10][11]. While adversarial training has shown improvement of the DNN against both input dependent and input independent perturbation in images, the improved robustness often come at expense of accuracy on unperturbed inputs [8].…”

Section: Introductionmentioning

confidence: 99%

“…LO detectors are more interpretable than other detection methods for small-norm UAPs. LO detectors were earlier described in [9,10], for the setting of detecting finitely many perturbations of the input that are known to the detector. Here, we derive a locally optimal generalized likelihood ratio test (LO-GLRT) for detecting random targeted UAPs in an input of a classifier.…”

Section: Introductionmentioning

confidence: 99%

Locally optimal detection of stochastic targeted universal adversarial perturbations

Goel¹,

Moulin²

2020

Preprint

Self Cite

View full text Add to dashboard Cite

Deep learning image classifiers are known to be vulnerable to small adversarial perturbations of input images. In this paper, we derive the locally optimal generalized likelihood ratio test (LO-GLRT) based detector for detecting stochastic targeted universal adversarial perturbations (UAPs) of the classifier inputs. We also describe a supervised training method to learn the detector's parameters, and demonstrate better performance of the detector compared to other detection methods on several popular image classification datasets.

show abstract

Random Ensemble of Locally Optimum Detectors for Detection of Adversarial Examples

Cited by 3 publications

References 6 publications

Fast Locally Optimal Detection of Targeted Universal Adversarial Perturbations

Fast Locally Optimal Detection of Targeted Universal Adversarial Perturbations

Locally Optimal Detection of Stochastic Targeted Universal Adversarial Perturbations

Locally optimal detection of stochastic targeted universal adversarial perturbations

Contact Info

Product

Resources

About