SpectralDefense: Detecting Adversarial Attacks on CNNs in the Fourier Domain

Harder, Paula; Pfreundt, Franz-Josef; Keuper, Margret; Keuper, Janis

doi:10.1109/ijcnn52387.2021.9533442

Cited by 32 publications

(17 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…These can be broadly achieved by using trainable-detector or statistical-analysis based methods. The former usually involves training a detector-network either directly on the clean and adversarial images in spatial [24,30,32] / frequency domain [14] or on logits computed by a pre-trained classifier [4]. Statisticalanalysis based methods employ statistical tests like maximum mean discrepancy [13] or propose measures [11,27] to identify perturbed images.…”

Section: Adversarial Detectionmentioning

confidence: 99%

DAD: Data-free Adversarial Defense at Test Time

Nayak

Ruchit

Chakraborty

2022

2022 IEEE/CVF Winter Conference on Applications of Computer Vision (WACV)

View full text Add to dashboard Cite

Deep models are highly susceptible to adversarial attacks. Such attacks are carefully crafted imperceptible noises that can fool the network and can cause severe consequences when deployed. To encounter them, the model requires training data for adversarial training or explicit regularization-based techniques. However, privacy has become an important concern, restricting access to only trained models but not the training data (e.g. biometric data). Also, data curation is expensive and companies may have proprietary rights over it. To handle such situations, we propose a completely novel problem of 'test-time adversarial defense in absence of training data and even their statistics'. We solve it in two stages: a) detection and b) correction of adversarial samples. Our adversarial sample detection framework is initially trained on arbitrary data and is subsequently adapted to the unlabelled test data through unsupervised domain adaptation. We further correct the predictions on detected adversarial samples by transforming them in Fourier domain and obtaining their low frequency component at our proposed suitable radius for model prediction. We demonstrate the efficacy of our proposed technique via extensive experiments against several adversarial attacks and for different model architectures and datasets. For a non-robust Resnet-18 model pretrained on CIFAR-10, our detection method correctly identifies 91.42% adversaries. Also, we significantly improve the adversarial accuracy from 0% to 37.37% with a minimal drop of 0.02% in clean accuracy on state-of-the-art 'Auto Attack' without having to retrain the model.

show abstract

Section: Adversarial Detectionmentioning

confidence: 99%

DAD: Data-free Adversarial Defense at Test Time

Nayak

Ruchit

Chakraborty

2022

2022 IEEE/CVF Winter Conference on Applications of Computer Vision (WACV)

View full text Add to dashboard Cite

show abstract

“…A fundamental assumption of existing adversarial attack detection [46,37,59,60,23,39,40,35,12,25,18,1] as well as adversarial augmentation methods [39,40,35,12,25] is that adversarial attacks are known and samples can easily be generated using these attacks to train the detector or augment the main model being defended. This assumption, however, is not realistic, since more often than not the defender does not know the attacks a priori and therefore samples cannot be easily generated to train a supervised detector or train an adversarially-augmented model.…”

Section: Challenges and Rationalementioning

confidence: 99%

“…There are three main orthogonal approaches for combating adversarial attacks -(i) Using adversarial attacks as a data augmentation mechanism by including adversarially perturbed samples in the training data to induce robustness in the trained model [41,78,79,80,10,75,8,74]; (ii) Preprocessing the input data with a denoising function or deep network [38,15,22,24,45] to counteract the effect of adversarial perturbations; and (iii) Training an auxiliary network to detect adversarial examples and deny providing inference on adversarial samples [46,37,59,60,23,39,40,35,12,25,18,1]. Our work falls under adversarial example detection as it does not require retraining the main network (as in adversarial training) nor degrade the input quality (as in preprocessing defenses).…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Attack-Agnostic Adversarial Detection

Cheng¹,

Hussein²,

Billa³

et al. 2022

Preprint

View full text Add to dashboard Cite

The growing number of adversarial attacks in recent years gives attackers an advantage over defenders, as defenders must train detectors after knowing the types of attacks, and many models need to be maintained to ensure good performance in detecting any upcoming attacks. We propose a way to end the tug-of-war between attackers and defenders by treating adversarial attack detection as an anomaly detection problem so that the detector is agnostic to the attack. We quantify the statistical deviation caused by adversarial perturbations in two aspects. The Least Significant Component Feature (LSCF) quantifies the deviation of adversarial examples from the statistics of benign samples and Hessian Feature (HF) reflects how adversarial examples distort the landscape of models' optima by measuring the local loss curvature. Empirical results show that our method can achieve an overall ROC AUC of 94.9%, 89.7%, and 94.6% on CIFAR10, CIFAR100, and SVHN, respectively, and has comparable performance to adversarial detectors trained with adversarial examples on most of the attacks.Preprint. Under review.

show abstract

“…ese studies all focused on the distribution of spatial probability (i.e., statistical probability) to make them reasonable. However, the latest studies in [9][10][11][12][13][14][15] indicated that adversarial examples are mainly concentrated in the high-frequency region. Moreover, Ilyas et al further illustrated in [16] that adversarial examples are not even bugs.…”

Section: Introductionmentioning

confidence: 99%

From Spatial to Spectral Domain, a New Perspective for Detecting Adversarial Examples

Liu

Cao

Tao

et al. 2022

Security and Communication Networks

View full text Add to dashboard Cite

Deep neural networks (DNNs) have been closely related to the Pandora’s box from the moment of its birth. Although it achieves a high accuracy significantly in real-world tasks (e.g., object detecting and speech recognition), it still retains fatal vulnerabilities and flaws. Malicious attackers can manipulate DNN model misclassification just by adding tiny perturbations to the original image. These crafted samples are also called adversarial examples. One of the effective defense methods is to detect them before feeding them into the model. In this paper, we delve into the representation of adversarial examples in the original spatial and spectral domains. By qualitative and quantitative analysis, it is confirmed that the high-level representation and high-frequency components of abnormal samples contain richer discriminative information. To further explore the influence mechanism between the two factors, we perform an ablation study and the results show a win-win effect. Utilizing the finding, a detecting method (HLFD) is proposed based on extracting high-level representation and high-frequency components. Compared with other state-of-the-art detection methods, we achieve a better detection performance in most scenarios via a series of experiments conducted on MNIST, CIFAR-10, CIFAR-100, SVHN, and Tiny-ImageNet. In particular, we improve detection rates by a large margin on DeepFool and CW attacks.

show abstract

SpectralDefense: Detecting Adversarial Attacks on CNNs in the Fourier Domain

Cited by 32 publications

References 13 publications

DAD: Data-free Adversarial Defense at Test Time

DAD: Data-free Adversarial Defense at Test Time

Attack-Agnostic Adversarial Detection

From Spatial to Spectral Domain, a New Perspective for Detecting Adversarial Examples

Contact Info

Product

Resources

About