2021
DOI: 10.1109/access.2021.3133334
|View full text |Cite
|
Sign up to set email alerts
|

You Can’t Fool All the Models: Detect Adversarial Samples via Pruning Models

Abstract: Many adversarial attack methods have investigated the security issue of deep learning models. Previous works on detecting adversarial samples show superior in accuracy but consume too much memory and computing resources. In this paper, we propose an adversarial sample detection method based on pruned models and evaluate four different pruning methods. We find that pruned neural network models are sensitive to adversarial samples, i.e., the pruned models tend to output labels different from the original model w… Show more

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...
2
1

Citation Types

0
3
0

Year Published

2022
2022
2024
2024

Publication Types

Select...
3
1

Relationship

0
4

Authors

Journals

citations
Cited by 4 publications
(3 citation statements)
references
References 25 publications
0
3
0
Order By: Relevance
“…Lee et al [70] also proposed a framework for detecting adversarial examples that can be used to detect adversaries in any pre-trained Softmax neural classifier. The authors of [71] presented model-pruning-based adversarial attack detection methods, while, on the other hand, Chen et al [72] presented a method to detect adversarial attacks based on activation clustering methods. In contrast to adversarial detection, the adversarial transformation methods apply transformation techniques to mitigate the effect of adversarial attacks and obtain a clean image.…”
Section: Methods For Detecting and Defending Against Adversarial Attacksmentioning
confidence: 99%
“…Lee et al [70] also proposed a framework for detecting adversarial examples that can be used to detect adversaries in any pre-trained Softmax neural classifier. The authors of [71] presented model-pruning-based adversarial attack detection methods, while, on the other hand, Chen et al [72] presented a method to detect adversarial attacks based on activation clustering methods. In contrast to adversarial detection, the adversarial transformation methods apply transformation techniques to mitigate the effect of adversarial attacks and obtain a clean image.…”
Section: Methods For Detecting and Defending Against Adversarial Attacksmentioning
confidence: 99%
“…13 shows the visual illustration of an Intel SGX-compatible system. The Metaverse platform owner can Trusted Execution Environment Encrypt a portion of CPU memory to isolate specific application in memory [212] Trusted Execution Environment Evaluate the feasibility of deploying TEE on edge device with different CPU [213] Trusted Execution Environment Following [211], the data are encrypted in the TEE before they are offloaded to other edge servers [214] Federated Learning Integrated differential privacy into FL to improve the protection level [215] Federated Learning Following [214], randomized mechanism are added together with DP to hide users' contributions during training [216] Adversarial Machine Learning Distance between data points and distribution-estimation based outlier detection algorithms are used to defence against poisoning attack [217] Adversarial Machine Learning Propose to use multiple models to form a model family so that it is more robust in white-box attack scenario [218] Adversarial Machine Learning Propose to use label change rate to protect the pruned neural network against adversarial sample set up a list of requirements to prevent the users from using edge devices that are not using SGX-enabled Intel CPU. With the help of SGX, edge devices can trust the data running on a platform with the latest security updates.…”
Section: Privacy and Securitymentioning
confidence: 99%
“…In addition, the edge device user does not want a single application to consume too much power. The authors in [218] detect the adversarial samples via pruning models. The framework is mainly tested with four pruning methods, i.e., random channel pruning, 𝐿 1 norm pruning, lottery ticket hypothesis pruning, and subnetwork extraction.…”
Section: Privacy and Securitymentioning
confidence: 99%