Defense-friendly Images in Adversarial Attacks: Dataset and Metrics for Perturbation Difficulty
- URL: http://arxiv.org/abs/2011.02675v2
- Date: Sat, 7 Nov 2020 02:57:50 GMT
- Title: Defense-friendly Images in Adversarial Attacks: Dataset and Metrics for Perturbation Difficulty
- Authors: Camilo Pestana, Wei Liu, David Glance, Ajmal Mian
- Abstract summary: Dataset bias is a problem in adversarial machine learning, especially in the evaluation of defenses.
In this paper, we report, for the first time, a class of robust images that are both resilient to attacks and that recover better than random images under adversarial attacks.
We propose three metrics to determine the proportion of robust images in a dataset and provide scoring to determine the dataset bias.
- Score: 28.79528737626505
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Dataset bias is a problem in adversarial machine learning, especially in the
evaluation of defenses. An adversarial attack or defense algorithm may show
better results on the reported dataset than can be replicated on other
datasets. Even when two algorithms are compared, their relative performance can
vary depending on the dataset. Deep learning offers state-of-the-art solutions
for image recognition, but deep models are vulnerable even to small
perturbations. Research in this area focuses primarily on adversarial attacks
and defense algorithms. In this paper, we report, for the first time, a class of
robust images that are both resilient to attacks and that recover better than
random images under adversarial attacks using simple defense techniques. Thus,
a test dataset with a high proportion of robust images gives a misleading
impression about the performance of an adversarial attack or defense. We
propose three metrics to determine the proportion of robust images in a dataset
and provide scoring to determine the dataset bias. We also provide an
ImageNet-R dataset of 15000+ robust images to facilitate further research on
this intriguing phenomenon of image strength under attack. Our dataset,
combined with the proposed metrics, is valuable for unbiased benchmarking of
adversarial attack and defense algorithms.
Related papers
- A Geometrical Approach to Evaluate the Adversarial Robustness of Deep Neural Networks [52.09243852066406]
Adversarial Converging Time Score (ACTS) measures the converging time as an adversarial robustness metric.
We validate the effectiveness and generalization of the proposed ACTS metric against different adversarial attacks on the large-scale ImageNet dataset.
arXiv Detail & Related papers (2023-10-10T09:39:38Z)
- Adversarial Attacks Neutralization via Data Set Randomization [3.655021726150369]
Adversarial attacks on deep learning models pose a serious threat to their reliability and security.
We propose a new defense mechanism that is rooted in hyperspace projection.
We show that our solution increases the robustness of deep learning models against adversarial attacks.
arXiv Detail & Related papers (2023-06-21T10:17:55Z)
- SAIF: Sparse Adversarial and Imperceptible Attack Framework [7.025774823899217]
We propose a novel attack technique called Sparse Adversarial and Interpretable Attack Framework (SAIF).
Specifically, we design imperceptible attacks that contain low-magnitude perturbations at a small number of pixels and leverage these sparse attacks to reveal the vulnerability of classifiers.
SAIF computes highly imperceptible and interpretable adversarial examples, and outperforms state-of-the-art sparse attack methods on the ImageNet dataset.
arXiv Detail & Related papers (2022-12-14T20:28:50Z)
- CARLA-GeAR: a Dataset Generator for a Systematic Evaluation of Adversarial Robustness of Vision Models [61.68061613161187]
This paper presents CARLA-GeAR, a tool for the automatic generation of synthetic datasets for evaluating the robustness of neural models against physical adversarial patches.
The tool is built on the CARLA simulator, using its Python API, and allows the generation of datasets for several vision tasks in the context of autonomous driving.
The paper presents an experimental study to evaluate the performance of some defense methods against such attacks, showing how the datasets generated with CARLA-GeAR might be used in future work as a benchmark for adversarial defense in the real world.
arXiv Detail & Related papers (2022-06-09T09:17:38Z)
- Meta Adversarial Perturbations [66.43754467275967]
We show the existence of a meta adversarial perturbation (MAP).
MAP causes natural images to be misclassified with high probability after being updated through only a one-step gradient ascent update.
We show that these perturbations are not only image-agnostic, but also model-agnostic, as a single perturbation generalizes well across unseen data points and different neural network architectures.
arXiv Detail & Related papers (2021-11-19T16:01:45Z)
- Fight Detection from Still Images in the Wild [13.95888515102339]
We propose a new dataset, named Social Media Fight Images (SMFI), comprising real-world images of fight actions.
Tests indicate that, as in other computer vision problems, there exists a dataset bias for the fight recognition problem.
arXiv Detail & Related papers (2021-11-16T11:16:11Z)
- QAIR: Practical Query-efficient Black-Box Attacks for Image Retrieval [56.51916317628536]
We study the query-based attack against image retrieval to evaluate its robustness against adversarial examples under the black-box setting.
A new relevance-based loss is designed to quantify the attack effects by measuring the set similarity on the top-k retrieval results before and after attacks.
Experiments show that the proposed attack achieves a high attack success rate with few queries against the image retrieval systems under the black-box setting.
arXiv Detail & Related papers (2021-03-04T10:18:43Z)
- Attack Agnostic Adversarial Defense via Visual Imperceptible Bound [70.72413095698961]
This research aims to design a defense model that is robust within a certain bound against both seen and unseen adversarial attacks.
The proposed defense model is evaluated on the MNIST, CIFAR-10, and Tiny ImageNet databases.
The proposed algorithm is attack agnostic, i.e. it does not require any knowledge of the attack algorithm.
arXiv Detail & Related papers (2020-10-25T23:14:26Z)
- MixNet for Generalized Face Presentation Attack Detection [63.35297510471997]
We have proposed a deep learning-based network termed MixNet to detect presentation attacks.
The proposed algorithm utilizes state-of-the-art convolutional neural network architectures and learns the feature mapping for each attack category.
arXiv Detail & Related papers (2020-10-25T23:01:13Z)
- Determining Sequence of Image Processing Technique (IPT) to Detect Adversarial Attacks [4.431353523758957]
We propose an evolutionary approach to automatically determine an Image Processing Techniques Sequence (IPTS) for detecting malicious inputs.
A detection framework based on a genetic algorithm (GA) is developed to find the optimal IPTS.
A set of IPTS is selected dynamically at testing time and works as a filter for the adversarial attack.
arXiv Detail & Related papers (2020-07-01T08:59:14Z)
- Applying Tensor Decomposition to image for Robustness against Adversarial Attack [3.347059384111439]
A deep learning model can easily be fooled by adding small perturbations.
In this paper, we suggest combining tensor decomposition for defending the model against adversarial examples.
arXiv Detail & Related papers (2020-02-28T18:30:22Z)
This list is automatically generated from the titles and abstracts of the papers on this site.