Towards an Accurate and Secure Detector against Adversarial
Perturbations
- URL: http://arxiv.org/abs/2305.10856v2
- Date: Thu, 24 Aug 2023 06:33:09 GMT
- Title: Towards an Accurate and Secure Detector against Adversarial
Perturbations
- Authors: Chao Wang, Shuren Qi, Zhiqiu Huang, Yushu Zhang, Rushi Lan, Xiaochun
Cao
- Abstract summary: The vulnerability of deep neural networks to adversarial perturbations has been widely recognized in the computer vision community.
Current algorithms typically detect adversarial patterns through discriminative decomposition of natural-artificial data.
We propose an accurate and secure adversarial example detector, relying on a spatial-frequency discriminative decomposition with secret keys.
- Score: 58.02078078305753
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: The vulnerability of deep neural networks to adversarial perturbations has
been widely recognized in the computer vision community. From a security
perspective, it poses a critical risk for modern vision systems, e.g., the
popular Deep Learning as a Service (DLaaS) frameworks. To protect
off-the-shelf deep models without modifying them, current algorithms
typically detect adversarial patterns through a discriminative decomposition of
natural-artificial data. However, these decompositions are biased towards
frequency or spatial discriminability, and thus fail to capture adversarial
patterns comprehensively. More seriously, a successful defense-aware (secondary)
adversarial attack (i.e., one that evades the detector as well as fooling the model) is
practical under the assumption that the adversary is fully aware of the
detector (i.e., Kerckhoffs's principle). Motivated by these facts, we
propose an accurate and secure adversarial example detector, relying on a
spatial-frequency discriminative decomposition with secret keys. It extends the
above works in two aspects: 1) the introduced Krawtchouk basis provides better
spatial-frequency discriminability, and is thereby more suitable for capturing
adversarial patterns than common trigonometric or wavelet bases; 2) the
numerous decomposition parameters are generated by a pseudo-random
function with secret keys, hence blocking defense-aware adversarial attacks.
Theoretical and numerical analysis demonstrates the increased accuracy and
security of our detector relative to a number of state-of-the-art
algorithms.
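Since the paper's code is not part of this listing, the following is only a minimal sketch of the two ingredients the abstract names: an orthonormal Krawtchouk-style basis (built here by QR under the binomial weight, one standard construction for discrete orthogonal polynomials) and a pseudo-random function that derives secret decomposition parameters from a key. All names, the SHA-256 seed derivation, the range for the parameter p, and the block size are illustrative assumptions, not the authors' design.

```python
# Minimal sketch, NOT the authors' implementation: a keyed
# spatial-frequency decomposition in the spirit of the abstract.
import hashlib

import numpy as np
from scipy.special import comb


def krawtchouk_basis(N: int, p: float) -> np.ndarray:
    """Orthonormal discrete basis on {0, ..., N-1} under the binomial weight.

    QR on monomials weighted by w(x) = C(N-1, x) p^x (1-p)^(N-1-x)
    reproduces the weighted Krawtchouk polynomials up to sign.
    Small blocks (e.g., 16x16) keep this numerically well conditioned.
    """
    x = np.arange(N)
    w = comb(N - 1, x) * p**x * (1.0 - p) ** (N - 1 - x)
    V = np.vander(x / (N - 1), N, increasing=True)  # monomials 1, x, x^2, ...
    Q, _ = np.linalg.qr(np.sqrt(w)[:, None] * V)
    return Q  # columns are orthonormal: Q.T @ Q == I


def keyed_params(key: bytes, n_feats: int, N: int):
    """PRF stand-in: derive secret decomposition parameters from a key."""
    seed = int.from_bytes(hashlib.sha256(key).digest()[:8], "big")
    rng = np.random.default_rng(seed)
    p = rng.uniform(0.3, 0.7)  # secret basis parameter (assumed range)
    orders = rng.choice(N * N, size=n_feats, replace=False)  # secret moment subset
    return p, orders


def keyed_features(block: np.ndarray, key: bytes, n_feats: int = 64) -> np.ndarray:
    """Keyed moment features of one square grayscale block."""
    N = block.shape[0]
    p, orders = keyed_params(key, n_feats, N)
    Q = krawtchouk_basis(N, p)
    M = Q.T @ block @ Q  # full 2-D moment matrix
    return M.ravel()[orders]
```

A binary classifier fitted on these features for natural versus adversarial inputs would complete such a detector; without the key, an adversary cannot reproduce the feature map that a defense-aware secondary attack would need to target.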
Related papers
- Detecting Adversarial Data via Perturbation Forgery [28.637963515748456]
Adversarial detection aims to identify and filter out adversarial data from the data flow, based on discrepancies in distribution and noise patterns between natural and adversarial data.
New attacks based on generative models, with imbalanced and anisotropic noise patterns, evade such detection.
We propose Perturbation Forgery, which includes noise-distribution perturbation, sparse mask generation, and pseudo-adversarial data production, to train an adversarial detector capable of detecting unseen gradient-based, generative-model-based, and physical adversarial attacks (a sketch follows this entry).
arXiv Detail & Related papers (2024-05-25T13:34:16Z)
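A minimal sketch of how the three named ingredients could compose, assuming a Gaussian base noise model, a Bernoulli pixel mask, and [0, 1] float images; none of this is the paper's actual procedure.

```python
import numpy as np


def pseudo_adversarial(clean: np.ndarray, rng: np.random.Generator,
                       eps: float = 8 / 255, sparsity: float = 0.1) -> np.ndarray:
    """Forge a pseudo-adversarial sample from a clean image of shape (H, W, C)."""
    # 1) Noise-distribution perturbation: jitter the mean and scale of a base
    #    Gaussian so the forged noise is not tied to one attack's statistics.
    mu = rng.normal(0.0, eps / 4)
    sigma = eps * rng.uniform(0.5, 1.5)
    noise = rng.normal(mu, sigma, size=clean.shape)
    # 2) Sparse mask generation: perturb only a random fraction of pixels.
    mask = (rng.random(clean.shape[:2]) < sparsity)[..., None]
    # 3) Pseudo-adversarial data production.
    return np.clip(clean + mask * noise, 0.0, 1.0)
```

A detector trained to separate clean images from such forged ones is then hoped to generalize to real, unseen attacks.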
- Meta Invariance Defense Towards Generalizable Robustness to Unknown Adversarial Attacks [62.036798488144306]
Current defenses mainly focus on known attacks, while adversarial robustness to unknown attacks is seriously overlooked.
We propose an attack-agnostic defense method named Meta Invariance Defense (MID).
We show that MID simultaneously achieves robustness to imperceptible adversarial perturbations in high-level image classification and attack suppression in low-level robust image regeneration.
arXiv Detail & Related papers (2024-04-04T10:10:38Z)
- Investigating Human-Identifiable Features Hidden in Adversarial Perturbations [54.39726653562144]
Our study explores up to five attack algorithms across three datasets.
We identify human-identifiable features in adversarial perturbations.
Using pixel-level annotations, we extract such features and demonstrate their ability to compromise target models.
arXiv Detail & Related papers (2023-09-28T22:31:29Z)
- TREATED: Towards Universal Defense against Textual Adversarial Attacks [28.454310179377302]
We propose TREATED, a universal adversarial detection method that can defend against attacks of various perturbation levels without making any assumptions.
Extensive experiments on three competitive neural networks and two widely used datasets show that our method achieves better detection performance than baselines.
arXiv Detail & Related papers (2021-09-13T03:31:20Z)
- Adversarially Robust One-class Novelty Detection [83.1570537254877]
We show that existing novelty detectors are susceptible to adversarial examples.
We propose a defense strategy that manipulates the latent space of novelty detectors to improve the robustness against adversarial examples.
arXiv Detail & Related papers (2021-08-25T10:41:29Z)
- Demotivate adversarial defense in remote sensing [0.0]
We study adversarial retraining and adversarial regularization as defenses for this purpose (adversarial retraining is sketched after this entry).
We show through several experiments on public remote sensing datasets that adversarial robustness appears uncorrelated with geographic and over-fitting robustness.
arXiv Detail & Related papers (2021-05-28T15:04:37Z)
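Adversarial retraining, as named above, usually just means training on adversarially perturbed batches; a minimal single-step (FGSM) PyTorch version is sketched below, with the loss, epsilon, and update structure as generic assumptions rather than the paper's exact protocol.

```python
import torch
import torch.nn.functional as F


def fgsm(model, x, y, eps):
    """One-step FGSM example, keeping inputs in [0, 1]."""
    x_adv = x.clone().detach().requires_grad_(True)
    F.cross_entropy(model(x_adv), y).backward()
    return (x_adv + eps * x_adv.grad.sign()).clamp(0.0, 1.0).detach()


def adversarial_training_step(model, opt, x, y, eps=8 / 255):
    """Replace the clean batch with its FGSM counterpart, then update."""
    x_adv = fgsm(model, x, y, eps)
    opt.zero_grad()  # clear gradients left over from crafting x_adv
    loss = F.cross_entropy(model(x_adv), y)
    loss.backward()
    opt.step()
    return loss.item()
```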
- No Need to Know Physics: Resilience of Process-based Model-free Anomaly Detection for Industrial Control Systems [95.54151664013011]
We present a novel framework to generate adversarial spoofing signals that violate the physical properties of the system.
We analyze four anomaly detectors published at top security conferences.
arXiv Detail & Related papers (2020-12-07T11:02:44Z)
- From a Fourier-Domain Perspective on Adversarial Examples to a Wiener Filter Defense for Semantic Segmentation [27.04820989579924]
Deep neural networks are not robust against adversarial perturbations.
In this work, we study the adversarial problem from a frequency domain perspective.
We propose an adversarial defense method based on the well-known Wiener filters (a sketch follows this entry).
arXiv Detail & Related papers (2020-12-02T22:06:04Z)
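As a rough stand-in for the entry's idea, denoising inputs before inference, here is a sketch using SciPy's local-statistics Wiener filter; the paper derives its filter in the Fourier domain, so the window size and per-channel treatment are assumptions.

```python
import numpy as np
from scipy.signal import wiener


def defend(image: np.ndarray, window: int = 3) -> np.ndarray:
    """Wiener-denoise a float image in [0, 1], shape (H, W) or (H, W, C)."""
    if image.ndim == 2:
        return np.clip(wiener(image, mysize=window), 0.0, 1.0)
    # Filter each channel independently.
    out = np.stack([wiener(image[..., c], mysize=window)
                    for c in range(image.shape[-1])], axis=-1)
    return np.clip(out, 0.0, 1.0)
```

The filtered image is then fed to the unmodified segmentation model, the same protect-without-retraining setting the main paper targets.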
- Temporal Sparse Adversarial Attack on Sequence-based Gait Recognition [56.844587127848854]
We demonstrate that the state-of-the-art gait recognition model is vulnerable to such attacks.
We employ a generative adversarial network (GAN)-based architecture to semantically generate high-quality adversarial gait silhouettes or video frames.
The experimental results show that if only one-fortieth of the frames are attacked, the accuracy of the target model drops dramatically.
arXiv Detail & Related papers (2020-02-22T10:08:42Z)