Defending Adversarial Patches via Joint Region Localizing and Inpainting
- URL: http://arxiv.org/abs/2307.14242v1
- Date: Wed, 26 Jul 2023 15:11:51 GMT
- Title: Defending Adversarial Patches via Joint Region Localizing and Inpainting
- Authors: Junwen Chen, Xingxing Wei
- Abstract summary: A series of experiments versus traffic sign classification and detection tasks are conducted to defend against various adversarial patch attacks.
We propose a novel defense method based on a "localizing and inpainting" mechanism to pre-process the input examples.
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Deep neural networks are successfully used in various applications, but show
their vulnerability to adversarial examples. With the development of
adversarial patches, the feasibility of attacks in physical scenes increases,
and the defenses against patch attacks are urgently needed. However, defending
such adversarial patch attacks is still an unsolved problem. In this paper, we
analyse the properties of adversarial patches, and find that: on the one hand,
adversarial patches will lead to the appearance or contextual inconsistency in
the target objects; on the other hand, the patch region will show abnormal
changes on the high-level feature maps of the objects extracted by a backbone
network. Considering the above two points, we propose a novel defense method
based on a "localizing and inpainting" mechanism to pre-process the input
examples. Specifically, we design a unified framework, where the "localizing"
sub-network utilizes a two-branch structure to represent the above two aspects
to accurately detect the adversarial patch region in the image. For the
"inpainting" sub-network, it utilizes the surrounding contextual cues to
recover the original content covered by the adversarial patch. The quality of
inpainted images is also evaluated by measuring the appearance consistency and
the effects of adversarial attacks. These two sub-networks are then jointly
trained via an iterative optimization manner. In this way, the "localizing"
and "inpainting" modules can interact closely with each other, and thus learn
a better solution. A series of experiments versus traffic sign classification
and detection tasks are conducted to defend against various adversarial patch
attacks.
Related papers
- Improving Adversarial Robustness via Decoupled Visual Representation Masking [65.73203518658224]
In this paper, we highlight two novel properties of robust features from the feature distribution perspective.
We find that state-of-the-art defense methods aim to address both of these mentioned issues well.
Specifically, we propose a simple but effective defense based on decoupled visual representation masking.
arXiv Detail & Related papers (2024-06-16T13:29:41Z)
- PAD: Patch-Agnostic Defense against Adversarial Patch Attacks [36.865204327754626]
Adversarial patch attacks present a significant threat to real-world object detectors.
We show two inherent characteristics of adversarial patches, semantic independence and spatial heterogeneity.
We propose PAD, a novel adversarial patch localization and removal method that does not require prior knowledge or additional training.
arXiv Detail & Related papers (2024-04-25T09:32:34Z)
- Task-agnostic Defense against Adversarial Patch Attacks [25.15948648034204]
Adversarial patch attacks mislead neural networks by injecting adversarial pixels within a designated local region.
We present PatchZero, a task-agnostic defense against white-box adversarial patches.
Our method achieves SOTA robust accuracy without any degradation in the benign performance.
arXiv Detail & Related papers (2022-07-05T03:49:08Z)
- Segment and Complete: Defending Object Detectors against Adversarial Patch Attacks with Robust Patch Detection [142.24869736769432]
Adversarial patch attacks pose a serious threat to state-of-the-art object detectors.
We propose Segment and Complete defense (SAC), a framework for defending object detectors against patch attacks.
We show SAC can significantly reduce the targeted attack success rate of physical patch attacks.
arXiv Detail & Related papers (2021-12-08T19:18:48Z)
- Inconspicuous Adversarial Patches for Fooling Image Recognition Systems on Mobile Devices [8.437172062224034]
A variant of adversarial examples, called adversarial patch, draws researchers' attention due to its strong attack abilities.
We propose an approach to generate adversarial patches with one single image.
Our approach shows the strong attack abilities in white-box settings and the excellent transferability in black-box settings.
arXiv Detail & Related papers (2021-06-29T09:39:34Z)
- Robustness Out of the Box: Compositional Representations Naturally Defend Against Black-Box Patch Attacks [11.429509031463892]
Patch-based adversarial attacks introduce a perceptible but localized change to the input that induces misclassification.
In this work, we study two different approaches for defending against black-box patch attacks.
We find that adversarial training has limited effectiveness against state-of-the-art location-optimized patch attacks.
arXiv Detail & Related papers (2020-12-01T15:04:23Z)
- Generating Adversarial yet Inconspicuous Patches with a Single Image [15.217367754000913]
We propose an approach to generate adversarial yet inconspicuous patches with one single image.
In our approach, adversarial patches are produced in a coarse-to-fine way with multiple scales of generators and discriminators.
Our approach shows strong attacking ability in both the white-box and black-box setting.
arXiv Detail & Related papers (2020-09-21T11:56:01Z)
- Patch-wise Attack for Fooling Deep Neural Network [153.59832333877543]
We propose a patch-wise iterative algorithm -- a black-box attack towards mainstream normally trained and defense models.
We significantly improve the success rate by 9.2% for defense models and 3.7% for normally trained models on average.
arXiv Detail & Related papers (2020-07-14T01:50:22Z)
- A Self-supervised Approach for Adversarial Robustness [105.88250594033053]
Adversarial examples can cause catastrophic mistakes in Deep Neural Networks (DNNs) based vision systems.
This paper proposes a self-supervised adversarial training mechanism in the input space.
It provides significant robustness against the unseen adversarial attacks.
arXiv Detail & Related papers (2020-06-08T20:42:39Z)
- Bias-based Universal Adversarial Patch Attack for Automatic Check-out [59.355948824578434]
Adversarial examples are inputs with imperceptible perturbations that easily mislead deep neural networks (DNNs).
Existing strategies failed to generate adversarial patches with strong generalization ability.
This paper proposes a bias-based framework to generate class-agnostic universal adversarial patches with strong generalization ability.
arXiv Detail & Related papers (2020-05-19T07:38:54Z)
- Adversarial Training against Location-Optimized Adversarial Patches [84.96938953835249]
adversarial patches: clearly visible, but adversarially crafted rectangular patches in images.
We first devise a practical approach to obtain adversarial patches while actively optimizing their location within the image.
We apply adversarial training on these location-optimized adversarial patches and demonstrate significantly improved robustness on CIFAR10 and GTSRB.
arXiv Detail & Related papers (2020-05-05T16:17:00Z)
This list is automatically generated from the titles and abstracts of the papers in this site.