Adversarial example detection for DNN models: a review and experimental comparison

Aldahdooh, Ahmed; Hamidouche, Wassim; Fezza, Sid Ahmed; Déforges, Olivier

doi:10.1007/s10462-021-10125-w

Cited by 84 publications

(49 citation statements)

References 73 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Robustness of computer vision CNNs against AEs is well studied in the literature [12], and many countermeasures [15,16,21,22,23], i.e. defenses and detectors, were implemented to characterize the feature space of the AEs.…”

Section: Related Workmentioning

confidence: 99%

Reveal of Vision Transformers Robustness against Adversarial Attacks

Aldahdooh¹,

Hamidouche²,

Déforges³

2021

Preprint

Self Cite

View full text Add to dashboard Cite

Attention-based networks have achieved state-of-the-art performance in many computer vision tasks, such as image classification. Unlike Convolutional Neural Network (CNN), the major part of the vanilla Vision Transformer (ViT) is the attention block that brings the power of mimicking the global context of the input image. This power is data hunger and hence, the larger the training data the better the performance. To overcome this limitation, many ViT-based networks, or hybrid-ViT, have been proposed to include local context during the training. The robustness of ViTs and its variants against adversarial attacks has not been widely invested in the literature. Some robustness attributes were revealed in few previous works and hence, more insight robustness attributes are yet unrevealed. This work studies the robustness of ViT variants 1) against different L p -based adversarial attacks in comparison with CNNs and 2) under Adversarial Examples (AEs) after applying preprocessing defense methods. To that end, we run a set of experiments on 1000 images from ImageNet-1k and then provide an analysis that reveals that vanilla ViT or hybrid-ViT are more robust than CNNs. For instance, we found that 1) Vanilla ViTs or hybrid-ViTs are more robust than CNNs under L 0 , L 1 , L 2 , L ∞ -based, and Color Channel Perturbations (CCP) attacks. 2) Vanilla ViTs are not responding to preprocessing defenses that mainly reduce the high frequency components while, hybrid-ViTs are more responsive to such defense. 3) CCP can be used as a preprocessing defense and larger ViT variants are found to be more responsive than other models. Furthermore, feature maps, attention maps, and Grad-CAM visualization jointly with image quality measures, and perturbations' energy spectrum are provided for an insight understanding of attention-based models.Preprint. Under review.

show abstract

Section: Related Workmentioning

confidence: 99%

Reveal of Vision Transformers Robustness against Adversarial Attacks

Aldahdooh¹,

Hamidouche²,

Déforges³

2021

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…Explainability (e.g., saliency maps from Grad-CAM) might be a useful indicator for determining adversarial attacks. The saliency maps of adversarial images are expected to differ from those of clean images [41,42]. However, explainabilitybased defenses might be limited since Grad-CAM could be easily deceived [43]; specifically, adversaries could adjust DNN models to allow Grad-CAM to yield their desired saliency maps.…”

Section: Discussionmentioning

confidence: 99%

Natural Images Allow Universal Adversarial Attacks on Medical Image Classification Using Deep Neural Networks with Transfer Learning

2022

View full text Add to dashboard Cite

Transfer learning from natural images is used in deep neural networks (DNNs) for medical image classification to achieve a computer-aided clinical diagnosis. Although the adversarial vulnerability of DNNs hinders practical applications owing to the high stakes of diagnosis, adversarial attacks are expected to be limited because training datasets (medical images), which are often required for adversarial attacks, are generally unavailable in terms of security and privacy preservation. Nevertheless, in this study, we demonstrated that adversarial attacks are also possible using natural images for medical DNN models with transfer learning, even if such medical images are unavailable; in particular, we showed that universal adversarial perturbations (UAPs) can also be generated from natural images. UAPs from natural images are useful for both non-targeted and targeted attacks. The performance of UAPs from natural images was significantly higher than that of random controls. The use of transfer learning causes a security hole, which decreases the reliability and safety of computer-based disease diagnosis. Model training from random initialization reduced the performance of UAPs from natural images; however, it did not completely avoid vulnerability to UAPs. The vulnerability of UAPs to natural images is expected to become a significant security threat.

show abstract

“…Further downstream tasks and user/analyst acceptance (trust) are therefore improved when receiving well-calibrated posterior confidence scores. We further desire not to give highly confident predictions at test/inference time to "unwanted" examples, such as out-of-domain/out-ofclass or adversarial examples, and thus extensions with Open Set Recognition [12,17] and adversarial detection techniques [2] are also of importance to include in real-world scenarios.…”

Section: Believabilitymentioning

confidence: 99%

Confident AI

Davis¹

2022

Preprint

View full text Add to dashboard Cite

In this paper, we propose "Confident AI" as a means to designing Artificial Intelligence (AI) and Machine Learning (ML) systems with both algorithm and user confidence in model predictions and reported results. The 4 basic tenets of Confident AI are Repeatability, Believability, Sufficiency, and Adaptability. Each of the tenets is used to explore fundamental issues in current AI/ML systems and together provide an overall approach to Confident AI.

show abstract

Adversarial example detection for DNN models: a review and experimental comparison

Cited by 84 publications

References 73 publications

Reveal of Vision Transformers Robustness against Adversarial Attacks

Reveal of Vision Transformers Robustness against Adversarial Attacks

Natural Images Allow Universal Adversarial Attacks on Medical Image Classification Using Deep Neural Networks with Transfer Learning

Confident AI

Contact Info

Product

Resources

About