Detecting Adversarial Samples from Artifacts

Feinman, Reuben; Curtin, Ryan R.; Shintre, Saurabh; Gardner, Alex

doi:10.48550/arxiv.1703.00410

Cited by 256 publications

(454 citation statements)

References 0 publications

Supporting

Mentioning

450

Contrasting

Unclassified

Order By: Relevance

“…Adversarial samples are generated by using the same set (and same settings) of attacks used by Lee et al (2018) Comparison with SOTA and results. We compare the performance of iDECODe with supervised detectors such as LID (Ma et al 2018), Mahala (Lee et al 2018) and a detector based on combining of kernel density estimation (Feinman et al 2017) and predictive uncertainty (KD+PU). These detectors are trained on adversarial samples generated by FGSM attack.…”

Section: Detection Of Adversarial Samplesmentioning

confidence: 99%

See 1 more Smart Citation

iDECODe: In-distribution Equivariance for Conformal Out-of-distribution Detection

Kaur¹,

Jha²,

Roy³

et al. 2022

Preprint

View full text Add to dashboard Cite

Machine learning methods such as deep neural networks (DNNs), despite their success across different domains, are known to often generate incorrect predictions with high confidence on inputs outside their training distribution. The deployment of DNNs in safety-critical domains requires detection of out-of-distribution (OOD) data so that DNNs can abstain from making predictions on those. A number of methods have been recently developed for OOD detection, but there is still room for improvement. We propose the new method iDECODe, leveraging in-distribution equivariance for conformal OOD detection. It relies on a novel base non-conformity measure and a new aggregation method, used in the inductive conformal anomaly detection framework, thereby guaranteeing a bounded false detection rate. We demonstrate the efficacy of iDECODe by experiments on image and audio datasets, obtaining state-of-the-art results. We also show that iDECODe can detect adversarial examples.

show abstract

Section: Detection Of Adversarial Samplesmentioning

confidence: 99%

“…We compare with KD+PU, LID and Mahala as the supervised adversarial detectors. Kernel Density (KD) (Feinman et al 2017) detects datapoints lying in the tqbl/ood audio. low Guassian density regions as adversarial.…”

Section: C3 Adversarialmentioning

confidence: 99%

iDECODe: In-distribution Equivariance for Conformal Out-of-distribution Detection

Kaur¹,

Jha²,

Roy³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Another line of research is k-nearest neighbors (kNN) [1,5,14,41] based methods, which focus on distinguishing adversarial examples based on their relationship to other clean images in the calibrated dataset. Furthermore, a family of anomalydetection approaches [60] has been deployed to detect adversarial examples: Feinman et al [16] model the clean distribution with kernel density estimation. Ma et al [33] characterize the dimensional properties of the adversarial features by local intrinsic dimensionality.…”

Section: Adversarial Defensesmentioning

confidence: 99%

“…Adversarial detectors. In experiments, we choose kernel density (KD) [16], local intrinsic dimensionality (LID) [33], Mahalanobis distance (MAHA) [26], and deep neural net-work (DNN) [37] as our baselines. The parameters for KD, LID and MAHA are set per original papers.…”

Section: Setupmentioning

confidence: 99%

See 1 more Smart Citation

Medical Aegis: Robust adversarial protectors for medical images

Yao¹,

He²,

Kevin³

2021

Preprint

View full text Add to dashboard Cite

Deep neural network based medical image systems are vulnerable to adversarial examples. Many defense mechanisms have been proposed in the literature, however, the existing defenses assume a passive attacker who knows little about the defense system and does not change the attack strategy according to the defense. Recent works [2,3,52] have shown that a strong adaptive attack, where an attacker is assumed to have full knowledge about the defense system, can easily bypass the existing defenses. In this paper, we propose a novel adversarial example defense system called Medical Aegis. To the best of our knowledge, Medical Aegis is the first defense in the literature that successfully addresses the strong adaptive adversarial example attacks to medical images. Medical Aegis boasts two-tier protectors: The first tier of Cushion weakens the adversarial manipulation capability of an attack by removing its high-frequency components, yet posing a minimal effect on classification performance of the original image; the second tier of Shield learns a set of per-class DNN models to predict the logits of the protected model. Deviation from the Shield's prediction indicates adversarial examples. Shield is inspired by the observations in our stress tests that there exist robust trails in the shallow layers of a DNN model, which the adaptive attacks can hardly destruct. Experimental results show that the proposed defense accurately detects adaptive attacks, with negligible overhead for model inference.

show abstract

A data‐driven adversarial examples recognition framework via adversarial feature genomes

Chen

et al. 2022

Int J of Intelligent Sys

View full text Add to dashboard Cite

Adversarial examples pose many security threats to convolutional neural networks (CNNs). Most defense algorithms prevent these threats by finding differences between the original images and adversarial examples. However, the found differences do not contain features about the classes, so these defense algorithms can only detect adversarial examples without recovering the correct labels. In this regard, we propose the Adversarial Feature Genome (AFG), a novel type of data that contain both the differences and features about classes. This method is inspired by an observed phenomenon, namely, the Adversarial Feature Separability, where the difference between the feature maps of the original images and adversarial examples becomes larger with deeper layers. On top of that, we further develop an adversarial example recognition framework that detects adversarial examples and can recover the correct labels. In the experiments, the detection and classification of adversarial examples by AFGs has an accuracy of more than 90.01% in various attack scenarios. To the best of our knowledge, our method is the first method that focuses on both attack detecting and recovering. AFG gives a new data‐driven perspective to improve the robustness of CNNs.

show abstract

Detecting Adversarial Samples from Artifacts

Cited by 256 publications

References 0 publications

iDECODe: In-distribution Equivariance for Conformal Out-of-distribution Detection

iDECODe: In-distribution Equivariance for Conformal Out-of-distribution Detection

Medical Aegis: Robust adversarial protectors for medical images

A data‐driven adversarial examples recognition framework via adversarial feature genomes

Contact Info

Product

Resources

About