Noise Sensitivity-Based Energy Efficient and Robust Adversary Detection in Neural Networks

Abstract: Neural networks have achieved remarkable performance in computer vision, however they are vulnerable to adversarial examples. Adversarial examples are inputs that have been carefully perturbed to fool classifier networks, while appearing unchanged to humans. Based on prior works on detecting adversaries, we propose a structured methodology of augmenting a deep neural network (DNN) with a detector subnetwork. We use Adversarial Noise Sensitivity (ANS), a novel metric for measuring the adversarial gradient contr… Show more

“…Additionally, Metzen et al and Sterneck et al appended a binary classifier between convolutional layers to detect adversarial inputs using the intermediate activation maps as features [13], [12]. While Metzen et al used a heuristic approach to append adversarial input detectors at the end of intermediate convolutional layers, Sterneck et al strategically placed the detector at the end of a convolution layer chosen using a metric called the adversarial noise sensitivity.…”

“…In this section, we compare the robustness and energy efficiency the Neurosim+DetectX system with previous stateof-the-art works on adversarial input detection [13], [12], [14]. All these works employ neural network based detectors to achieve state-of-the-art performance.…”

“…The second approach is adversarial input detection. Here, the goal is to detect and reject adversarial inputs from propagating deeper into the network [12].…”

“…Most prior works on adversarial input detection augment neural network based detectors at intermediate layers [13], [14], [12]. Others use complex mathematical analysis to detect adversarial and clean activations [15].…”

“…For example, neural network-based detectors have been shown to be vulnerable to dynamic adversarial attacks [13]. Here, the objective functions of both the neural networkbased detector and the main DNN are used to generate much stronger attacks [13], [12]. To bypass these problems, we use a hardware driven approach.…”

DetectX -- Adversarial Input Detection using Current Signatures in Memristive XBar Arrays

“…Additionally, Metzen et al and Sterneck et al appended a binary classifier between convolutional layers to detect adversarial inputs using the intermediate activation maps as features [13], [12]. While Metzen et al used a heuristic approach to append adversarial input detectors at the end of intermediate convolutional layers, Sterneck et al strategically placed the detector at the end of a convolution layer chosen using a metric called the adversarial noise sensitivity.…”

“…In this section, we compare the robustness and energy efficiency the Neurosim+DetectX system with previous stateof-the-art works on adversarial input detection [13], [12], [14]. All these works employ neural network based detectors to achieve state-of-the-art performance.…”

“…The second approach is adversarial input detection. Here, the goal is to detect and reject adversarial inputs from propagating deeper into the network [12].…”

“…Most prior works on adversarial input detection augment neural network based detectors at intermediate layers [13], [14], [12]. Others use complex mathematical analysis to detect adversarial and clean activations [15].…”

“…For example, neural network-based detectors have been shown to be vulnerable to dynamic adversarial attacks [13]. Here, the objective functions of both the neural networkbased detector and the main DNN are used to generate much stronger attacks [13], [12]. To bypass these problems, we use a hardware driven approach.…”

DetectX -- Adversarial Input Detection using Current Signatures in Memristive XBar Arrays