Principal Component Properties of Adversarial Samples

Jere, Malhar; Sandro, Herbig,; Lind, Christine H.; Koushanfar, Farinaz

doi:10.1007/978-3-030-62144-5_5

Cited by 3 publications

(3 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Adversarial defenses. At earlier time, a few studies aim to detect adversarial examples [39], [40], [41]. However, it is wellknown that detection is inherently weaker than defense in terms of resisting adversarial attacks.…”

Section: Related Workmentioning

confidence: 99%

“…A few studies employ vanilla PCA to counter adversarial attacks for the image classification problem. Hendrycks & Gimpel [39] and Jere et al [40] utilized PCA to detect adversarial examples. Li & Li [41] performed PCA in the feature domain and used a cascade classifier to detect adversarial examples.…”

Section: A9 Comparison With the Defenses That Use Dimensionality Redu...mentioning

confidence: 99%

See 1 more Smart Citation

Adversarially Robust One-class Novelty Detection

Lo¹,

Oza²,

Patel³

2021

Preprint

View full text Add to dashboard Cite

One-class novelty detectors are trained with examples of a particular class and are tasked with identifying whether a query example belongs to the same known class. Most recent advances adopt a deep auto-encoder style architecture to compute novelty scores for detecting novel class data. Deep networks have shown to be vulnerable to adversarial attacks, yet little focus is devoted to studying the adversarial robustness of deep novelty detectors. In this paper, we first show that existing novelty detectors are susceptible to adversarial examples. We further demonstrate that commonly-used defense approaches for classification tasks have limited effectiveness in one-class novelty detection. Hence, we need a defense specifically designed for novelty detection. To this end, we propose a defense strategy that manipulates the latent space of novelty detectors to improve the robustness against adversarial examples. The proposed method, referred to as Principal Latent Space (PLS), learns the incrementally-trained cascade principal components in the latent space to robustify novelty detectors. PLS can purify latent space against adversarial examples and constrain latent space to exclusively model the known class distribution. We conduct extensive experiments on multiple attacks, datasets and novelty detectors, showing that PLS consistently enhances the adversarial robustness of novelty detection models.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: A9 Comparison With the Defenses That Use Dimensionality Redu...mentioning

confidence: 99%

Adversarially Robust One-class Novelty Detection

Lo¹,

Oza²,

Patel³

2021

Preprint

View full text Add to dashboard Cite

show abstract

“…Meanwhile, there exists a thriving research corpus dedicated to deeply studying and understanding adversarial examples themselves. Ilyas et al (2019) presented a feature-based analysis of adversarial examples, while Jere et al (2019) presented preliminary work on PCA-based analysis of adversarial examples, which was followed up with Jere et al (2020) offering a nuanced view of the same through the lens of SVD. Ortiz-Jimenez et al (2020) derive insights from the margins of classifiers.…”

Section: Introductionmentioning

confidence: 99%

A Frequency Perspective of Adversarial Robustness

Maiya¹,

Ehrlich²,

Agarwal³

et al. 2021

Preprint

View full text Add to dashboard Cite

Adversarial examples pose a unique challenge for deep learning systems. Despite recent advances in both attacks and defenses, there is still a lack of clarity and consensus in the community about the true nature and underlying properties of adversarial examples. A deep understanding of these examples can provide new insights towards the development of more effective attacks and defenses. Driven by the common misconception that adversarial examples are high-frequency noise, we present a frequency-based understanding of adversarial examples, supported by theoretical and empirical findings. Our analysis shows that adversarial examples are neither in high-frequency nor in low-frequency components, but are simply dataset dependent. Particularly, we highlight the glaring disparities between models trained on CIFAR-10 and ImageNet-derived datasets. Utilizing this framework, we analyze many intriguing properties of training robust models with frequency constraints, and propose a frequency-based explanation for the commonly observed accuracy vs. robustness trade-off.

show abstract

Adversarially Robust One-class Novelty Detection

Oza

Patel

2022

IEEE Trans. Pattern Anal. Mach. Intell.

View full text Add to dashboard Cite

Principal Component Properties of Adversarial Samples

Cited by 3 publications

References 10 publications

Adversarially Robust One-class Novelty Detection

Adversarially Robust One-class Novelty Detection

A Frequency Perspective of Adversarial Robustness

Adversarially Robust One-class Novelty Detection

Contact Info

Product

Resources

About