Adversarial examples detection through the sensitivity in space mappings

Xurong Li; Shouling Ji; Juntao Ji; Zhenyu Ren; Chunming Wu; Bo Li; Ting Wang

doi:10.1049/iet-cvi.2019.0378

Adversarial examples detection through the sensitivity in space mappings

Xurong Li, Shouling Ji, Juntao Ji, Zhenyu Ren, Chunming Wu, Bo Li, Ting Wang

Research output: Contribution to journal › Article › peer-review

Abstract

Adversarial examples (AEs) against deep neural networks (DNNs) raise wide concerns about the robustness of DNNs. Existing detection mechanisms are often limited to a given attack algorithm. Therefore, it is highly desirable to develop a robust detection approach that remains effective for a large group of attack algorithms. In addition, most of the existing defences only perform well for small images (e.g. MNIST and Canadian institute for advanced research (CIFAR)) rather than large images (e.g. ImageNet). In this paper, the authors propose a robust and effective defence method for analysing the sensitivity of various AEs, especially in a much harder case (large images). Their method first creates a feature map from the input space to the new feature space, by utilising 19 different feature mapping methods. Then, a detector is learned with the machine-learning algorithm to recognise the unique distribution of AEs. Their extensive evaluations on their proposed detector show that their detector can achieve: (i) low false-positive rate (<1%), (ii) high true-positive rate (higher than 98%), (iii) low overhead (<0.1 s per input), and (iv) good robustness (work well across different learning models, attack algorithms, and parameters), which demonstrate the efficacy of the proposed detector in practise.

Original language	English (US)
Pages (from-to)	201-213
Number of pages	13
Journal	IET Computer Vision
Volume	14
Issue number	5
DOIs	https://doi.org/10.1049/iet-cvi.2019.0378
State	Published - Aug 1 2020

ASJC Scopus subject areas

Software
Computer Vision and Pattern Recognition

Access to Document

10.1049/iet-cvi.2019.0378

Fingerprint Dive into the research topics of 'Adversarial examples detection through the sensitivity in space mappings'. Together they form a unique fingerprint.

Cite this

@article{c520d2b225f04dfd8299ec863b38a6b1,

title = "Adversarial examples detection through the sensitivity in space mappings",

abstract = "Adversarial examples (AEs) against deep neural networks (DNNs) raise wide concerns about the robustness of DNNs. Existing detection mechanisms are often limited to a given attack algorithm. Therefore, it is highly desirable to develop a robust detection approach that remains effective for a large group of attack algorithms. In addition, most of the existing defences only perform well for small images (e.g. MNIST and Canadian institute for advanced research (CIFAR)) rather than large images (e.g. ImageNet). In this paper, the authors propose a robust and effective defence method for analysing the sensitivity of various AEs, especially in a much harder case (large images). Their method first creates a feature map from the input space to the new feature space, by utilising 19 different feature mapping methods. Then, a detector is learned with the machine-learning algorithm to recognise the unique distribution of AEs. Their extensive evaluations on their proposed detector show that their detector can achieve: (i) low false-positive rate (<1%), (ii) high true-positive rate (higher than 98%), (iii) low overhead (<0.1 s per input), and (iv) good robustness (work well across different learning models, attack algorithms, and parameters), which demonstrate the efficacy of the proposed detector in practise.",

author = "Xurong Li and Shouling Ji and Juntao Ji and Zhenyu Ren and Chunming Wu and Bo Li and Ting Wang",

note = "Funding Information: Discussion: The biggest advantage of the proposed detector is its robustness. Different from previous works [16–18, 33], our detector works well across attack algorithms and models. Besides, our detector exhibits a lower FPR and higher TPR under white-box attacks than before. Although dozens of mapping methods are used in our detection, the overhead is very small (<0.1(s? per image). Since the mapping methods used in our detector are sufficient to detect most AE, we did not consider other mapping methods, such as JPEG compression, resizing, shift, and padding. However, our defence is open, and other new mapping methods can be directly and U1836202, the Zhejiang Provincial Natural Science Foundation for Distinguished Young Scholars under no. LR19F020003, the Provincial Key Research and Development Programme of Zhejiang, China under No. 2018C03052, 2020C01021, and 2019C01055 and Major Scientific Project of Zhejiang Lab (2018FD0ZX01). Funding Information: This work was partly supported by the National Key Research and Development Programme of China (2018YFB2100404 and 2018YFB1800601), the NSFC under No. 61772466, U1936215,",

year = "2020",

month = aug,

day = "1",

doi = "10.1049/iet-cvi.2019.0378",

language = "English (US)",

volume = "14",

pages = "201--213",

journal = "IET Computer Vision",

issn = "1751-9632",

publisher = "Institution of Engineering and Technology",

number = "5",

}

TY - JOUR

T1 - Adversarial examples detection through the sensitivity in space mappings

AU - Li, Xurong

AU - Ji, Shouling

AU - Ji, Juntao

AU - Ren, Zhenyu

AU - Wu, Chunming

AU - Li, Bo

AU - Wang, Ting

N1 - Funding Information: Discussion: The biggest advantage of the proposed detector is its robustness. Different from previous works [16–18, 33], our detector works well across attack algorithms and models. Besides, our detector exhibits a lower FPR and higher TPR under white-box attacks than before. Although dozens of mapping methods are used in our detection, the overhead is very small (<0.1(s? per image). Since the mapping methods used in our detector are sufficient to detect most AE, we did not consider other mapping methods, such as JPEG compression, resizing, shift, and padding. However, our defence is open, and other new mapping methods can be directly and U1836202, the Zhejiang Provincial Natural Science Foundation for Distinguished Young Scholars under no. LR19F020003, the Provincial Key Research and Development Programme of Zhejiang, China under No. 2018C03052, 2020C01021, and 2019C01055 and Major Scientific Project of Zhejiang Lab (2018FD0ZX01). Funding Information: This work was partly supported by the National Key Research and Development Programme of China (2018YFB2100404 and 2018YFB1800601), the NSFC under No. 61772466, U1936215,

PY - 2020/8/1

Y1 - 2020/8/1

N2 - Adversarial examples (AEs) against deep neural networks (DNNs) raise wide concerns about the robustness of DNNs. Existing detection mechanisms are often limited to a given attack algorithm. Therefore, it is highly desirable to develop a robust detection approach that remains effective for a large group of attack algorithms. In addition, most of the existing defences only perform well for small images (e.g. MNIST and Canadian institute for advanced research (CIFAR)) rather than large images (e.g. ImageNet). In this paper, the authors propose a robust and effective defence method for analysing the sensitivity of various AEs, especially in a much harder case (large images). Their method first creates a feature map from the input space to the new feature space, by utilising 19 different feature mapping methods. Then, a detector is learned with the machine-learning algorithm to recognise the unique distribution of AEs. Their extensive evaluations on their proposed detector show that their detector can achieve: (i) low false-positive rate (<1%), (ii) high true-positive rate (higher than 98%), (iii) low overhead (<0.1 s per input), and (iv) good robustness (work well across different learning models, attack algorithms, and parameters), which demonstrate the efficacy of the proposed detector in practise.

AB - Adversarial examples (AEs) against deep neural networks (DNNs) raise wide concerns about the robustness of DNNs. Existing detection mechanisms are often limited to a given attack algorithm. Therefore, it is highly desirable to develop a robust detection approach that remains effective for a large group of attack algorithms. In addition, most of the existing defences only perform well for small images (e.g. MNIST and Canadian institute for advanced research (CIFAR)) rather than large images (e.g. ImageNet). In this paper, the authors propose a robust and effective defence method for analysing the sensitivity of various AEs, especially in a much harder case (large images). Their method first creates a feature map from the input space to the new feature space, by utilising 19 different feature mapping methods. Then, a detector is learned with the machine-learning algorithm to recognise the unique distribution of AEs. Their extensive evaluations on their proposed detector show that their detector can achieve: (i) low false-positive rate (<1%), (ii) high true-positive rate (higher than 98%), (iii) low overhead (<0.1 s per input), and (iv) good robustness (work well across different learning models, attack algorithms, and parameters), which demonstrate the efficacy of the proposed detector in practise.

UR - http://www.scopus.com/inward/record.url?scp=85090092790&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85090092790&partnerID=8YFLogxK

U2 - 10.1049/iet-cvi.2019.0378

DO - 10.1049/iet-cvi.2019.0378

M3 - Article

AN - SCOPUS:85090092790

VL - 14

SP - 201

EP - 213

JO - IET Computer Vision

JF - IET Computer Vision

SN - 1751-9632

IS - 5

ER -