TY - JOUR
T1 - Adversarial examples detection through the sensitivity in space mappings
AU - Li, Xurong
AU - Ji, Shouling
AU - Ji, Juntao
AU - Ren, Zhenyu
AU - Wu, Chunming
AU - Li, Bo
AU - Wang, Ting
N1 - Funding Information:
This work was partly supported by the National Key Research and Development Programme of China (2018YFB2100404 and 2018YFB1800601), the NSFC under No. 61772466, U1936215, and U1836202, the Zhejiang Provincial Natural Science Foundation for Distinguished Young Scholars under No. LR19F020003, the Provincial Key Research and Development Programme of Zhejiang, China under No. 2018C03052, 2020C01021, and 2019C01055, and the Major Scientific Project of Zhejiang Lab (2018FD0ZX01).
N1 - Discussion: The biggest advantage of the proposed detector is its robustness. Different from previous works [16–18, 33], our detector works well across attack algorithms and models. Besides, our detector exhibits a lower FPR and higher TPR under white-box attacks than before. Although dozens of mapping methods are used in our detection, the overhead is very small (<0.1 s per image). Since the mapping methods used in our detector are sufficient to detect most AEs, we did not consider other mapping methods, such as JPEG compression, resizing, shift, and padding. However, our defence is open, and other new mapping methods can be directly
Publisher Copyright:
© The Institution of Engineering and Technology 2020
PY - 2020/8/1
Y1 - 2020/8/1
N2 - Adversarial examples (AEs) against deep neural networks (DNNs) raise wide concerns about the robustness of DNNs. Existing detection mechanisms are often limited to a given attack algorithm. Therefore, it is highly desirable to develop a robust detection approach that remains effective for a large group of attack algorithms. In addition, most of the existing defences only perform well for small images (e.g. MNIST and Canadian Institute for Advanced Research (CIFAR)) rather than large images (e.g. ImageNet). In this paper, the authors propose a robust and effective defence method based on analysing the sensitivity of various AEs, especially in a much harder case (large images). Their method first maps the input space to a new feature space by utilising 19 different feature mapping methods. Then, a detector is learned with a machine-learning algorithm to recognise the unique distribution of AEs. Their extensive evaluations of the proposed detector show that it can achieve: (i) a low false-positive rate (<1%), (ii) a high true-positive rate (higher than 98%), (iii) low overhead (<0.1 s per input), and (iv) good robustness (it works well across different learning models, attack algorithms, and parameters), which demonstrates the efficacy of the proposed detector in practice.
UR - http://www.scopus.com/inward/record.url?scp=85090092790&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85090092790&partnerID=8YFLogxK
U2 - 10.1049/iet-cvi.2019.0378
DO - 10.1049/iet-cvi.2019.0378
M3 - Article
AN - SCOPUS:85090092790
VL - 14
SP - 201
EP - 213
JO - IET Computer Vision
JF - IET Computer Vision
SN - 1751-9632
IS - 5
ER -