Abstract
Adversarial images that can fool deep neural networks have drawn researchers' attention to the security of machine learning. In this paper, we employ a blind forensic method to detect adversarial images generated by gradient-based attacks, including FGSM, BIM, RFGSM and PGD. By analyzing adversarial images, we find that gradient-based attacks cause significant statistical changes in the image difference domain. In addition, gradient-based attacks add different perturbations to the R, G and B channels, which inevitably changes the dependencies among these channels. To measure those dependencies, the \(3^{rd}\)-order co-occurrence is employed to construct the feature. Unlike previous works, which extract the co-occurrence within each channel, we extract the co-occurrences across the \(1^{st}\)-order differences of the R, G and B channels to capture the changes in inter-channel dependence. Because the attacks shift the difference elements, some co-occurrence elements of adversarial images have distinctly larger values than those of legitimate images. Experimental results demonstrate that the proposed method performs stably across different attack types and attack strengths, and achieves detection accuracy of up to 99.9%, far exceeding the state of the art.
Thanks to Weilin Xu et al. and Cleverhans for providing the attack code. This work was partially supported by NSFC (No. 61702429) and the Sichuan Science and Technology Program (No. 19yyjc1656).
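The cross-channel feature described in the abstract can be sketched as follows. This is an added example, not the authors' code: the horizontal difference direction, the truncation threshold `T = 3`, the constructed test image, the random ±eps stand-in for a sign-based perturbation and all function names are assumptions made for illustration.

```python
import random
from collections import Counter

T = 3  # truncation threshold for difference values (assumed, not from the paper)

def diff_h(chan):
    """Horizontal 1st-order difference of one channel, truncated to [-T, T]."""
    return [[max(-T, min(T, row[j] - row[j + 1])) for j in range(len(row) - 1)]
            for row in chan]

def cross_channel_cooc(r, g, b):
    """Normalised histogram of (dR, dG, dB) triples taken at the same position."""
    dr, dg, db = diff_h(r), diff_h(g), diff_h(b)
    counts = Counter()
    for row_r, row_g, row_b in zip(dr, dg, db):
        counts.update(zip(row_r, row_g, row_b))
    total = sum(counts.values())
    bins = range(-T, T + 1)
    return {(x, y, z): counts[(x, y, z)] / total
            for x in bins for y in bins for z in bins}

def diagonal_mass(feat):
    """Share of positions where all three channels have the same difference."""
    return sum(v for (x, y, z), v in feat.items() if x == y == z)

def make_clean(h=32, w=32):
    """Constructed smooth image: one ramp, offset per channel (no clipping)."""
    base = [[3 * i + 2 * j + 20 for j in range(w)] for i in range(h)]
    return (base,
            [[v + 5 for v in row] for row in base],
            [[v + 10 for v in row] for row in base])

def perturb(chan, eps, rng):
    """Stand-in perturbation: +/-eps per pixel, independent in each channel."""
    return [[max(0, min(255, v + rng.choice((-eps, eps)))) for v in row]
            for row in chan]

def demo(eps=2, seed=0):
    """Return the (clean, perturbed) feature vectors for the constructed image."""
    rng = random.Random(seed)
    r, g, b = make_clean()
    clean = cross_channel_cooc(r, g, b)
    adv = cross_channel_cooc(*(perturb(c, eps, rng) for c in (r, g, b)))
    return clean, adv
```

On the constructed image every difference triple is identical across channels, so the clean feature sits entirely on the diagonal bins; the independent per-channel perturbation moves most of that mass to off-diagonal bins, which is the kind of shift a classifier trained on this feature can pick up.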
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Peng, A., Deng, K., Zhang, J., Luo, S., Zeng, H., Yu, W. (2020). Gradient-Based Adversarial Image Forensics. In: Yang, H., Pasupa, K., Leung, A.CS., Kwok, J.T., Chan, J.H., King, I. (eds) Neural Information Processing. ICONIP 2020. Lecture Notes in Computer Science, vol 12533. Springer, Cham. https://doi.org/10.1007/978-3-030-63833-7_35
DOI: https://doi.org/10.1007/978-3-030-63833-7_35
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-63832-0
Online ISBN: 978-3-030-63833-7
eBook Packages: Computer Science, Computer Science (R0)