Abstract
The anti-detection adversarial attack is an evolved form of adversarial attack. It can both fool a CNN model into giving erroneous classification outputs and evade some detection-based defenses. In this paper, we aim to detect the adversarial images generated by a typical anti-detection attack that can evade some existing noising-based detectors. We find that this anti-detection attack causes shifting effects in the residual domain. Specifically, zero residual elements shift to non-zero elements, and shifting also occurs among non-zero residual elements. These shifting effects inevitably change the co-occurrence relationships among neighboring residual elements. Furthermore, the attacker treats the R, G, and B channels as isolated when adding the adversarial perturbation, which further disturbs their co-occurrence relationships. We therefore propose the \(3^{rd}\)-order co-occurrence probabilities of the R, G, and B residuals as features and construct a binary ensemble classifier to detect the anti-detection adversarial images. Experimental results show that the proposed method achieves detection accuracy >99% and >96.9% on ImageNet and CIFAR-10 respectively, outperforming state-of-the-art methods. In addition, the proposed method has good generalization ability and is difficult to attack again.
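The feature described in the abstract, sketched as an added example that is not the authors' code. It assumes a first-order horizontal residual, a truncation threshold T = 2, and that the third-order co-occurrence is taken over the (R, G, B) residual triple at the same pixel position; the sample image and the ±1 per-channel noise are constructed stand-ins, not the attack itself.

```python
import random
from collections import Counter

T = 2  # truncation threshold for residuals (assumed; not given on the page)

def residual(channel):
    """First-order horizontal residual x[i][j+1] - x[i][j], truncated to [-T, T]."""
    return [[max(-T, min(T, row[j + 1] - row[j])) for j in range(len(row) - 1)]
            for row in channel]

def cooccurrence(img):
    """Probability of each (rR, rG, rB) residual triple at the same position."""
    planes = [residual(img[c]) for c in "RGB"]
    counts = Counter()
    for row_r, row_g, row_b in zip(*planes):
        counts.update(zip(row_r, row_g, row_b))
    total = sum(counts.values())
    return {triple: n / total for triple, n in counts.items()}

def feature_vector(img):
    """Flatten the (2T+1)^3 co-occurrence probabilities into a fixed-order vector."""
    p = cooccurrence(img)
    span = range(-T, T + 1)
    return [p.get((a, b, c), 0.0) for a in span for b in span for c in span]

def zero_mass(img):
    """Probability that the residual is zero in all three channels."""
    return cooccurrence(img).get((0, 0, 0), 0.0)

def agreement_mass(img):
    """Probability that all three channels have the same residual."""
    return sum(v for (a, b, c), v in cooccurrence(img).items() if a == b == c)

def make_clean(h=32, w=32):
    """Constructed sample: smooth gray ramp, identical in R, G and B."""
    plane = [[100 + (i + j) // 4 for j in range(w)] for i in range(h)]
    return {c: [row[:] for row in plane] for c in "RGB"}

def perturb_channels_independently(img, seed=0):
    """Constructed stand-in for a channel-isolated perturbation: +/-1 noise per channel."""
    rng = random.Random(seed)
    return {c: [[max(0, min(255, v + rng.choice((-1, 0, 1)))) for v in row]
                for row in img[c]] for c in "RGB"}

if __name__ == "__main__":
    clean = make_clean()
    noisy = perturb_channels_independently(clean)
    print("P(0,0,0):", zero_mass(clean), "->", round(zero_mass(noisy), 3))
    print("P(rR=rG=rB):", agreement_mass(clean), "->", round(agreement_mass(noisy), 3))
```

The 125-element vector from `feature_vector` is what a binary classifier would be trained on; the drop in both masses after per-channel noise is the shift of zero residuals to non-zero values and the loss of inter-channel agreement that the abstract describes.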
This work was partially supported by NSFC (No. 41865006), Sichuan Science and Technology Program (No. 2022YFG0321, 2022NSFSC0916).
Notes
- 1. Some works call this attack the adaptive attack, a term that refers to existing or unknown attacks against a specific defense. We focus on detecting the existing adaptive attack and call it the anti-detection attack for clarity.
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Peng, A., Li, C., Zhu, P., Huang, X., Zeng, H., Yu, W. (2023). Countering the Anti-detection Adversarial Attacks. In: Tanveer, M., Agarwal, S., Ozawa, S., Ekbal, A., Jatowt, A. (eds) Neural Information Processing. ICONIP 2022. Communications in Computer and Information Science, vol 1791. Springer, Singapore. https://doi.org/10.1007/978-981-99-1639-9_41
DOI: https://doi.org/10.1007/978-981-99-1639-9_41
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-1638-2
Online ISBN: 978-981-99-1639-9
eBook Packages: Computer Science, Computer Science (R0)