Detecting adversarial examples by positive and negative representations

Highlights

• We propose a PNDetector to detect perturbations which is simple and efficient.

• We use PNClassifiers as part of the PNDetector rather than traditional classifiers.

• We use eight methods to generate examples to test the performance of the detector.

Abstract

Deep neural networks (DNNs) have been successfully applied in various fields. However, it has been demonstrated that a well-designed and quasi-imperceptible perturbation can confuse the targeted DNNs classifier with high confidence and lead to misclassification. Examples with such perturbations are called adversarial examples, and it is a challenging task to detect them. In this paper, we propose a positive–negative detector (PNDetector) to detect adversarial examples. The PNDetector is based on a positive–negative classifier (PNClassifier), which is trained by both the original examples (called positive representations) and their negative representations with the same structural and semantic features. The principle of the PNDetector is that the feature space of the positive and negative representations of adversarial examples under the PNClassifier has a high probability of belonging to different categories, while its performance on clean examples is not reduced by adding negative example representations into the train set. We test the PNDetector with adversarial examples generated by eight typical attack methods on four typical datasets. The experimental results demonstrate that the proposed detector is efficient in all datasets and under all attack types. Furthermore, its detection performance is comparable to that of state-of-the-art methods.

Introduction

In recent years, deep neural networks (DNNs) have been widely used in machine learning tasks, in particular speech recognition [1], face recognition [2], autonomous driving [3], and riverside monitoring systems [4]. However, it has been demonstrated that DNNs are susceptible to adversarial perturbations. That is, small perturbations that could cause legitimate images to be misclassified with high confidence. Such examples, which lead to misclassification, are called adversarial examples [5]. Attacking a DNN model in this manner may have serious consequences. For example, an attack on a facial feature recognition system may result in illegal access, a misjudgment by an automated driving system may cause a car accident, or a virus spoofing a malicious code detection system may seriously damage a computer.

The widespread application of DNNs has attracted considerable attention to the defense of adversarial examples. However, this is a challenging task. First, there are various adversarial examples generated by different attacks. It is difficult to establish a unified model to describe the intrinsic characteristics of these adversarial examples. Second, the perturbations are mostly solutions of non-convex nonlinear optimization problems, whose theoretical basis is not well understood [6]. Therefore, it is difficult to form a systematic theoretical explanation of the existence of adversarial examples in the DNN models, and the defense based on network flaws also becomes difficult.

Existing detection methods require a lot of time-consuming computations. In order to propose a fast and effective detection algorithm, we consider the use of negative information representation to study adversarial sample detectors. Information negative representation is a branch of immune computing used for information security and privacy protection [7], [8], [9]. Inspired by the negative representation of information [10], [11], we can easily flip the pixels of the original image to construct a negative image. These negative images have different pixel values from the original image, but have the same semantics, which is very meaningful. Firstly, negative images can be generated without any auxiliary information to enrich the dataset, so as to make the decision boundary of the model more accurate. Secondly, the existing attacks are basically attacks on positive samples. At the same time, there is a high probability that there is a difference between the positive adversarial samples and the negative adversarial samples (the negative representation of the positive adversarial samples), so we can perform difference analysis on the positive and negative images to detect Adversarial samples.

This paper focuses on adversarial examples concerning the feature space. A positive–negative detector (PNDetector) is proposed to detect adversarial examples, which is an attack-agnostic detection method. That is, when PNDetector detects the adversarial example, it does not know what kind of attack methods the example was generated by. The starting point of our study is that it is difficult to defend against adversarial perturbations, and thus we choose to study the intrinsic feature space of negative representation examples that negate all pixels. Negative representation image refers to the inversion of the original image, namely $1-x$, when the original image is $x$, and the pixel value is normalized to the interval [0,1]. Given that negative and positive images often have the same semantic structure [12], we reasonably propose PNClassifier, which adds negative representation samples to the training set. PNClassifier can enforce the similarity of normal positive and negative samples and map the adversarial positive and negative ones into the disjoint example space. Therefore, if the similarity of an unknown example is large (as calculated by the proposed detector), then the example is legitimate. However, if the difference is large, the example is judged to be adversarial, and its input is refused to avoid further damage.

In summary, the main contributions of this study are as follows.

• Based on the negative representation of information, we propose a PNDetector to detect adversarial perturbations. The detector is composed of a classifier and a set of decision strategies. It judges whether an input example is an adversarial example by comparing the output similarity of its positive and negative representation version. PNDetector is simple, computationally efficient, and does not rely on datasets, attack methods, and network models.

• We use PNClassifiers as part of the PNDetector rather than traditional classifiers. PNClassifiers are trained by original examples and their negative representations. According to the assignment strategy of negative example labels, three PNClassifiers are proposed. In the first, positive and negative examples use the same label, but in the other two, different labels are used.

• We use eight advanced attack methods to generate examples to test the performance of the detector. The experimental results indicate that compared with state-of-the-art detection methods, the PNDetector has competitive performance. What is more, the good performance of PNDetector inspired us the ability to simultaneously attack various representation examples will be an important factor in evaluating attack performance in the future.

The rest of this paper is organized as follows. Section 2 introduces the background and related work. Section 3 introduces the concept of negative representations of images, proposes the PNDetector, and use the PNClassifier to analyze the rationality of the PNDetector. Section 4 presents the algorithm settings and the experimental results by the PNClassifier and the PNDetector, and it compares the performance of the proposed method with that of several state-of-the-art algorithms. The final section concludes the paper and proposes possible future research directions.