Feature Fusion Based Adversarial Example Detection Against Second-Round Adversarial Attacks


Impact Statement:
Currently, deep learning systems have important applications and outstanding performance in various areas, e.g., recognizing traffic objects in autopilot systems and classifying images for online search engines. However, their outputs will be wrong if imperceptible malicious perturbations, called adversarial perturbations, are added to their inputs. For instance, a deep learning autopilot system will ignore an adversarially perturbed “STOP” sign and keep moving. The detector proposed in this paper identifies various types of adversarial perturbations with an average accuracy of more than 95%. Adaptive perturbations against the detector achieve a success rate of only about 10%. With such detection accuracy and robustness, the detector can effectively protect deep learning systems from being attacked. For instance, it can help autopilot systems identify malicious objects. For online search engines, it can help to detect sensitive images that are hidden by adversarial perturbations.

Abstract:

Convolutional neural networks (CNNs) achieve remarkable performance in various areas. However, adversarial examples, which are designed to mislead CNNs into outputting incorrect results, threaten their security. Many methods have been proposed to detect adversarial examples. Unfortunately, most detection-based defense methods are vulnerable to second-round adversarial attacks, which can simultaneously deceive the base model and the detector. To resist such second-round adversarial attacks, handcrafted steganalysis features have been introduced to detect adversarial examples, but such a method achieves low accuracy at detecting sparse perturbations. In this article, we propose to combine handcrafted features with deep features via a fusion scheme to increase the detection accuracy and defend against second-round adversarial attacks. To avoid deep features being overwhelmed by high-dimensional handcrafted features, we propose an expansion-then-reduction process to compress the dimensionality of handcraft...
Published in: IEEE Transactions on Artificial Intelligence (Volume: 4, Issue: 5, October 2023)
Page(s): 1029 - 1040
Date of Publication: 14 July 2022
Electronic ISSN: 2691-4581