What is it about?

We systematically show that the evaluation of existing detection methods against adversarial examples (AEs) is far from sufficient. Most of them were evaluated on small images and performed well there, but are shown to perform poorly on large images. In addition, they do not work well across different models and attack algorithms. We propose a novel sensitivity-based detector to overcome the weaknesses of existing detection approaches. By utilizing 19 space mapping methods, the distribution of AEs can be distinguished from that of normal examples in the new feature space. Our detector makes a solid attempt to build a robust detector across different learning models and attack algorithms. We conduct a comprehensive evaluation of the proposed detector. The results show that the detector can achieve a high true-positive rate (TPR) (98%) with a low false-positive rate (FPR) (<1%), which significantly outperforms state-of-the-art detection approaches. In addition, the detector is very efficient (<0.1 s to detect each input) and robust to adaptive attacks. Our detector can also be used to defend against white-box attacks. In particular, with our detector deployed, the success rates of white-box attacks drop below 5%.


Why is it important?

First, most existing methods were not comprehensively evaluated. They were only evaluated on small images such as the Modified National Institute of Standards and Technology database (MNIST) and CIFAR10. Second, most defences lack robustness. No matter how the attack parameters, algorithms, and target model change, a robust defence should be adaptive to them. Unfortunately, the previous detection-based defences are sensitive to the parameters and algorithms of attacks, and they are model specific. Third, most of the existing detection methods cannot defend well against white-box attacks, where the adversary knows the detector and the target model. Therefore, it is highly desirable to develop a robust detection approach that remains effective for a large group of attack algorithms.


Writing this paper was a great pleasure. We worked together with the top experts in the field to finish the work. We solved a difficult problem and hope this paper can improve the defense level of adversarial examples and help more researchers learn this technology.

Xurong Li
Zhejiang University

Read the Original

This page is a summary of: Adversarial Examples Detection through the Sensibility in Space Mappings, IET Computer Vision, February 2020, the Institution of Engineering and Technology (the IET), DOI: 10.1049/iet-cvi.2019.0378.