检索结果-内蒙古大学图书馆

adversarial example detection by predicting adversarial noise in the frequency domain

MULTIMEDIA TOOLS AND APPLICATIONS 2023年第16期82卷 25235-25251页

作者： Jung, Seunghwan Chung, Minyoung Shin, Yeong-Gil Seoul Natl Univ Dept Comp Sci & Engn 1 Gwanak Ro Seoul 08826 South Korea Soongsil Univ Sch Software 369 Sangdo Ro Seoul 06978 South Korea

Recent advances in deep neural network (DNN) techniques have increased the importance of security and robustness of algorithms where DNNs are applied. However, several studies have demonstrated that neural networks are vulnerable to adversarial examples, which are generated by adding crafted adversarial noises to the input images. Because the adversarial noises are typically imperceptible to the human eye, it is difficult to defend DNNs. One method of defense is the detection of adversarial examples by analyzing characteristics of input images. Recent studies have used the hidden layer outputs of the target classifier to improve the robustness but need to access the target classifier. Moreover, there is no post-processing step for the detected adversarial examples. They simply discard the detected adversarial images. To resolve this problem, we propose a novel detection-based method, which predicts the adversarial noise and detects the adversarial example based on the predicted noise without any target classification information. We first generated adversarial examples and adversarial noises, which can be obtained from the residual between the original and adversarial example images. Subsequently, we trained the proposed adversarial noise predictor to estimate the adversarial noise image and trained the adversarial detector using the input images and the predicted noises. The proposed framework has the advantage that it is agnostic to the input image modality. Moreover, the predicted noises can be used to reconstruct the detected adversarial examples as the non-adversarial images instead of discarding the detected adversarial examples. We tested our proposed method against the fast gradient sign method (FGSM), basic iterative method (BIM), projected gradient descent (PGD), Deepfool, and Carlini & Wagner adversarial attack methods on the CIFAR-10 and CIFAR-100 datasets provided by the Canadian Institute for Advanced Research (CIFAR). Our method demonstrated significa

关键词： adversarial example detection adversarial noise prediction Frequency domain classification Prediction-based adversarial detection

来源：评论

学校读者我要写书评

暂无评论

adversarial example detection based on saliency map features

引用

APPLIED INTELLIGENCE 2022年第6期52卷 6262-6275页

作者： Wang, Shen Gong, Yuxin Harbin Inst Technol Harbin Peoples R China

In recent years, machine learning has greatly improved image recognition capability. However, studies have shown that neural network models are vulnerable to adversarial examples that make models output wrong answers with high confidence. To understand the vulnerabilities of models, we use interpretability methods to reveal the internal decision-making behaviors of models. Interpretation results reflect that the evolutionary process of nonnormalized saliency maps between clean and adversarial examples are increasingly differentiated along model hidden layers. By taking advantage of this phenomenon, we propose an adversarial example detection method based on multilayer saliency features, which can comprehensively capture the abnormal characteristics of adversarial example interpretations. Experimental results show that the proposed method can effectively detect adversarial examples based on gradient, optimization and black-box attacks, and it is comparable with the state-of-the-art methods.

关键词： Machine learning adversarial example detection Interpretability Saliency map

来源：评论

学校读者我要写书评

暂无评论

adversarial example detection BAYESIAN GAME 30

ADVERSARIAL EXAMPLE DETECTION BAYESIAN GAME

引用

30th IEEE International Conference on Image Processing (ICIP)

作者： Zeng, Hui Chen, Biwei Deng, Kang Peng, Anjie Southwest Univ Sci & Technol Mianyang Sichuan Peoples R China Beijing Normal Univ Beijing Peoples R China

ISBN: (纸本)9781728198354

Despite the increasing attack ability and transferability of adversarial examples (AE), their security, i.e., how unlikely they can be detected, has been ignored more or less. Without the ability to circumvent popular detectors, the chance that an AE successfully fools a deep neural network is slim. This paper gives a game theory analysis of the interplay between an AE attacker and an AE detection investigator. Taking the perspective of a third party, we introduce a game theory model to evaluate the ultimate performance when both the attacker and the investigator are aware of each other. Further, a Bayesian game is adopted to address the information asymmetry in practice. Solving the mixed-strategy Nash equilibrium of the game, both parties' optimal strategies are obtained, and the security of AEs can be evaluated. We evaluate four popular attacks under a two-step test on ImageNet. The results may throw light on how a farsighted attacker or investigator will act in this adversarial environment. Our code is available at: https://***/zengh5/AED_BGame.

关键词： adversarial examples adversarial example detection game theory Bayesian game mixedstrategy Nash equilibrium

来源：评论

学校读者我要写书评

暂无评论

Robust adversarial example detection Algorithm Based on High-Level Feature Differences

引用

SENSORS 2025年第6期25卷 1770-1770页

作者： Mu, Hua Li, Chenggang Peng, Anjie Wang, Yangyang Liang, Zhenyu Natl Univ Def Technol Coll Elect Engn Hefei 230037 Peoples R China First Peoples Hosp Guangyuan Guangyuan 628017 Peoples R China Southwest Univ Sci & Technol Sch Comp Sci & Technol Mianyang 621010 Peoples R China Jianghuai Adv Technol Ctr Jianghuai 230031 Peoples R China

The threat posed by adversarial examples (AEs) to deep learning applications has garnered significant attention from the academic community. In response, various defense strategies have been proposed, including adversarial example detection. A range of detection algorithms has been developed to differentiate between benign samples and adversarial examples. However, the detection accuracy of these algorithms is significantly influenced by the characteristics of the adversarial attacks, such as attack type and intensity. Furthermore, the impact of image preprocessing on detection robustness-a common step before adversarial example generation-has been largely overlooked in prior research. To address these challenges, this paper introduces a novel adversarial example detection algorithm based on high-level feature differences (HFDs), which is specifically designed to improve robustness against both attacks and preprocessing operations. For each test image, a counterpart image with the same predicted label is randomly selected from the training dataset. The high-level features of both images are extracted using an encoder and compared through a similarity measurement model. If the feature similarity is low, the test image is classified as an adversarial example. The proposed method was evaluated for detection accuracy against four comparison methods, showing significant improvements over FS, DF, and MD, with a performance comparable to ESRM. Therefore, the subsequent robustness experiments focused exclusively on ESRM. Our results demonstrate that the proposed method exhibits superior robustness against preprocessing operations, such as downsampling and common corruptions, applied by attackers before generating adversarial examples. It is also applicable to various target models. By exploiting semantic conflicts in high-level features between clean and adversarial examples with the same predicted label, the method achieves high detection accuracy across diverse attack typ

关键词： adversarial example detection feature differences feature encoder similarity measurement model robustness

来源：评论

学校读者我要写书评

暂无评论

AED-PADA: Improving Generalizability of adversarial example detection via Principal adversarial Domain Adaptation

引用

ACM TRANSACTIONS ON MULTIMEDIA COMPUTING COMMUNICATIONS AND APPLICATIONS 2025年第2期21卷 1-24页

作者： Peng, Heqi Wang, Yunhong Yang, Ruijie Li, Beichen Wang, Rui Guo, Yuanfang Beihang Univ Sch Comp Sci & Engn Beijing Peoples R China Chinese Acad Sci State Key Lab Informat Secur Inst Informat Engn Beijing Peoples R China

adversarial example detection, which can be conveniently applied in many scenarios, is important in the area of adversarial defense. Unfortunately, existing detection methods suffer from poor generalization performance because their training process usually relies on the examples generated from a single known adversarial attack and there exists a large discrepancy between the training and unseen testing adversarial examples. To address this issue, we propose a novel method, named adversarial example detection via Principal adversarial Domain Adaptation (AED-PADA). Specifically, our approach identifies the Principal adversarial Domains (PADs), i.e., a combination of features of the adversarial examples generated by different attacks, which possesses a large portion of the entire adversarial feature space. Subsequently, we pioneer to exploit Multi-source Unsupervised Domain Adaptation in adversarial example detection, with PADs as the source domains. Experimental results demonstrate the superior generalization ability of our proposed AED-PADA. Note that this superiority is particularly achieved in challenging scenarios characterized by employing the minimal magnitude constraint for the perturbations.

关键词： adversarial defense adversarial example detection generalization ability

来源：评论

学校读者我要写书评

暂无评论

Revisiting model's uncertainty and confidences for adversarial example detection

引用

APPLIED INTELLIGENCE 2023年第1期53卷 509-531页

作者： Aldahdooh, Ahmed Hamidouche, Wassim Deforges, Olivier Univ Rennes CNRS INSA Rennes IETR UMR 6164 F-35000 Rennes France

Security-sensitive applications that rely on Deep Neural Networks (DNNs) are vulnerable to small perturbations that are crafted to generate adversarial examples. The (AEs) are imperceptible to humans and cause DNN to misclassify them. Many defense and detection techniques have been proposed. Model's confidences and Dropout, as a popular way to estimate the model's uncertainty, have been used for AE detection but they showed limited success against black- and gray-box attacks. Moreover, the state-of-the-art detection techniques have been designed for specific attacks or broken by others, need knowledge about the attacks, are not consistent, increase model parameters overhead, are time-consuming, or have latency in inference time. To trade off these factors, we revisit the model's uncertainty and confidences and propose a novel unsupervised ensemble AE detection mechanism that 1) uses the uncertainty method called SelectiveNet, 2) processes model layers outputs, i.e. feature maps, to generate new confidence probabilities. The detection method is called SFAD. Experimental results show that the proposed approach achieves better performance against black- and gray-box attacks than the state-of-the-art methods and achieves comparable performance against white-box attacks. Moreover, results show that SFAD is fully robust against High Confidence Attacks (HCAs) for MNIST and partially robust for CIFAR10 datasets.(1)

关键词： adversarial examples adversarial attacks adversarial example detection Deep learning robustness

来源：评论

学校读者我要写书评

暂无评论

adversarial example detection using semantic graph matching

引用

APPLIED SOFT COMPUTING 2023年 141卷

作者： Gong, Yuxin Wang, Shen Jiang, Xunzhi Yin, Liyao Sun, Fanghui Harbin Inst Technol Harbin 150000 Heilongjiang Peoples R China

Deep neural networks have recently been found to be vulnerable to adversarial examples, which can deceive attacked models with high confidence. This has given rise to significant security threats and raised doubts about the reliability of deploying deep learning models in security-critical domains. Therefore, effectively dealing with various adversarial examples has become an essential but challenging requirement. adversarial example detection can predict the existence of adversarial examples in advance. However, existing detection methods are usually restricted to specific attacks, lacking generalization and decision-making bases. In this paper, we discover that the common characteristic of adversarial examples is to alter the semantic information recognized by models, which can effectively distinguish adversarial examples and provide interpretability. Based on this perspective, we propose a semantic graph matching (SeMatch) method to execute attack-agnostic adversarial example detection. SeMatch detects adversarial examples by comparing the constructed semantic graphs with the semantic graph prototypes of their predicted classes and further corrects their classification results. Experimental results demonstrate that SeMatch can effectively detect and classify adversarial examples in several attack settings, achieving an average detection and classification accuracy of 96.01% and 89.71%, respectively. When applied to unknown attack scenarios, SeMatch is more effective and interpretable than state-of-the-art methods. & COPY;2023 Elsevier B.V. All rights reserved.

关键词： Deep learning Security adversarial example detection Generalization Decision-making bases Interpretability Semantic graph Attack-agnostic

来源：评论

学校读者我要写书评

暂无评论

Staying in the Cat-and-Mouse Game: Towards Black-box adversarial example detection 2

Staying in the Cat-and-Mouse Game: Towards Black-box Adversa...

引用

2nd International Workshop on Deep Multimodal Generation and Retrieval (MMGR)

作者： Gao, Yifei Lin, Zhiyu Yang, Yunfan Sang, Jitao Yang, Xiaoshan Xu, Changsheng Beijing Jiaotong Univ Beijing Peoples R China Pengcheng Lab Shenzhen Peoples R China Chinese Acad Sci MAIS Inst Automat Beijing Peoples R China Univ Chinese Acad Sci Sch Artificial Intelligence Beijing Peoples R China

ISBN: (纸本)9798400712029

adversarial example detection is known to be an effective adversarial defense method. Black-box attack, which is a more realistic threat and has led to various black-box adversarial training-based defense methods, however, does not attract considerable attention in adversarial example detection. In this paper, we fill this gap by positioning the problem of black-box adversarial example detection (BAD). Data analysis under the introduced BAD settings demonstrates the incapability of existing detectors in addressing the black-box scenario. To address the BAD problem, we propose a data reconstruction based adversarial example detection method. Specifically, we use variational auto-encoder (VAE) to capture both pixel and frequency representations of normal examples. Then we use reconstruction error to detect adversarial examples. Compared with existing detection methods, the proposed method achieves substantially better detection performance in BAD, which helps promote the deployment of adversarial example detection-based defense solutions in real-world applications.

关键词： adversarial Attack adversarial example detection

来源：评论

学校读者我要写书评

暂无评论

SmsNet: A New Deep Convolutional Neural Network Model for adversarial example detection

引用

IEEE TRANSACTIONS ON MULTIMEDIA 2022年 24卷 230-244页

作者： Wang, Jinwei Zhao, Junjie Yin, Qilin Luo, Xiangyang Zheng, Yuhui Shi, Yun-Qing Jha, Sunil Kr Nanjing Univ Informat Sci & Technol Dept Comp & Software Nanjing 210044 Jiangsu Peoples R China State Key Lab Math Engn & Adv Comp Zhengzhou 450001 Henan Peoples R China Xidian Univ Shanxi Key Lab Network Syst Secur Xian 710071 Shaanxi Peoples R China Minist Educ Engn Res Ctr Digital Forens Nanjing 210044 Jiangsu Peoples R China Nanjing Univ Informat Sci & Technol Nanjing Peoples R China New Jersey Inst Technol Dept Elect & Comp Engn Newark NJ 07102 USA

The emergence of adversarial examples has had a significant impact on the development and application of deep learning. In this paper, a novel convolutional neural network model, the stochastic multifilter statistical network (SmsNet), is proposed for the detection of adversarial examples. A feature statistical layer is constructed to collect statistical data of feature map output from each convolutional layer in SmsNet by combining manual features with a neural network. The entire model is an end-to-end detection model, so the feature statistical layer is not independent of the network, and its output is directly transmitted to the fully connected layer by a short-cut connection called the SmsConnection. Additionally, a dynamic pruning strategy is introduced to simplify the model structure for better performance. The experiments demonstrate the effectiveness of the network structure and pruning strategy, and the proposed model achieves high detection rates against state-of-the-art adversarial attacks.

关键词： Feature extraction Training Manuals Perturbation methods Information science Principal component analysis Neural networks adversarial example detection dynamic pruning strategy feature statistical layer SmsConnection

来源：评论

学校读者我要写书评

暂无评论

FreqSense: Universal and Low-Latency adversarial example detection for Speaker Recognition with Interpretability in Frequency Domain

FreqSense: Universal and Low-Latency Adversarial Example Det...

引用

2025 IEEE International Conference on Acoustics, Speech, and Signal Processing, ICASSP 2025

作者： Huang, Yihuan Li, Yuanzhe Ren, Yanzhen Tu, Weiping Yang, Yuhong Key Laboratory of Aerospace Information Security and Trusted Computing Ministry of Education China School of Cyber Science and Engineering Wuhan University China National Engineering Research Center for Multimedia Software School of Computer Science Wuhan University China

ISBN: (纸本)9798350368741

Speaker recognition (SR) systems are particularly vulnerable to adversarial example (AE) attacks. To mitigate these attacks, AE detection systems are typically integrated into SR systems. To overcome the limitations of low detection accuracy, poor generalization, and high latency in existing schemes, this paper proposes FreqSense, an AE detection scheme based on frequency distribution features. FreqSense detects a variety of unknown AE attacks with low latency, and provides interpretability in its detection process. The basic idea of FreqSense is that AE typically introduce carefully designed noise in specific frequency bands that are associated with highly distinctive speaker identities. Therefore, leveraging the distributional variations in these frequency bands can effectively distinguish between AE and benign audio. FreqSense models frequency distribution features by integrating time-frequency transformation technology with a self-attention mechanism and employs a neural network-based classifier to distinguish between AE and benign audio. Experimental results show that FreqSense achieves an overall detection accuracy of 99.2%, surpassing state-of-the-art (SOTA) schemes by 27.2%. When confronting unknown AE attacks, FreqSense achieves a detection accuracy of 98.3% with a latency of just 0.0014 seconds. © 2025 IEEE.

关键词： adversarial Attack adversarial example detection Speaker Recognition

来源：评论

学校读者我要写书评

暂无评论

建议与咨询留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

时间限定

文献类型

馆藏选择

核心期刊

语言

文献类型

帮助

文字说明：

检索规则说明：

检索范例：

分类表

所选分类

限定检索结果

文献类型

馆藏范围

日期分布

学科分类号

主题

机构

作者

语言

请选择保存的检索档案：

请选择收藏分类：

通借通还

建议与咨询 留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

时间限定

文献类型

馆藏选择

核心期刊

语言

文献类型

帮助

文字说明：

检索规则说明：

检索范例：

分类表

所选分类

限定检索结果

文献类型

馆藏范围

日期分布

学科分类号

主题

机构

作者

语言

请选择保存的检索档案： 新增检索档案 确定 取消

请选择收藏分类： 新增自定义分类 确定 取消

通借通还

建议与咨询留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

请选择保存的检索档案：

请选择收藏分类：