Corpus ID: 202712891

Defending Against Physically Realizable Attacks on Image Classification

@article{Wu2020DefendingAP,
  title={Defending Against Physically Realizable Attacks on Image Classification},
  author={Tong Wu and Liang Tong and Yevgeniy Vorobeychik},
  journal={ArXiv},
  year={2020},
  volume={abs/1909.09552}
}
We study the problem of defending deep neural network approaches for image classification from physically realizable attacks. First, we demonstrate that the two most scalable and effective methods for learning robust models, adversarial training with PGD attacks and randomized smoothing, exhibit very limited effectiveness against three of the highest profile physical attacks. Next, we propose a new abstract adversarial model, rectangular occlusion attacks, in which an adversary places a small… 
Towards Defending against Adversarial Examples via Attack-Invariant Features
TLDR
An adversarial feature learning mechanism to disentangle invariant features from adversarial noise is introduced and could provide better protection in comparison to previous state-of-the-art approaches, especially against unseen types of attacks and adaptive attacks.
Minority Reports Defense: Defending Against Adversarial Patches
TLDR
This work proposes a defense against patch attacks based on partially occluding the image around each candidate patch location, so that a few occlusions each completely hide the patch.
MultAV: Multiplicative Adversarial Videos
  • Shao-Yuan Lo, Vishal M. Patel
  • Computer Science
    2021 17th IEEE International Conference on Advanced Video and Signal Based Surveillance (AVSS)
  • 2021
TLDR
A novel attack method against video recognition models, Multiplicative Adversarial Videos (MultAV), which imposes perturbation on video data by multiplication, and can be generalized to not only $\ell_{p}$-norm attacks with a new adversary constraint called ratio bound, but also different types of physically realizable attacks.
Defending From Physically-Realizable Adversarial Attacks Through Internal Over-Activation Analysis
TLDR
Z-Mask is a robust and effective strategy to improve the adversarial robustness of convolutional networks against physically-realizable adversarial attacks and outperforms the state-of-the-art methods in terms of both detection accuracy and overall performance of the networks under attack.
Adversarial Pixel Masking: A Defense against Physical Attacks for Pre-trained Object Detectors
TLDR
This paper proposes adversarial pixel masking (APM), a defense against physical attacks, which is designed specifically for pre-trained object detectors, and shows that APM can significantly improve model robustness without significantly degrading clean performance.
Defending against Universal Adversarial Patches by Clipping Feature Norms
TLDR
A simple yet effective defending approach is proposed using a new feature norm clipping (FNC) layer which is a differentiable module that can be flexibly inserted in different CNNs to adaptively suppress the generation of large norm deep feature vectors.
Clipped BagNet: Defending Against Sticker Attacks with Clipped Bag-of-features
TLDR
This work examines the adversarial sticker attack, where the attacker places a sticker somewhere on an image to induce it to be misclassified, and takes a first step towards defending against such attacks using clipped BagNet, which bounds the influence that any limited-size sticker can have on the final classification.
Meta Adversarial Training
TLDR
Meta adversarial training (MAT) is proposed, a novel combination of adversarial training with meta-learning, which overcomes this challenge by meta-learning universal perturbations along with model training and considerably increases robustness against universal patch attacks.
Turning Your Strength against You: Detecting and Mitigating Robust and Universal Adversarial Patch Attack
TLDR
Jujutsu is proposed, a technique to detect and mitigate robust and universal adversarial patch attacks against image classification deep neural networks, and can further defend against different variants of the basic attack.
Detecting Adversarial Patch Attacks through Global-local Consistency
TLDR
This paper proposes a simple but very effective approach to detect adversarial patches based on an interesting observation called global-local consistency and proposes to use Random-Local-Ensemble strategy to further enhance it in the detection.

References

SHOWING 1-10 OF 46 REFERENCES
Certified Defenses against Adversarial Examples
TLDR
This work proposes a method based on a semidefinite relaxation that outputs a certificate that for a given network and test input, no attack can force the error to exceed a certain value, providing an adaptive regularizer that encourages robustness against all attacks.
SentiNet: Detecting Physical Attacks Against Deep Learning Systems
TLDR
This work demonstrates the effectiveness of SentiNet on three different attacks, i.e., adversarial examples, data poisoning attacks, and trojaned networks, that have large variations in deployment mechanisms, and shows that the defense is able to achieve very competitive performance metrics for all three threats, even against strong adaptive adversaries with full knowledge of SentiNet.
Towards Deep Learning Models Resistant to Adversarial Attacks
TLDR
This work studies the adversarial robustness of neural networks through the lens of robust optimization, and suggests the notion of security against a first-order adversary as a natural and broad security guarantee.
Robust Physical-World Attacks on Deep Learning Visual Classification
TLDR
This work proposes a general attack algorithm, Robust Physical Perturbations (RP2), to generate robust visual adversarial perturbations under different physical conditions and shows that adversarial examples generated using RP2 achieve high targeted misclassification rates against standard-architecture road sign classifiers in the physical world under various environmental conditions, including viewpoints.
On Detecting Adversarial Perturbations
TLDR
It is shown empirically that adversarial perturbations can be detected surprisingly well even though they are quasi-imperceptible to humans.
Synthesizing Robust Adversarial Examples
TLDR
The existence of robust 3D adversarial objects is demonstrated, and the first algorithm for synthesizing examples that are adversarial over a chosen distribution of transformations is presented, which synthesizes two-dimensional adversarial images that are robust to noise, distortion, and affine transformation.
Certified Robustness to Adversarial Examples with Differential Privacy
TLDR
This paper presents the first certified defense that both scales to large networks and datasets and applies broadly to arbitrary model types, based on a novel connection between robustness against adversarial examples and differential privacy, a cryptographically-inspired privacy formalism.
Unrestricted Adversarial Examples via Semantic Manipulation
TLDR
This paper introduces "unrestricted" perturbations that manipulate semantically meaningful image-based visual descriptors -- color and texture -- in order to generate effective and photorealistic adversarial examples.
Semidefinite relaxations for certifying robustness to adversarial examples
TLDR
A new semidefinite relaxation for certifying robustness that applies to arbitrary ReLU networks is proposed and it is shown that this proposed relaxation is tighter than previous relaxations and produces meaningful robustness guarantees on three different foreign networks whose training objectives are agnostic to the proposed relaxation.
Curriculum Adversarial Training
TLDR
It is demonstrated that CAT can improve the prior art's empirical worst-case accuracy by a large margin of 25% on CIFAR-10 and 35% on SVHN and the model's performance on non-adversarial inputs is comparable to the state-of-the-art models.