• Corpus ID: 202712891

# Defending Against Physically Realizable Attacks on Image Classification

@article{Wu2020DefendingAP,
title={Defending Against Physically Realizable Attacks on Image Classification},
author={Tong Wu and Liang Tong and Yevgeniy Vorobeychik},
journal={ArXiv},
year={2020},
volume={abs/1909.09552}
}
• Published 20 September 2019
• Computer Science, Mathematics
• ArXiv
We study the problem of defending deep neural network approaches for image classification from physically realizable attacks. First, we demonstrate that the two most scalable and effective methods for learning robust models, adversarial training with PGD attacks and randomized smoothing, exhibit very limited effectiveness against three of the highest profile physical attacks. Next, we propose a new abstract adversarial model, rectangular occlusion attacks, in which an adversary places a small…
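The abstract is truncated above, but based on the rectangular occlusion attack (ROA) model it describes, a minimal PyTorch sketch might look like the following; the rectangle size, stride, step count, and exhaustive location search are illustrative assumptions, not the paper's exact procedure.

```python
# Hypothetical sketch of a rectangular occlusion attack (ROA):
# 1) find the rectangle position that most hurts the model,
# 2) optimise the rectangle's pixel contents with PGD.
import torch
import torch.nn.functional as F

def rectangular_occlusion_attack(model, x, y, h=7, w=7, stride=5,
                                 steps=30, alpha=0.1):
    model.eval()
    _, _, H, W = x.shape
    best_loss, best_pos = -float("inf"), (0, 0)
    # Stage 1: exhaustive search over positions using a grey rectangle.
    with torch.no_grad():
        for i in range(0, H - h + 1, stride):
            for j in range(0, W - w + 1, stride):
                x_occ = x.clone()
                x_occ[:, :, i:i+h, j:j+w] = 0.5
                loss = F.cross_entropy(model(x_occ), y).item()
                if loss > best_loss:
                    best_loss, best_pos = loss, (i, j)
    # Stage 2: PGD on the rectangle's contents at the chosen position.
    i, j = best_pos
    patch = torch.rand_like(x[:, :, i:i+h, j:j+w]).requires_grad_(True)
    for _ in range(steps):
        x_adv = x.clone()
        x_adv[:, :, i:i+h, j:j+w] = patch
        loss = F.cross_entropy(model(x_adv), y)
        grad, = torch.autograd.grad(loss, patch)
        patch = (patch + alpha * grad.sign()).clamp(0, 1).detach().requires_grad_(True)
    x_adv = x.clone()
    x_adv[:, :, i:i+h, j:j+w] = patch.detach()
    return x_adv
```

Per the title, retraining the classifier against such occluded adversarial examples is the defense direction the paper pursues.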
## 58 Citations
Towards Defending against Adversarial Examples via Attack-Invariant Features
• Computer Science
ICML
• 2021
An adversarial feature learning mechanism to disentangle invariant features from adversarial noise is introduced; it provides better protection than previous state-of-the-art approaches, especially against unseen types of attacks and adaptive attacks.
Minority Reports Defense: Defending Against Adversarial Patches
• Computer Science
ACNS Workshops
• 2020
This work proposes a defense against patch attacks based on partially occluding the image around each candidate patch location, so that at least a few of the occlusions completely hide the patch.
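A minimal sketch of the occlude-and-vote idea in that snippet; the occluder size, stride, and the agreement rule are simplified assumptions.

```python
# Hypothetical occlusion-based voting: slide a large grey occluder over
# the image; if the occluded copies disagree, some of them likely hid an
# adversarial patch, so the input is flagged.
import torch

def occlusion_vote_predict(model, x, occ=30, stride=20):
    model.eval()
    _, _, H, W = x.shape
    votes = []
    with torch.no_grad():
        for i in range(0, H - occ + 1, stride):
            for j in range(0, W - occ + 1, stride):
                x_occ = x.clone()
                x_occ[:, :, i:i+occ, j:j+occ] = 0.5
                votes.append(model(x_occ).argmax(dim=1))
    votes = torch.stack(votes)               # (positions, batch)
    majority = votes.mode(dim=0).values
    suspicious = ~(votes == majority).all(dim=0)
    return majority, suspicious              # prediction + attack flag
```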
MultAV: Multiplicative Adversarial Videos
• Computer Science
2021 17th IEEE International Conference on Advanced Video and Signal Based Surveillance (AVSS)
• 2021
A novel attack method against video recognition models, Multiplicative Adversarial Videos (MultAV), which imposes perturbation on video data by multiplication, and can be generalized to not only $\ell_{p}$-norm attacks with a new adversary constraint called ratio bound, but also different types of physically realizable attacks.
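A minimal sketch of a multiplicative perturbation under a ratio bound, per that description; the bound r and the step schedule are illustrative assumptions.

```python
# Hypothetical MultAV-style multiplicative attack:
# x_adv = x * m, with the multiplier m projected into [1/r, r].
import torch
import torch.nn.functional as F

def multiplicative_attack(model, x, y, r=1.1, steps=10, step=1.01):
    m = torch.ones_like(x, requires_grad=True)
    for _ in range(steps):
        loss = F.cross_entropy(model(x * m), y)
        grad, = torch.autograd.grad(loss, m)
        # Multiplicative ascent step, then project into the ratio bound.
        m = (m * step ** grad.sign()).clamp(1.0 / r, r).detach().requires_grad_(True)
    return (x * m.detach()).clamp(0, 1)
```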
Defending From Physically-Realizable Adversarial Attacks Through Internal Over-Activation Analysis
• Computer Science
ArXiv
• 2022
Z-Mask is a robust and effective strategy to improve the adversarial robustness of convolutional networks against physically-realizable adversarial attacks and outperforms the state-of-the-art methods in terms of both detection accuracy and overall performance of the networks under attack.
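A heavily simplified sketch of the over-activation idea: spatial locations whose internal feature energy is a statistical outlier get masked. The z-score rule and choice of layer are assumptions, not Z-Mask's actual procedure.

```python
# Hypothetical over-activation masking: physical patches tend to produce
# abnormally large intermediate activations, which are zeroed out here.
import torch

def overactivation_mask(feats, z_thresh=3.0):
    """feats: (B, C, H, W) from an intermediate layer; returns a
    (B, 1, H, W) mask zeroing out over-activated spatial locations."""
    energy = feats.norm(p=2, dim=1, keepdim=True)
    mu = energy.mean(dim=(2, 3), keepdim=True)
    sd = energy.std(dim=(2, 3), keepdim=True)
    z = (energy - mu) / (sd + 1e-6)
    return (z < z_thresh).float()
```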
Adversarial Pixel Masking: A Defense against Physical Attacks for Pre-trained Object Detectors
• Computer Science
ACM Multimedia
• 2021
This paper proposes adversarial pixel masking (APM), a defense against physical attacks, which is designed specifically for pre-trained object detectors, and shows that APM can significantly improve model robustness without significantly degrading clean performance.
Defending against Universal Adversarial Patches by Clipping Feature Norms
• Computer Science
2021 IEEE/CVF International Conference on Computer Vision (ICCV)
• 2021
A simple yet effective defending approach is proposed using a new feature norm clipping (FNC) layer which is a differentiable module that can be flexibly inserted in different CNNs to adaptively suppress the generation of large norm deep feature vectors.
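A minimal sketch of a norm-clipping layer in the spirit of that description; the fixed threshold tau is an assumption (the paper's exact clipping rule may differ).

```python
# Hypothetical feature-norm-clipping module: rescale each spatial
# feature vector so its l2 norm is at most tau, suppressing the large
# activations a universal patch relies on.
import torch
import torch.nn as nn

class FeatureNormClip(nn.Module):
    def __init__(self, tau=1.0):
        super().__init__()
        self.tau = tau

    def forward(self, x):                         # x: (B, C, H, W)
        norms = x.norm(p=2, dim=1, keepdim=True)  # per-location norm
        scale = (self.tau / norms.clamp(min=1e-12)).clamp(max=1.0)
        return x * scale
```

Because the module is differentiable, it can be inserted between existing CNN blocks and trained end to end, as the snippet suggests.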
Clipped BagNet: Defending Against Sticker Attacks with Clipped Bag-of-features
• Computer Science, Mathematics
2020 IEEE Security and Privacy Workshops (SPW)
• 2020
This work examines the adversarial sticker attack, where the attacker places a sticker somewhere on an image to induce it to be misclassified, and takes a first step towards defending against such attacks using clipped BagNet, which bounds the influence that any limited-size sticker can have on the final classification.
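A minimal sketch of the bounded-influence idea: per-patch class logits are clipped before spatial averaging, so a limited-size sticker can shift the final score by only a bounded amount. The 1x1-conv head and clipping range are illustrative assumptions.

```python
# Hypothetical clipped bag-of-features head: local class evidence is
# clamped, then averaged, bounding what a small sticker can contribute.
import torch
import torch.nn as nn

class ClippedBagOfFeaturesHead(nn.Module):
    def __init__(self, in_ch, num_classes, clip=1.0):
        super().__init__()
        self.local_logits = nn.Conv2d(in_ch, num_classes, kernel_size=1)
        self.clip = clip

    def forward(self, feats):                 # feats: (B, C, H, W)
        logits = self.local_logits(feats)     # per-patch class evidence
        logits = logits.clamp(-self.clip, self.clip)
        return logits.mean(dim=(2, 3))        # bounded spatial average
```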
Meta Adversarial Training against Universal Patches
• Computer Science
ArXiv
• 2021
Meta adversarial training (MAT) is proposed, a novel combination of adversarial training with meta-learning, which overcomes this challenge by meta-learning universal perturbations along with model training and considerably increases robustness against universal patch attacks.
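A minimal sketch of the meta-learning idea in that snippet: a small population of universal perturbations is carried across minibatches and updated one step at a time while the model trains against the currently strongest one. Shown with additive perturbations for simplicity; the paper's sampling and step-size schedules are simplified away.

```python
# Hypothetical meta-adversarial-training epoch. `patches` is a
# (K, C, H, W) tensor of universal perturbations kept across epochs,
# e.g. initialised as torch.zeros(K, C, H, W).
import torch
import torch.nn.functional as F

def mat_epoch(model, loader, opt, patches, alpha=0.01, eps=0.3):
    for x, y in loader:
        # Pick the perturbation that currently hurts this batch most.
        with torch.no_grad():
            losses = torch.stack([
                F.cross_entropy(model((x + p).clamp(0, 1)), y)
                for p in patches])
        k = losses.argmax().item()
        # One meta-learning step on that perturbation.
        p = patches[k].clone().requires_grad_(True)
        loss = F.cross_entropy(model((x + p).clamp(0, 1)), y)
        grad, = torch.autograd.grad(loss, p)
        patches[k] = (p + alpha * grad.sign()).clamp(-eps, eps).detach()
        # Standard adversarial training step against the updated one.
        opt.zero_grad()
        F.cross_entropy(model((x + patches[k]).clamp(0, 1)), y).backward()
        opt.step()
    return patches
```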
Turning Your Strength against You: Detecting and Mitigating Robust and Universal Adversarial Patch Attack
• Computer Science
ArXiv
• 2021
Jujutsu, a technique to detect and mitigate robust and universal adversarial patch attacks against image classification deep neural networks, is proposed; it can further defend against different variants of the basic attack.
Detecting Adversarial Patch Attacks through Global-local Consistency
• Computer Science
• 2021
This paper proposes a simple but very effective approach to detect adversarial patches based on an interesting observation called global-local consistency, and further proposes a Random-Local-Ensemble strategy to enhance detection.
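A minimal sketch of a global-local consistency check per that description; the crop count, crop fraction, and agreement threshold are illustrative, and crops are resized back to full resolution so a fixed-input-size model can be used.

```python
# Hypothetical detector: a localized adversarial patch often falls
# outside random crops, so crop predictions disagree with the global one.
import torch
import torch.nn.functional as F

def global_local_consistency(model, x, crops=8, frac=0.75, agree=0.5):
    model.eval()
    _, _, H, W = x.shape
    ch, cw = int(H * frac), int(W * frac)
    with torch.no_grad():
        g = model(x).argmax(dim=1)
        match = torch.zeros_like(g, dtype=torch.float)
        for _ in range(crops):
            i = torch.randint(0, H - ch + 1, (1,)).item()
            j = torch.randint(0, W - cw + 1, (1,)).item()
            crop = F.interpolate(x[:, :, i:i+ch, j:j+cw], size=(H, W),
                                 mode="bilinear", align_corners=False)
            match += (model(crop).argmax(dim=1) == g).float()
    return g, (match / crops) < agree        # prediction + suspicion flag
```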

## References

Showing 1-10 of 46 references
Certified Defenses against Adversarial Examples
• Computer Science
ICLR
• 2018
This work proposes a method based on a semidefinite relaxation that outputs a certificate that for a given network and test input, no attack can force the error to exceed a certain value, providing an adaptive regularizer that encourages robustness against all attacks.
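In generic notation (the symbols below are illustrative, not lifted from the paper), such a certificate upper-bounds the worst-case margin of any wrong class $y'$ over the true class $y$ under an $\ell_\infty$ budget $\epsilon$:

$$\max_{\|x' - x\|_\infty \le \epsilon} \big(f_{y'}(x') - f_y(x')\big) \;\le\; \mathrm{SDP}(x, y, y', \epsilon).$$

If the right-hand side is negative for every $y' \ne y$, no attack within the budget can flip the label; and because the bound is differentiable, it can serve as the adaptive regularizer the snippet mentions.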
SentiNet: Detecting Physical Attacks Against Deep Learning Systems
• Computer Science
ArXiv
• 2018
This work demonstrates the effectiveness of SentiNet on three different attacks (adversarial examples, data poisoning attacks, and trojaned networks) that have large variations in deployment mechanisms, and shows that the defense achieves very competitive performance metrics for all three threats, even against strong adaptive adversaries with full knowledge of SentiNet.
Towards Deep Learning Models Resistant to Adversarial Attacks
• Computer Science
ICLR
• 2018
This work studies the adversarial robustness of neural networks through the lens of robust optimization, and suggests the notion of security against a first-order adversary as a natural and broad security guarantee.
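For reference, a minimal sketch of the PGD adversarial training this paper popularized; the hyperparameters below are common defaults, not the paper's exact settings.

```python
# Inner maximisation: projected gradient descent in an l-infinity ball.
# Outer minimisation: ordinary SGD on the adversarial examples.
import torch
import torch.nn.functional as F

def pgd_attack(model, x, y, eps=8/255, alpha=2/255, steps=10):
    delta = torch.empty_like(x).uniform_(-eps, eps).requires_grad_(True)
    for _ in range(steps):
        loss = F.cross_entropy(model((x + delta).clamp(0, 1)), y)
        grad, = torch.autograd.grad(loss, delta)
        delta = (delta + alpha * grad.sign()).clamp(-eps, eps)
        delta = delta.detach().requires_grad_(True)
    return (x + delta.detach()).clamp(0, 1)

def adversarial_training_step(model, opt, x, y):
    x_adv = pgd_attack(model, x, y)
    opt.zero_grad()
    F.cross_entropy(model(x_adv), y).backward()
    opt.step()
```

This is the $\ell_\infty$ threat model whose limited effectiveness against physical attacks the main paper above demonstrates.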
Robust Physical-World Attacks on Deep Learning Visual Classification
• Computer Science
2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition
• 2018
This work proposes a general attack algorithm, Robust Physical Perturbations (RP2), to generate robust visual adversarial perturbations under different physical conditions and shows that adversarial examples generated using RP2 achieve high targeted misclassification rates against standard-architecture road sign classifiers in the physical world under various environmental conditions, including viewpoints.
On Detecting Adversarial Perturbations
• Computer Science
ICLR
• 2017
It is shown empirically that adversarial perturbations can be detected surprisingly well even though they are quasi-imperceptible to humans.
Synthesizing Robust Adversarial Examples
• Computer Science
ICML
• 2018
The existence of robust 3D adversarial objects is demonstrated, along with the first algorithm for synthesizing examples that are adversarial over a chosen distribution of transformations, including two-dimensional adversarial images that are robust to noise, distortion, and affine transformation.
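A minimal sketch of the Expectation Over Transformation idea from that abstract: average the attack loss over random, differentiable transformations so the perturbation survives them. Only random rotation is sampled here; the paper's transformation distribution is richer.

```python
# Hypothetical EOT sketch: gradients are averaged over random rotations
# implemented differentiably with affine_grid / grid_sample.
import math
import torch
import torch.nn.functional as F

def random_rotate(x, max_deg=15.0):
    b = x.size(0)
    theta = (torch.rand(b, device=x.device) * 2 - 1) * math.radians(max_deg)
    cos, sin = theta.cos(), theta.sin()
    mat = torch.zeros(b, 2, 3, device=x.device)
    mat[:, 0, 0], mat[:, 0, 1] = cos, -sin
    mat[:, 1, 0], mat[:, 1, 1] = sin, cos
    grid = F.affine_grid(mat, list(x.shape), align_corners=False)
    return F.grid_sample(x, grid, align_corners=False)

def eot_attack(model, x, y, eps=0.05, alpha=0.01, steps=40, samples=8):
    delta = torch.zeros_like(x, requires_grad=True)
    for _ in range(steps):
        # Average the loss over sampled transformations of the input.
        loss = sum(
            F.cross_entropy(model(random_rotate((x + delta).clamp(0, 1))), y)
            for _ in range(samples)) / samples
        grad, = torch.autograd.grad(loss, delta)
        delta = (delta + alpha * grad.sign()).clamp(-eps, eps).detach().requires_grad_(True)
    return (x + delta.detach()).clamp(0, 1)
```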
Certified Robustness to Adversarial Examples with Differential Privacy
• Computer Science
2019 IEEE Symposium on Security and Privacy (SP)
• 2019
This paper presents the first certified defense that both scales to large networks and datasets and applies broadly to arbitrary model types, based on a novel connection between robustness against adversarial examples and differential privacy, a cryptographically-inspired privacy formalism.
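A minimal sketch of the mechanism behind that connection: Gaussian noise inside the network makes the expected output stable under small input changes, and a certificate is computed from the gap between the top two expected scores. The layer placement, sigma, and sample count here are assumptions.

```python
# Hypothetical PixelDP-style components: a noise layer inserted into the
# network, plus Monte Carlo estimation of the expected class scores.
import torch
import torch.nn as nn

class NoiseLayer(nn.Module):
    def __init__(self, sigma=0.25):
        super().__init__()
        self.sigma = sigma

    def forward(self, x):
        return x + self.sigma * torch.randn_like(x)

def expected_scores(model, x, n=100):
    """Average softmax scores over n noisy forward passes; certification
    then reasons about the margin between the two largest entries."""
    with torch.no_grad():
        probs = torch.stack([model(x).softmax(dim=1) for _ in range(n)])
    return probs.mean(dim=0)
```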
Unrestricted Adversarial Examples via Semantic Manipulation
• Computer Science
ICLR
• 2020
This paper introduces "unrestricted" perturbations that manipulate semantically meaningful image-based visual descriptors (color and texture) in order to generate effective and photorealistic adversarial examples.
Semidefinite relaxations for certifying robustness to adversarial examples
• Computer Science
NeurIPS
• 2018
A new semidefinite relaxation for certifying robustness that applies to arbitrary ReLU networks is proposed; it is shown to be tighter than previous relaxations and to produce meaningful robustness guarantees on three different foreign networks whose training objectives are agnostic to the proposed relaxation.