Computer Science > Cryptography and Security
[Submitted on 23 Dec 2018 (v1), revised 29 Mar 2019 (this version, v2), latest version 31 Jul 2019 (v3)]
Title: AEPecker: L0 Adversarial Examples are not Strong Enough
Abstract: Despite the great achievements made by neural networks on tasks such as image classification, they are brittle and vulnerable to adversarial examples (AEs). By adding adversarial noise to input images, adversarial examples can be crafted to mislead neural network based image classifiers. One type of AE attack in particular, known as an L0 AE, has been used in several notable real-world incidents. Our observation is that, while L0 corruptions modify as few pixels as possible, they tend to cause large-amplitude perturbations to the modified pixels. We consider this to be an inherent limitation of L0 AEs which can be exploited. To show the weakness of L0 AEs, we thwart samples of these attacks by both detecting and rectifying them. The main novelty of the proposed detector is that we convert the AE detection problem into an image comparison problem by exploiting the inherent characteristics of L0 AEs. More concretely, given an image I, it is pre-processed to obtain another image I'. We use a Siamese network which is known to be effective in comparison, to take I and I' as the input pair. A well trained Siamese network can automatically capture the discrepancy between I and I' to detect L0 noises. In addition, the straightforward pre-processor based on heuristics can be deployed as an effective defense, having a high probability of removing the adversarial influence of L0 perturbations. The proposed technique shows not only a high accuracy but also a resilience to the adaptive adversary, which outperforms other state-of-the-art methods. We accordingly argue that L0 attacks are not strong enough.
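The comparison idea in the abstract, sketched as an added example that is not the authors' code: an image I is pre-processed into I', and pixels where the two disagree strongly are flagged and rectified. The abstract does not specify the pre-processor or the network, so a 3x3 median filter and a fixed amplitude threshold are assumed here as stand-ins for the heuristic pre-processor and the Siamese network; the image and the three corrupted pixels are constructed.

```python
# Added illustration: a 3x3 median filter stands in for the paper's heuristic
# pre-processor, and a fixed amplitude threshold stands in for the Siamese
# network. Both are assumptions; the abstract specifies neither.

def median3x3(img):
    """Return I': each pixel replaced by the median of its 3x3 neighbourhood."""
    h, w = len(img), len(img[0])
    out = [[0] * w for _ in range(h)]
    for y in range(h):
        for x in range(w):
            # Edge pixels reuse the nearest valid row/column (replication).
            window = sorted(
                img[min(max(y + dy, 0), h - 1)][min(max(x + dx, 0), w - 1)]
                for dy in (-1, 0, 1) for dx in (-1, 0, 1)
            )
            out[y][x] = window[4]  # 5th of 9 sorted values
    return out

def flag_pixels(img, threshold=64):
    """Compare I with I' and return (x, y) of pixels that differ by more than threshold."""
    pre = median3x3(img)
    return [(x, y) for y, row in enumerate(img) for x, v in enumerate(row)
            if abs(v - pre[y][x]) > threshold]

def rectify(img, threshold=64):
    """Replace only the flagged pixels with their median-filtered value."""
    pre = median3x3(img)
    fixed = [row[:] for row in img]
    for x, y in flag_pixels(img, threshold):
        fixed[y][x] = pre[y][x]
    return fixed

# Constructed sample: a smooth 16x16 grayscale gradient (values 0..180).
CLEAN = [[8 * x + 4 * y for x in range(16)] for y in range(16)]

# Constructed L0-style corruption: three pixels pushed to the range limits.
PERTURBED = [row[:] for row in CLEAN]
for (x, y), value in {(3, 4): 255, (10, 9): 0, (12, 2): 255}.items():
    PERTURBED[y][x] = value

if __name__ == "__main__":
    print("clean flags:    ", flag_pixels(CLEAN))
    print("perturbed flags:", flag_pixels(PERTURBED))
    worst = max(abs(a - b) for ra, rb in zip(rectify(PERTURBED), CLEAN)
                for a, b in zip(ra, rb))
    print("max residual error after rectification:", worst)
```

Because the corruption is sparse but large in amplitude, each altered pixel is an outlier in its own neighbourhood, which is what makes the I versus I' comparison informative; a fixed threshold is far cruder than a trained comparator and is used only to keep the sketch self-contained.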
Submission history
From: Fei Zuo
[v1] Sun, 23 Dec 2018 02:25:34 UTC (1,573 KB)
[v2] Fri, 29 Mar 2019 16:30:10 UTC (1,810 KB)
[v3] Wed, 31 Jul 2019 02:11:24 UTC (2,078 KB)