Annual Computer Security Applications Conference (ACSAC) 2021

Full Program »

Two Souls in an Adversarial Image: Towards Universal Adversarial Example Detection using Multi-view Inconsistency

In the evasion attacks against deep neural networks (DNN), the attacker generates adversarial instances that are visually indistinguishable from benign samples and sends them to the target DNN to trigger misclassifications. In this paper, we propose a novel multi-view adversarial image detector, namely Argus, based on a novel observation. That is, there exist two ``souls'' in an adversarial instance, i.e., the visually unchanged content, which corresponds to the true label, and the added invisible perturbation, which corresponds to the misclassified label. Such inconsistencies could be further amplified through an autoregressive generative approach that generates images with seed pixels selected from the original image, a selected label, and pixel distributions learned from the training data. The generated images (i.e., the ``views'') will deviate significantly from the original one if the label is adversarial, demonstrating inconsistencies that Argus expects to detect. To this end, Argus first amplifies the discrepancies between the visual content of an image and its misclassified label induced by the attack using a set of regeneration mechanisms and then identifies an image as adversarial if the reproduced views deviate to a preset degree. Our experimental results show that Argus significantly outperforms two representative adversarial detectors in both detection accuracy and robustness against six well-known adversarial attacks.

Sohaib Kiani
University of Kansas

Sana Awan
University of Kansas

Chao Lan
University of Oklahoma

Fengjun Li
University of Kansas

Bo Luo
University of Kansas

Paper (ACM DL)

Slides

Video

 



Powered by OpenConf®
Copyright©2002-2021 Zakon Group LLC