Defense against Universal Adversarial Perturbations

Naveed Akhtar; Jian Liu; Ajmal Mian

doi:10.1109/CVPR.2018.00357

Defense against Universal Adversarial Perturbations

Naveed Akhtar, Jian Liu, Ajmal Mian

School of Physics, Maths and Computing

Research output: Chapter in Book/Conference paper › Conference paper

18 Citations (Scopus)

Abstract

Recent advances in Deep Learning show the existence of image-agnostic quasi-imperceptible perturbations that when applied to `any' image can fool a state-of-the-art network classifier to change its prediction about the image label. These `Universal Adversarial Perturbations' pose a serious threat to the success of Deep Learning in practice. We present the first dedicated framework to effectively defend the networks against such perturbations. Our approach learns a Perturbation Rectifying Network (PRN) as `pre-input' layers to a targeted model, such that the targeted model needs no modification. The PRN is learned from real and synthetic image-agnostic perturbations, where an efficient method to compute the latter is also proposed. A perturbation detector is separately trained on the Discrete Cosine Transform of the input-output difference of the PRN. A query image is first passed through the PRN and verified by the detector. If a perturbation is detected, the output of the PRN is used for label prediction instead of the actual image. A rigorous evaluation shows that our framework can defend the network classifiers against unseen adversarial perturbations in the real-world scenarios with up to 97.5% success rate. The PRN also generalizes well in the sense that training for one targeted network defends another network with a comparable success rate.

Original language	English
Title of host publication	IEEE Conference on Computer Vision and Pattern Recognition
Place of Publication	United States
Publisher	IEEE, Institute of Electrical and Electronics Engineers
Pages	3389-3398
Number of pages	10
ISBN (Electronic)	9781538664209
ISBN (Print)	9781538664216
DOIs	https://doi.org/10.1109/CVPR.2018.00357
Publication status	Published - 18 Jun 2018
Event	2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition - Salt Lake City, United States Duration: 18 Jun 2018 → 23 Jun 2018

Conference

Conference	2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition
Country	United States
City	Salt Lake City
Period	18/06/18 → 23/06/18

Access to Document

10.1109/CVPR.2018.00357

http://openaccess.thecvf.com/content_cvpr_2018/papers/Akhtar_Defense_Against_Universal_CVPR_2018_paper.pdf

Fingerprint Dive into the research topics of 'Defense against Universal Adversarial Perturbations'. Together they form a unique fingerprint.

Cite this

Akhtar, N., Liu, J., & Mian, A. (2018). Defense against Universal Adversarial Perturbations. In IEEE Conference on Computer Vision and Pattern Recognition (pp. 3389-3398). United States: IEEE, Institute of Electrical and Electronics Engineers. https://doi.org/10.1109/CVPR.2018.00357

@inproceedings{16f5c69af9374cfaa6f82fad5ec72e65,

title = "Defense against Universal Adversarial Perturbations",

abstract = "Recent advances in Deep Learning show the existence of image-agnostic quasi-imperceptible perturbations that when applied to `any' image can fool a state-of-the-art network classifier to change its prediction about the image label. These `Universal Adversarial Perturbations' pose a serious threat to the success of Deep Learning in practice. We present the first dedicated framework to effectively defend the networks against such perturbations. Our approach learns a Perturbation Rectifying Network (PRN) as `pre-input' layers to a targeted model, such that the targeted model needs no modification. The PRN is learned from real and synthetic image-agnostic perturbations, where an efficient method to compute the latter is also proposed. A perturbation detector is separately trained on the Discrete Cosine Transform of the input-output difference of the PRN. A query image is first passed through the PRN and verified by the detector. If a perturbation is detected, the output of the PRN is used for label prediction instead of the actual image. A rigorous evaluation shows that our framework can defend the network classifiers against unseen adversarial perturbations in the real-world scenarios with up to 97.5{\%} success rate. The PRN also generalizes well in the sense that training for one targeted network defends another network with a comparable success rate.",

author = "Naveed Akhtar and Jian Liu and Ajmal Mian",

year = "2018",

month = "6",

day = "18",

doi = "10.1109/CVPR.2018.00357",

language = "English",

isbn = "9781538664216",

pages = "3389--3398",

booktitle = "IEEE Conference on Computer Vision and Pattern Recognition",

publisher = "IEEE, Institute of Electrical and Electronics Engineers",

address = "United States",

}

Akhtar, N, Liu, J & Mian, A 2018, Defense against Universal Adversarial Perturbations. in IEEE Conference on Computer Vision and Pattern Recognition. IEEE, Institute of Electrical and Electronics Engineers, United States, pp. 3389-3398, 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition, Salt Lake City, United States, 18/06/18. https://doi.org/10.1109/CVPR.2018.00357

TY - GEN

T1 - Defense against Universal Adversarial Perturbations

AU - Akhtar, Naveed

AU - Liu, Jian

AU - Mian, Ajmal

PY - 2018/6/18

Y1 - 2018/6/18

N2 - Recent advances in Deep Learning show the existence of image-agnostic quasi-imperceptible perturbations that when applied to `any' image can fool a state-of-the-art network classifier to change its prediction about the image label. These `Universal Adversarial Perturbations' pose a serious threat to the success of Deep Learning in practice. We present the first dedicated framework to effectively defend the networks against such perturbations. Our approach learns a Perturbation Rectifying Network (PRN) as `pre-input' layers to a targeted model, such that the targeted model needs no modification. The PRN is learned from real and synthetic image-agnostic perturbations, where an efficient method to compute the latter is also proposed. A perturbation detector is separately trained on the Discrete Cosine Transform of the input-output difference of the PRN. A query image is first passed through the PRN and verified by the detector. If a perturbation is detected, the output of the PRN is used for label prediction instead of the actual image. A rigorous evaluation shows that our framework can defend the network classifiers against unseen adversarial perturbations in the real-world scenarios with up to 97.5% success rate. The PRN also generalizes well in the sense that training for one targeted network defends another network with a comparable success rate.

AB - Recent advances in Deep Learning show the existence of image-agnostic quasi-imperceptible perturbations that when applied to `any' image can fool a state-of-the-art network classifier to change its prediction about the image label. These `Universal Adversarial Perturbations' pose a serious threat to the success of Deep Learning in practice. We present the first dedicated framework to effectively defend the networks against such perturbations. Our approach learns a Perturbation Rectifying Network (PRN) as `pre-input' layers to a targeted model, such that the targeted model needs no modification. The PRN is learned from real and synthetic image-agnostic perturbations, where an efficient method to compute the latter is also proposed. A perturbation detector is separately trained on the Discrete Cosine Transform of the input-output difference of the PRN. A query image is first passed through the PRN and verified by the detector. If a perturbation is detected, the output of the PRN is used for label prediction instead of the actual image. A rigorous evaluation shows that our framework can defend the network classifiers against unseen adversarial perturbations in the real-world scenarios with up to 97.5% success rate. The PRN also generalizes well in the sense that training for one targeted network defends another network with a comparable success rate.

U2 - 10.1109/CVPR.2018.00357

DO - 10.1109/CVPR.2018.00357

M3 - Conference paper

SN - 9781538664216

SP - 3389

EP - 3398

BT - IEEE Conference on Computer Vision and Pattern Recognition

PB - IEEE, Institute of Electrical and Electronics Engineers

CY - United States

ER -