TY - GEN
T1 - Defense Against Adversarial Examples Using Beneficial Noise
AU - Raval, Param
AU - Khakhi, Harin
AU - Kuribayashi, Minoru
AU - Raval, Mehul S.
N1 - Funding Information:
This research was supported by the JSPS KAKENHI Grant Numbers 19K22846 and 22K19777, JST SICORP Grant Number JPMJSC20C3, and JST CREST Grant Number JPMJCR20D3, Japan.
Publisher Copyright:
© 2022 Asia-Pacific Signal and Information Processing Association (APSIPA).
PY - 2022
Y1 - 2022
N2 - State-of-the-art techniques create adversarial examples with very low-intensity noise, making detection very hard. In the proposed work, we explore adding extra noise and filtering operations to differentiate between benign and adversarial examples. We hypothesize that adding lightweight noise affects the classification probability of adversarial examples more than that of benign ones. The proposed architecture uses these probability changes as features to train a binary classifier and detect adversarial examples in high-resolution, real-world images. Specifically, we look at beneficial noise generated through targeted adversarial attacks and noise from JPEG compression to perturb adversarial examples. Our standard classifier distinguished benign from adversarial examples for BIM, PGD, and DeepFool in approximately 96.5%, 97%, and 85% of the cases, respectively, on high-resolution images from the ImageNet dataset.
AB - State-of-the-art techniques create adversarial examples with very low-intensity noise, making detection very hard. In the proposed work, we explore adding extra noise and filtering operations to differentiate between benign and adversarial examples. We hypothesize that adding lightweight noise affects the classification probability of adversarial examples more than that of benign ones. The proposed architecture uses these probability changes as features to train a binary classifier and detect adversarial examples in high-resolution, real-world images. Specifically, we look at beneficial noise generated through targeted adversarial attacks and noise from JPEG compression to perturb adversarial examples. Our standard classifier distinguished benign from adversarial examples for BIM, PGD, and DeepFool in approximately 96.5%, 97%, and 85% of the cases, respectively, on high-resolution images from the ImageNet dataset.
UR - http://www.scopus.com/inward/record.url?scp=85146266010&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85146266010&partnerID=8YFLogxK
U2 - 10.23919/APSIPAASC55919.2022.9979828
DO - 10.23919/APSIPAASC55919.2022.9979828
M3 - Conference contribution
AN - SCOPUS:85146266010
T3 - Proceedings of 2022 Asia-Pacific Signal and Information Processing Association Annual Summit and Conference, APSIPA ASC 2022
SP - 1842
EP - 1848
BT - Proceedings of 2022 Asia-Pacific Signal and Information Processing Association Annual Summit and Conference, APSIPA ASC 2022
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2022 Asia-Pacific Signal and Information Processing Association Annual Summit and Conference, APSIPA ASC 2022
Y2 - 7 November 2022 through 10 November 2022
ER -