Loading…

Feature-filter: Detecting adversarial examples by filtering out recessive features

Deep neural networks (DNNs) have achieved state-of-the-art performance in numerous tasks involving complex analysis of raw data, such as self-driving systems and biometric recognition systems. However, recent works have shown that DNNs are under threat from adversarial example attacks. The adversary...

Full description

Saved in:
Bibliographic Details
Published in:Applied soft computing 2022-07, Vol.124, p.109027, Article 109027
Main Authors: Liu, Hui, Zhao, Bo, Ji, Minzhi, Peng, Yuefeng, Guo, Jiabao, Liu, Peng
Format: Article
Language:English
Subjects:
Citations: Items that this one cites
Items that cite this one
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
cited_by cdi_FETCH-LOGICAL-c300t-2d147ae825620e789e90ce2270ab211c6bc83a5daaeacd77ea2e4244d59657233
cites cdi_FETCH-LOGICAL-c300t-2d147ae825620e789e90ce2270ab211c6bc83a5daaeacd77ea2e4244d59657233
container_end_page
container_issue
container_start_page 109027
container_title Applied soft computing
container_volume 124
creator Liu, Hui
Zhao, Bo
Ji, Minzhi
Peng, Yuefeng
Guo, Jiabao
Liu, Peng
description Deep neural networks (DNNs) have achieved state-of-the-art performance in numerous tasks involving complex analysis of raw data, such as self-driving systems and biometric recognition systems. However, recent works have shown that DNNs are under threat from adversarial example attacks. The adversary can easily change the outputs of DNNs by adding small well-designed perturbations to inputs. Adversarial example detection is fundamental for robust DNN-based services. From a human-centric perspective, this paper divides image features into dominant features comprehensible to humans and recessive features incomprehensible to humans yet exploited by DNNs. Based on this perspective, the paper proposes a new viewpoint that imperceptible adversarial examples are the product of recessive features misleading neural networks, and that the adversarial attack enriches these recessive features. The imperceptibility of the adversarial examples indicates that the perturbations enrich recessive features but hardly affect dominant features. Therefore, adversarial examples are sensitive to filtering out recessive features, while benign examples are immune to such operations. Inspired by this idea, we propose a label-only adversarial detector that is referred to as a feature-filter. The feature-filter utilizes the discrete cosine transform (DCT) to approximately separate recessive features from dominant features and obtain a filtered image. A comprehensive user study demonstrates that the DCT-based filter can reliably filter out recessive features from the test image. By comparing only the DNN’s prediction labels on the input and its filtered version, the feature-filter can detect imperceptible adversarial examples in real time with high accuracy and few false-positives. •We reveal the reason for the existence of imperceptible adversarial examples.•We propose a label-only approach to detect imperceptible adversarial examples.•We design a DCT-based filter to reliably filter out recessive features.
doi_str_mv 10.1016/j.asoc.2022.109027
format article
fullrecord <record><control><sourceid>elsevier_cross</sourceid><recordid>TN_cdi_crossref_primary_10_1016_j_asoc_2022_109027</recordid><sourceformat>XML</sourceformat><sourcesystem>PC</sourcesystem><els_id>S1568494622003374</els_id><sourcerecordid>S1568494622003374</sourcerecordid><originalsourceid>FETCH-LOGICAL-c300t-2d147ae825620e789e90ce2270ab211c6bc83a5daaeacd77ea2e4244d59657233</originalsourceid><addsrcrecordid>eNp9kFFLwzAQx4MoOKdfwKd8gc7k2iap-CLTqTAQRJ_DLb1KRreOJCvu29tSn3264_j_jrsfY7dSLKSQ6m67wNi5BQiAYVAJ0GdsJo2GrFJGng99qUxWVIW6ZFcxbsUAVWBm7GNFmI6Bssa3icI9f6JELvn9N8e6pxAxeGw5_eDu0FLkmxOfkmOiOyYeyFGMvifeTJviNbtosI1081fn7Gv1_Ll8zdbvL2_Lx3XmciFSBrUsNJKBUoEgbSqqhCMALXADUjq1cSbHskYkdLXWhEAFFEVdVqrUkOdzBtNeF7oYAzX2EPwOw8lKYUcrdmtHK3a0YicrA_QwQTRc1nsKNjpPe0e1Hz5Jtu78f_gvuj1sgA</addsrcrecordid><sourcetype>Aggregation Database</sourcetype><iscdi>true</iscdi><recordtype>article</recordtype></control><display><type>article</type><title>Feature-filter: Detecting adversarial examples by filtering out recessive features</title><source>Elsevier</source><creator>Liu, Hui ; Zhao, Bo ; Ji, Minzhi ; Peng, Yuefeng ; Guo, Jiabao ; Liu, Peng</creator><creatorcontrib>Liu, Hui ; Zhao, Bo ; Ji, Minzhi ; Peng, Yuefeng ; Guo, Jiabao ; Liu, Peng</creatorcontrib><description>Deep neural networks (DNNs) have achieved state-of-the-art performance in numerous tasks involving complex analysis of raw data, such as self-driving systems and biometric recognition systems. However, recent works have shown that DNNs are under threat from adversarial example attacks. The adversary can easily change the outputs of DNNs by adding small well-designed perturbations to inputs. Adversarial example detection is fundamental for robust DNN-based services. From a human-centric perspective, this paper divides image features into dominant features comprehensible to humans and recessive features incomprehensible to humans yet exploited by DNNs. Based on this perspective, the paper proposes a new viewpoint that imperceptible adversarial examples are the product of recessive features misleading neural networks, and that the adversarial attack enriches these recessive features. The imperceptibility of the adversarial examples indicates that the perturbations enrich recessive features but hardly affect dominant features. Therefore, adversarial examples are sensitive to filtering out recessive features, while benign examples are immune to such operations. Inspired by this idea, we propose a label-only adversarial detector that is referred to as a feature-filter. The feature-filter utilizes the discrete cosine transform (DCT) to approximately separate recessive features from dominant features and obtain a filtered image. A comprehensive user study demonstrates that the DCT-based filter can reliably filter out recessive features from the test image. By comparing only the DNN’s prediction labels on the input and its filtered version, the feature-filter can detect imperceptible adversarial examples in real time with high accuracy and few false-positives. •We reveal the reason for the existence of imperceptible adversarial examples.•We propose a label-only approach to detect imperceptible adversarial examples.•We design a DCT-based filter to reliably filter out recessive features.</description><identifier>ISSN: 1568-4946</identifier><identifier>EISSN: 1872-9681</identifier><identifier>DOI: 10.1016/j.asoc.2022.109027</identifier><language>eng</language><publisher>Elsevier B.V</publisher><subject>Adversarial example ; Deep neural networks ; Discrete cosine transform ; Dominant features ; Recessive features</subject><ispartof>Applied soft computing, 2022-07, Vol.124, p.109027, Article 109027</ispartof><rights>2022 Elsevier B.V.</rights><lds50>peer_reviewed</lds50><woscitedreferencessubscribed>false</woscitedreferencessubscribed><citedby>FETCH-LOGICAL-c300t-2d147ae825620e789e90ce2270ab211c6bc83a5daaeacd77ea2e4244d59657233</citedby><cites>FETCH-LOGICAL-c300t-2d147ae825620e789e90ce2270ab211c6bc83a5daaeacd77ea2e4244d59657233</cites><orcidid>0000-0003-4307-9380 ; 0000-0003-1345-5736</orcidid></display><links><openurl>$$Topenurl_article</openurl><openurlfulltext>$$Topenurlfull_article</openurlfulltext><thumbnail>$$Tsyndetics_thumb_exl</thumbnail><link.rule.ids>314,780,784,27924,27925</link.rule.ids></links><search><creatorcontrib>Liu, Hui</creatorcontrib><creatorcontrib>Zhao, Bo</creatorcontrib><creatorcontrib>Ji, Minzhi</creatorcontrib><creatorcontrib>Peng, Yuefeng</creatorcontrib><creatorcontrib>Guo, Jiabao</creatorcontrib><creatorcontrib>Liu, Peng</creatorcontrib><title>Feature-filter: Detecting adversarial examples by filtering out recessive features</title><title>Applied soft computing</title><description>Deep neural networks (DNNs) have achieved state-of-the-art performance in numerous tasks involving complex analysis of raw data, such as self-driving systems and biometric recognition systems. However, recent works have shown that DNNs are under threat from adversarial example attacks. The adversary can easily change the outputs of DNNs by adding small well-designed perturbations to inputs. Adversarial example detection is fundamental for robust DNN-based services. From a human-centric perspective, this paper divides image features into dominant features comprehensible to humans and recessive features incomprehensible to humans yet exploited by DNNs. Based on this perspective, the paper proposes a new viewpoint that imperceptible adversarial examples are the product of recessive features misleading neural networks, and that the adversarial attack enriches these recessive features. The imperceptibility of the adversarial examples indicates that the perturbations enrich recessive features but hardly affect dominant features. Therefore, adversarial examples are sensitive to filtering out recessive features, while benign examples are immune to such operations. Inspired by this idea, we propose a label-only adversarial detector that is referred to as a feature-filter. The feature-filter utilizes the discrete cosine transform (DCT) to approximately separate recessive features from dominant features and obtain a filtered image. A comprehensive user study demonstrates that the DCT-based filter can reliably filter out recessive features from the test image. By comparing only the DNN’s prediction labels on the input and its filtered version, the feature-filter can detect imperceptible adversarial examples in real time with high accuracy and few false-positives. •We reveal the reason for the existence of imperceptible adversarial examples.•We propose a label-only approach to detect imperceptible adversarial examples.•We design a DCT-based filter to reliably filter out recessive features.</description><subject>Adversarial example</subject><subject>Deep neural networks</subject><subject>Discrete cosine transform</subject><subject>Dominant features</subject><subject>Recessive features</subject><issn>1568-4946</issn><issn>1872-9681</issn><fulltext>true</fulltext><rsrctype>article</rsrctype><creationdate>2022</creationdate><recordtype>article</recordtype><recordid>eNp9kFFLwzAQx4MoOKdfwKd8gc7k2iap-CLTqTAQRJ_DLb1KRreOJCvu29tSn3264_j_jrsfY7dSLKSQ6m67wNi5BQiAYVAJ0GdsJo2GrFJGng99qUxWVIW6ZFcxbsUAVWBm7GNFmI6Bssa3icI9f6JELvn9N8e6pxAxeGw5_eDu0FLkmxOfkmOiOyYeyFGMvifeTJviNbtosI1081fn7Gv1_Ll8zdbvL2_Lx3XmciFSBrUsNJKBUoEgbSqqhCMALXADUjq1cSbHskYkdLXWhEAFFEVdVqrUkOdzBtNeF7oYAzX2EPwOw8lKYUcrdmtHK3a0YicrA_QwQTRc1nsKNjpPe0e1Hz5Jtu78f_gvuj1sgA</recordid><startdate>202207</startdate><enddate>202207</enddate><creator>Liu, Hui</creator><creator>Zhao, Bo</creator><creator>Ji, Minzhi</creator><creator>Peng, Yuefeng</creator><creator>Guo, Jiabao</creator><creator>Liu, Peng</creator><general>Elsevier B.V</general><scope>AAYXX</scope><scope>CITATION</scope><orcidid>https://orcid.org/0000-0003-4307-9380</orcidid><orcidid>https://orcid.org/0000-0003-1345-5736</orcidid></search><sort><creationdate>202207</creationdate><title>Feature-filter: Detecting adversarial examples by filtering out recessive features</title><author>Liu, Hui ; Zhao, Bo ; Ji, Minzhi ; Peng, Yuefeng ; Guo, Jiabao ; Liu, Peng</author></sort><facets><frbrtype>5</frbrtype><frbrgroupid>cdi_FETCH-LOGICAL-c300t-2d147ae825620e789e90ce2270ab211c6bc83a5daaeacd77ea2e4244d59657233</frbrgroupid><rsrctype>articles</rsrctype><prefilter>articles</prefilter><language>eng</language><creationdate>2022</creationdate><topic>Adversarial example</topic><topic>Deep neural networks</topic><topic>Discrete cosine transform</topic><topic>Dominant features</topic><topic>Recessive features</topic><toplevel>peer_reviewed</toplevel><toplevel>online_resources</toplevel><creatorcontrib>Liu, Hui</creatorcontrib><creatorcontrib>Zhao, Bo</creatorcontrib><creatorcontrib>Ji, Minzhi</creatorcontrib><creatorcontrib>Peng, Yuefeng</creatorcontrib><creatorcontrib>Guo, Jiabao</creatorcontrib><creatorcontrib>Liu, Peng</creatorcontrib><collection>CrossRef</collection><jtitle>Applied soft computing</jtitle></facets><delivery><delcategory>Remote Search Resource</delcategory><fulltext>fulltext</fulltext></delivery><addata><au>Liu, Hui</au><au>Zhao, Bo</au><au>Ji, Minzhi</au><au>Peng, Yuefeng</au><au>Guo, Jiabao</au><au>Liu, Peng</au><format>journal</format><genre>article</genre><ristype>JOUR</ristype><atitle>Feature-filter: Detecting adversarial examples by filtering out recessive features</atitle><jtitle>Applied soft computing</jtitle><date>2022-07</date><risdate>2022</risdate><volume>124</volume><spage>109027</spage><pages>109027-</pages><artnum>109027</artnum><issn>1568-4946</issn><eissn>1872-9681</eissn><abstract>Deep neural networks (DNNs) have achieved state-of-the-art performance in numerous tasks involving complex analysis of raw data, such as self-driving systems and biometric recognition systems. However, recent works have shown that DNNs are under threat from adversarial example attacks. The adversary can easily change the outputs of DNNs by adding small well-designed perturbations to inputs. Adversarial example detection is fundamental for robust DNN-based services. From a human-centric perspective, this paper divides image features into dominant features comprehensible to humans and recessive features incomprehensible to humans yet exploited by DNNs. Based on this perspective, the paper proposes a new viewpoint that imperceptible adversarial examples are the product of recessive features misleading neural networks, and that the adversarial attack enriches these recessive features. The imperceptibility of the adversarial examples indicates that the perturbations enrich recessive features but hardly affect dominant features. Therefore, adversarial examples are sensitive to filtering out recessive features, while benign examples are immune to such operations. Inspired by this idea, we propose a label-only adversarial detector that is referred to as a feature-filter. The feature-filter utilizes the discrete cosine transform (DCT) to approximately separate recessive features from dominant features and obtain a filtered image. A comprehensive user study demonstrates that the DCT-based filter can reliably filter out recessive features from the test image. By comparing only the DNN’s prediction labels on the input and its filtered version, the feature-filter can detect imperceptible adversarial examples in real time with high accuracy and few false-positives. •We reveal the reason for the existence of imperceptible adversarial examples.•We propose a label-only approach to detect imperceptible adversarial examples.•We design a DCT-based filter to reliably filter out recessive features.</abstract><pub>Elsevier B.V</pub><doi>10.1016/j.asoc.2022.109027</doi><orcidid>https://orcid.org/0000-0003-4307-9380</orcidid><orcidid>https://orcid.org/0000-0003-1345-5736</orcidid></addata></record>
fulltext fulltext
identifier ISSN: 1568-4946
ispartof Applied soft computing, 2022-07, Vol.124, p.109027, Article 109027
issn 1568-4946
1872-9681
language eng
recordid cdi_crossref_primary_10_1016_j_asoc_2022_109027
source Elsevier
subjects Adversarial example
Deep neural networks
Discrete cosine transform
Dominant features
Recessive features
title Feature-filter: Detecting adversarial examples by filtering out recessive features
url http://sfxeu10.hosted.exlibrisgroup.com/loughborough?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-07T18%3A32%3A18IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-elsevier_cross&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Feature-filter:%20Detecting%20adversarial%20examples%20by%20filtering%20out%20recessive%20features&rft.jtitle=Applied%20soft%20computing&rft.au=Liu,%20Hui&rft.date=2022-07&rft.volume=124&rft.spage=109027&rft.pages=109027-&rft.artnum=109027&rft.issn=1568-4946&rft.eissn=1872-9681&rft_id=info:doi/10.1016/j.asoc.2022.109027&rft_dat=%3Celsevier_cross%3ES1568494622003374%3C/elsevier_cross%3E%3Cgrp_id%3Ecdi_FETCH-LOGICAL-c300t-2d147ae825620e789e90ce2270ab211c6bc83a5daaeacd77ea2e4244d59657233%3C/grp_id%3E%3Coa%3E%3C/oa%3E%3Curl%3E%3C/url%3E&rft_id=info:oai/&rft_id=info:pmid/&rfr_iscdi=true