Loading…
Feature-filter: Detecting adversarial examples by filtering out recessive features
Deep neural networks (DNNs) have achieved state-of-the-art performance in numerous tasks involving complex analysis of raw data, such as self-driving systems and biometric recognition systems. However, recent works have shown that DNNs are under threat from adversarial example attacks. The adversary...
Saved in:
Published in: | Applied soft computing 2022-07, Vol.124, p.109027, Article 109027 |
---|---|
Main Authors: | , , , , , |
Format: | Article |
Language: | English |
Subjects: | |
Citations: | Items that this one cites Items that cite this one |
Online Access: | Get full text |
Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
cited_by | cdi_FETCH-LOGICAL-c300t-2d147ae825620e789e90ce2270ab211c6bc83a5daaeacd77ea2e4244d59657233 |
---|---|
cites | cdi_FETCH-LOGICAL-c300t-2d147ae825620e789e90ce2270ab211c6bc83a5daaeacd77ea2e4244d59657233 |
container_end_page | |
container_issue | |
container_start_page | 109027 |
container_title | Applied soft computing |
container_volume | 124 |
creator | Liu, Hui Zhao, Bo Ji, Minzhi Peng, Yuefeng Guo, Jiabao Liu, Peng |
description | Deep neural networks (DNNs) have achieved state-of-the-art performance in numerous tasks involving complex analysis of raw data, such as self-driving systems and biometric recognition systems. However, recent works have shown that DNNs are under threat from adversarial example attacks. The adversary can easily change the outputs of DNNs by adding small well-designed perturbations to inputs. Adversarial example detection is fundamental for robust DNN-based services. From a human-centric perspective, this paper divides image features into dominant features comprehensible to humans and recessive features incomprehensible to humans yet exploited by DNNs. Based on this perspective, the paper proposes a new viewpoint that imperceptible adversarial examples are the product of recessive features misleading neural networks, and that the adversarial attack enriches these recessive features. The imperceptibility of the adversarial examples indicates that the perturbations enrich recessive features but hardly affect dominant features. Therefore, adversarial examples are sensitive to filtering out recessive features, while benign examples are immune to such operations. Inspired by this idea, we propose a label-only adversarial detector that is referred to as a feature-filter. The feature-filter utilizes the discrete cosine transform (DCT) to approximately separate recessive features from dominant features and obtain a filtered image. A comprehensive user study demonstrates that the DCT-based filter can reliably filter out recessive features from the test image. By comparing only the DNN’s prediction labels on the input and its filtered version, the feature-filter can detect imperceptible adversarial examples in real time with high accuracy and few false-positives.
•We reveal the reason for the existence of imperceptible adversarial examples.•We propose a label-only approach to detect imperceptible adversarial examples.•We design a DCT-based filter to reliably filter out recessive features. |
doi_str_mv | 10.1016/j.asoc.2022.109027 |
format | article |
fullrecord | <record><control><sourceid>elsevier_cross</sourceid><recordid>TN_cdi_crossref_primary_10_1016_j_asoc_2022_109027</recordid><sourceformat>XML</sourceformat><sourcesystem>PC</sourcesystem><els_id>S1568494622003374</els_id><sourcerecordid>S1568494622003374</sourcerecordid><originalsourceid>FETCH-LOGICAL-c300t-2d147ae825620e789e90ce2270ab211c6bc83a5daaeacd77ea2e4244d59657233</originalsourceid><addsrcrecordid>eNp9kFFLwzAQx4MoOKdfwKd8gc7k2iap-CLTqTAQRJ_DLb1KRreOJCvu29tSn3264_j_jrsfY7dSLKSQ6m67wNi5BQiAYVAJ0GdsJo2GrFJGng99qUxWVIW6ZFcxbsUAVWBm7GNFmI6Bssa3icI9f6JELvn9N8e6pxAxeGw5_eDu0FLkmxOfkmOiOyYeyFGMvifeTJviNbtosI1081fn7Gv1_Ll8zdbvL2_Lx3XmciFSBrUsNJKBUoEgbSqqhCMALXADUjq1cSbHskYkdLXWhEAFFEVdVqrUkOdzBtNeF7oYAzX2EPwOw8lKYUcrdmtHK3a0YicrA_QwQTRc1nsKNjpPe0e1Hz5Jtu78f_gvuj1sgA</addsrcrecordid><sourcetype>Aggregation Database</sourcetype><iscdi>true</iscdi><recordtype>article</recordtype></control><display><type>article</type><title>Feature-filter: Detecting adversarial examples by filtering out recessive features</title><source>Elsevier</source><creator>Liu, Hui ; Zhao, Bo ; Ji, Minzhi ; Peng, Yuefeng ; Guo, Jiabao ; Liu, Peng</creator><creatorcontrib>Liu, Hui ; Zhao, Bo ; Ji, Minzhi ; Peng, Yuefeng ; Guo, Jiabao ; Liu, Peng</creatorcontrib><description>Deep neural networks (DNNs) have achieved state-of-the-art performance in numerous tasks involving complex analysis of raw data, such as self-driving systems and biometric recognition systems. However, recent works have shown that DNNs are under threat from adversarial example attacks. The adversary can easily change the outputs of DNNs by adding small well-designed perturbations to inputs. Adversarial example detection is fundamental for robust DNN-based services. From a human-centric perspective, this paper divides image features into dominant features comprehensible to humans and recessive features incomprehensible to humans yet exploited by DNNs. Based on this perspective, the paper proposes a new viewpoint that imperceptible adversarial examples are the product of recessive features misleading neural networks, and that the adversarial attack enriches these recessive features. The imperceptibility of the adversarial examples indicates that the perturbations enrich recessive features but hardly affect dominant features. Therefore, adversarial examples are sensitive to filtering out recessive features, while benign examples are immune to such operations. Inspired by this idea, we propose a label-only adversarial detector that is referred to as a feature-filter. The feature-filter utilizes the discrete cosine transform (DCT) to approximately separate recessive features from dominant features and obtain a filtered image. A comprehensive user study demonstrates that the DCT-based filter can reliably filter out recessive features from the test image. By comparing only the DNN’s prediction labels on the input and its filtered version, the feature-filter can detect imperceptible adversarial examples in real time with high accuracy and few false-positives.
•We reveal the reason for the existence of imperceptible adversarial examples.•We propose a label-only approach to detect imperceptible adversarial examples.•We design a DCT-based filter to reliably filter out recessive features.</description><identifier>ISSN: 1568-4946</identifier><identifier>EISSN: 1872-9681</identifier><identifier>DOI: 10.1016/j.asoc.2022.109027</identifier><language>eng</language><publisher>Elsevier B.V</publisher><subject>Adversarial example ; Deep neural networks ; Discrete cosine transform ; Dominant features ; Recessive features</subject><ispartof>Applied soft computing, 2022-07, Vol.124, p.109027, Article 109027</ispartof><rights>2022 Elsevier B.V.</rights><lds50>peer_reviewed</lds50><woscitedreferencessubscribed>false</woscitedreferencessubscribed><citedby>FETCH-LOGICAL-c300t-2d147ae825620e789e90ce2270ab211c6bc83a5daaeacd77ea2e4244d59657233</citedby><cites>FETCH-LOGICAL-c300t-2d147ae825620e789e90ce2270ab211c6bc83a5daaeacd77ea2e4244d59657233</cites><orcidid>0000-0003-4307-9380 ; 0000-0003-1345-5736</orcidid></display><links><openurl>$$Topenurl_article</openurl><openurlfulltext>$$Topenurlfull_article</openurlfulltext><thumbnail>$$Tsyndetics_thumb_exl</thumbnail><link.rule.ids>314,780,784,27924,27925</link.rule.ids></links><search><creatorcontrib>Liu, Hui</creatorcontrib><creatorcontrib>Zhao, Bo</creatorcontrib><creatorcontrib>Ji, Minzhi</creatorcontrib><creatorcontrib>Peng, Yuefeng</creatorcontrib><creatorcontrib>Guo, Jiabao</creatorcontrib><creatorcontrib>Liu, Peng</creatorcontrib><title>Feature-filter: Detecting adversarial examples by filtering out recessive features</title><title>Applied soft computing</title><description>Deep neural networks (DNNs) have achieved state-of-the-art performance in numerous tasks involving complex analysis of raw data, such as self-driving systems and biometric recognition systems. However, recent works have shown that DNNs are under threat from adversarial example attacks. The adversary can easily change the outputs of DNNs by adding small well-designed perturbations to inputs. Adversarial example detection is fundamental for robust DNN-based services. From a human-centric perspective, this paper divides image features into dominant features comprehensible to humans and recessive features incomprehensible to humans yet exploited by DNNs. Based on this perspective, the paper proposes a new viewpoint that imperceptible adversarial examples are the product of recessive features misleading neural networks, and that the adversarial attack enriches these recessive features. The imperceptibility of the adversarial examples indicates that the perturbations enrich recessive features but hardly affect dominant features. Therefore, adversarial examples are sensitive to filtering out recessive features, while benign examples are immune to such operations. Inspired by this idea, we propose a label-only adversarial detector that is referred to as a feature-filter. The feature-filter utilizes the discrete cosine transform (DCT) to approximately separate recessive features from dominant features and obtain a filtered image. A comprehensive user study demonstrates that the DCT-based filter can reliably filter out recessive features from the test image. By comparing only the DNN’s prediction labels on the input and its filtered version, the feature-filter can detect imperceptible adversarial examples in real time with high accuracy and few false-positives.
•We reveal the reason for the existence of imperceptible adversarial examples.•We propose a label-only approach to detect imperceptible adversarial examples.•We design a DCT-based filter to reliably filter out recessive features.</description><subject>Adversarial example</subject><subject>Deep neural networks</subject><subject>Discrete cosine transform</subject><subject>Dominant features</subject><subject>Recessive features</subject><issn>1568-4946</issn><issn>1872-9681</issn><fulltext>true</fulltext><rsrctype>article</rsrctype><creationdate>2022</creationdate><recordtype>article</recordtype><recordid>eNp9kFFLwzAQx4MoOKdfwKd8gc7k2iap-CLTqTAQRJ_DLb1KRreOJCvu29tSn3264_j_jrsfY7dSLKSQ6m67wNi5BQiAYVAJ0GdsJo2GrFJGng99qUxWVIW6ZFcxbsUAVWBm7GNFmI6Bssa3icI9f6JELvn9N8e6pxAxeGw5_eDu0FLkmxOfkmOiOyYeyFGMvifeTJviNbtosI1081fn7Gv1_Ll8zdbvL2_Lx3XmciFSBrUsNJKBUoEgbSqqhCMALXADUjq1cSbHskYkdLXWhEAFFEVdVqrUkOdzBtNeF7oYAzX2EPwOw8lKYUcrdmtHK3a0YicrA_QwQTRc1nsKNjpPe0e1Hz5Jtu78f_gvuj1sgA</recordid><startdate>202207</startdate><enddate>202207</enddate><creator>Liu, Hui</creator><creator>Zhao, Bo</creator><creator>Ji, Minzhi</creator><creator>Peng, Yuefeng</creator><creator>Guo, Jiabao</creator><creator>Liu, Peng</creator><general>Elsevier B.V</general><scope>AAYXX</scope><scope>CITATION</scope><orcidid>https://orcid.org/0000-0003-4307-9380</orcidid><orcidid>https://orcid.org/0000-0003-1345-5736</orcidid></search><sort><creationdate>202207</creationdate><title>Feature-filter: Detecting adversarial examples by filtering out recessive features</title><author>Liu, Hui ; Zhao, Bo ; Ji, Minzhi ; Peng, Yuefeng ; Guo, Jiabao ; Liu, Peng</author></sort><facets><frbrtype>5</frbrtype><frbrgroupid>cdi_FETCH-LOGICAL-c300t-2d147ae825620e789e90ce2270ab211c6bc83a5daaeacd77ea2e4244d59657233</frbrgroupid><rsrctype>articles</rsrctype><prefilter>articles</prefilter><language>eng</language><creationdate>2022</creationdate><topic>Adversarial example</topic><topic>Deep neural networks</topic><topic>Discrete cosine transform</topic><topic>Dominant features</topic><topic>Recessive features</topic><toplevel>peer_reviewed</toplevel><toplevel>online_resources</toplevel><creatorcontrib>Liu, Hui</creatorcontrib><creatorcontrib>Zhao, Bo</creatorcontrib><creatorcontrib>Ji, Minzhi</creatorcontrib><creatorcontrib>Peng, Yuefeng</creatorcontrib><creatorcontrib>Guo, Jiabao</creatorcontrib><creatorcontrib>Liu, Peng</creatorcontrib><collection>CrossRef</collection><jtitle>Applied soft computing</jtitle></facets><delivery><delcategory>Remote Search Resource</delcategory><fulltext>fulltext</fulltext></delivery><addata><au>Liu, Hui</au><au>Zhao, Bo</au><au>Ji, Minzhi</au><au>Peng, Yuefeng</au><au>Guo, Jiabao</au><au>Liu, Peng</au><format>journal</format><genre>article</genre><ristype>JOUR</ristype><atitle>Feature-filter: Detecting adversarial examples by filtering out recessive features</atitle><jtitle>Applied soft computing</jtitle><date>2022-07</date><risdate>2022</risdate><volume>124</volume><spage>109027</spage><pages>109027-</pages><artnum>109027</artnum><issn>1568-4946</issn><eissn>1872-9681</eissn><abstract>Deep neural networks (DNNs) have achieved state-of-the-art performance in numerous tasks involving complex analysis of raw data, such as self-driving systems and biometric recognition systems. However, recent works have shown that DNNs are under threat from adversarial example attacks. The adversary can easily change the outputs of DNNs by adding small well-designed perturbations to inputs. Adversarial example detection is fundamental for robust DNN-based services. From a human-centric perspective, this paper divides image features into dominant features comprehensible to humans and recessive features incomprehensible to humans yet exploited by DNNs. Based on this perspective, the paper proposes a new viewpoint that imperceptible adversarial examples are the product of recessive features misleading neural networks, and that the adversarial attack enriches these recessive features. The imperceptibility of the adversarial examples indicates that the perturbations enrich recessive features but hardly affect dominant features. Therefore, adversarial examples are sensitive to filtering out recessive features, while benign examples are immune to such operations. Inspired by this idea, we propose a label-only adversarial detector that is referred to as a feature-filter. The feature-filter utilizes the discrete cosine transform (DCT) to approximately separate recessive features from dominant features and obtain a filtered image. A comprehensive user study demonstrates that the DCT-based filter can reliably filter out recessive features from the test image. By comparing only the DNN’s prediction labels on the input and its filtered version, the feature-filter can detect imperceptible adversarial examples in real time with high accuracy and few false-positives.
•We reveal the reason for the existence of imperceptible adversarial examples.•We propose a label-only approach to detect imperceptible adversarial examples.•We design a DCT-based filter to reliably filter out recessive features.</abstract><pub>Elsevier B.V</pub><doi>10.1016/j.asoc.2022.109027</doi><orcidid>https://orcid.org/0000-0003-4307-9380</orcidid><orcidid>https://orcid.org/0000-0003-1345-5736</orcidid></addata></record> |
fulltext | fulltext |
identifier | ISSN: 1568-4946 |
ispartof | Applied soft computing, 2022-07, Vol.124, p.109027, Article 109027 |
issn | 1568-4946 1872-9681 |
language | eng |
recordid | cdi_crossref_primary_10_1016_j_asoc_2022_109027 |
source | Elsevier |
subjects | Adversarial example Deep neural networks Discrete cosine transform Dominant features Recessive features |
title | Feature-filter: Detecting adversarial examples by filtering out recessive features |
url | http://sfxeu10.hosted.exlibrisgroup.com/loughborough?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-07T18%3A32%3A18IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-elsevier_cross&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Feature-filter:%20Detecting%20adversarial%20examples%20by%20filtering%20out%20recessive%20features&rft.jtitle=Applied%20soft%20computing&rft.au=Liu,%20Hui&rft.date=2022-07&rft.volume=124&rft.spage=109027&rft.pages=109027-&rft.artnum=109027&rft.issn=1568-4946&rft.eissn=1872-9681&rft_id=info:doi/10.1016/j.asoc.2022.109027&rft_dat=%3Celsevier_cross%3ES1568494622003374%3C/elsevier_cross%3E%3Cgrp_id%3Ecdi_FETCH-LOGICAL-c300t-2d147ae825620e789e90ce2270ab211c6bc83a5daaeacd77ea2e4244d59657233%3C/grp_id%3E%3Coa%3E%3C/oa%3E%3Curl%3E%3C/url%3E&rft_id=info:oai/&rft_id=info:pmid/&rfr_iscdi=true |