Adversarial Pixel and Patch Detection Using Attribution Analysis

Next-generation warfighters will use sensors and deep learning for advanced scene recognition and situational awareness. Adversarial pixel and patch attacks can severely degrade the performance of deep neural networks (DNNs). This poses a critical security threat future combat systems. Detecting adv...

Full description

Saved in:
Bibliographic Details
Main Authors: Walker, Chase, Simon, Dominic, Jha, Sumit Kumar, Ewetz, Rickard
Format: Conference Proceeding
Language:English
Subjects:
Adversarial Robustness
Backpropagation
Explainable Artificial Intelligence
Military communication
Object detection
Perturbation methods
Security
Semantic segmentation
Training
Online Access:Request full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Next-generation warfighters will use sensors and deep learning for advanced scene recognition and situational awareness. Adversarial pixel and patch attacks can severely degrade the performance of deep neural networks (DNNs). This poses a critical security threat future combat systems. Detecting adversarial attacks has been attempted before, but recent advances in explainable artificial intelligence (XAI) have opened the door to better detection methods using attribution analysis. In particular, we observe that benign and attacked images display different characteristics in their attribution maps. Benign images tend to have dense attributions due to the network focusing on the main object of the image, while attacked images tend to have more sparse attributions due to the widespread perturbations applied. Using this intuition, we propose a framework for adversarial attack detection in the form of a binary classifier. Using three methods: Integrated Gradients (IG), Guided Backpropagation (GBP), and Integrated Decision Gradients (IDG), we propose the training of a binary classifier that can analyze an attribution map to detect attacked input data. We evaluate the detection framework for three state-of-the-art attacks with the three attribution analysis methods. We find that IDG achieves state-of-the-art pixel attack detection performance with up to 99% accuracy, and GBP manages state-of-the-art patch detection performance achieving up to 88% accuracy.
ISSN:2155-7586
DOI:10.1109/MILCOM58377.2023.10356375