Attack Agnostic Statistical Method for Adversarial Detection

TL;DR

This paper introduces a statistical method for detecting adversarial inputs in image classification by comparing feature distributions, demonstrating effectiveness across multiple datasets and attack types.

Contribution

A novel, attack-agnostic statistical approach for adversarial detection that utilizes feature distribution comparison with various statistical distances.

Findings

Effective detection on MNIST and CIFAR-10 datasets

Performance is robust across different attack methods and perturbation levels

Uses statistical distances like ED and MMD for detection

Abstract

Deep Learning based AI systems have shown great promise in various domains such as vision, audio, autonomous systems (vehicles, drones), etc. Recent research on neural networks has shown the susceptibility of deep networks to adversarial attacks - a technique of adding small perturbations to the inputs which can fool a deep network into misclassifying them. Developing defenses against such adversarial attacks is an active research area, with some approaches proposing robust models that are immune to such adversaries, while other techniques attempt to detect such adversarial inputs. In this paper, we present a novel statistical approach for adversarial detection in image classification. Our approach is based on constructing a per-class feature distribution and detecting adversaries based on comparison of features of a test image with the feature distribution of its class. For this purpose, we make use of various statistical distances such as ED (Energy Distance), MMD (Maximum Mean Discrepancy) for adversarial detection, and analyze the performance of each metric. We experimentally show that our approach achieves good adversarial detection performance on MNIST and CIFAR-10 datasets irrespective of the attack method, sample size and the degree of adversarial perturbation.