Learning to Separate Clusters of Adversarial Representations for Robust Adversarial Detection
Byunggill Joe, Jihun Hamm, Sung Ju Hwang, Sooel Son, Insik Shin

TL;DR
This paper introduces a probabilistic adversarial detector that leverages the clustering of non-robust features in representation space to effectively identify adversarial examples, even against adaptive whitebox attacks.
Contribution
It proposes a novel likelihood-based detection method using clustering of non-robust features, enhancing robustness against adaptive adversarial attacks.
Findings
Effective detection of adversarial examples against whitebox attacks.
Utilizes clustering of non-robust features in representation space.
Improves robustness over existing detection methods.
Abstract
Although deep neural networks have shown promising performance on various tasks, they are susceptible to incorrect predictions induced by imperceptibly small perturbations in inputs. A large number of previous works proposed to detect adversarial attacks. Yet, most of them cannot effectively detect them against adaptive whitebox attacks where an adversary has the knowledge of the model and the defense method. In this paper, we propose a new probabilistic adversarial detector motivated by a recently introduced non-robust feature. We consider the non-robust features as a common property of adversarial examples, and we deduce it is possible to find a cluster in representation space corresponding to the property. This idea leads us to estimate the probability distribution of adversarial representations in a separate cluster, and to leverage the distribution for a likelihood-based adversarial…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications · Domain Adaptation and Few-Shot Learning
