Attack Agnostic Detection of Adversarial Examples via Random Subspace Analysis
Nathan Drenkow, Neil Fendley, Philippe Burlina

TL;DR
This paper introduces a novel attack-agnostic method for detecting adversarial examples using random subspace analysis, which outperforms existing strategies and requires less calibration data.
Contribution
The paper proposes a new detection technique based on random projections that is attack-agnostic and effective across diverse adversarial strategies.
Findings
Achieves high AUC scores between 0.92 and 0.98
Outperforms competing detection methods significantly
Requires less calibration data than existing approaches
Abstract
Whilst adversarial attack detection has received considerable attention, it remains a fundamentally challenging problem from two perspectives. First, while threat models can be well-defined, attacker strategies may still vary widely within those constraints. Therefore, detection should be considered as an open-set problem, standing in contrast to most current detection approaches. These methods take a closed-set view and train binary detectors, thus biasing detection toward attacks seen during detector training. Second, limited information is available at test time and typically confounded by nuisance factors including the label and underlying content of the image. We address these challenges via a novel strategy based on random subspace analysis. We present a technique that utilizes properties of random projections to characterize the behavior of clean and adversarial examples across a…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications · Forensic and Genetic Research
