TL;DR
SpectralDefense introduces Fourier domain analysis of images and feature maps to effectively detect adversarial attacks on CNNs, significantly improving detection rates over existing methods.
Contribution
The paper presents two novel Fourier-based detection methods for adversarial attacks, enhancing detection accuracy and robustness in CNNs.
Findings
Successfully detects adversarial attacks using Fourier magnitude spectrum.
Improved detection rates by incorporating phase information of feature maps.
Effective against multiple common attack methods.
Abstract
Despite the success of convolutional neural networks (CNNs) in many computer vision and image analysis tasks, they remain vulnerable against so-called adversarial attacks: Small, crafted perturbations in the input images can lead to false predictions. A possible defense is to detect adversarial examples. In this work, we show how analysis in the Fourier domain of input images and feature maps can be used to distinguish benign test samples from adversarial images. We propose two novel detection methods: Our first method employs the magnitude spectrum of the input images to detect an adversarial attack. This simple and robust classifier can successfully detect adversarial perturbations of three commonly used attack methods. The second method builds upon the first and additionally extracts the phase of Fourier coefficients of feature-maps at different layers of the network. With this…
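The first method described in the abstract, classifying inputs by their Fourier magnitude spectrum, sketched as an added example; this is not the paper's code. Assumptions: the images are constructed smooth patterns, the "attack" is a constructed sign-noise stand-in of size EPS rather than a real attack, and a nearest-centroid rule stands in for the classifier, which the abstract does not specify.

```python
import numpy as np

N = 32            # image side length (constructed grayscale images)
EPS = 8 / 255     # assumed L-inf perturbation budget

def benign_image(rng):
    """Constructed smooth image: a few low-frequency cosines plus mild sensor noise."""
    y, x = np.mgrid[0:N, 0:N]
    img = np.full((N, N), 0.5)
    for _ in range(4):
        u, v = rng.integers(0, 4, size=2)
        amp, phase = rng.uniform(0.02, 0.1), rng.uniform(0, 2 * np.pi)
        img += amp * np.cos(2 * np.pi * (u * x + v * y) / N + phase)
    return img + rng.normal(0, 0.005, (N, N))

def perturb(img, rng):
    """Constructed stand-in for an adversarial perturbation: +/-EPS per pixel."""
    return img + EPS * rng.choice([-1.0, 1.0], size=img.shape)

def magnitude_features(img):
    """Log-scaled 2D Fourier magnitude spectrum, flattened to a feature vector."""
    return np.log1p(np.abs(np.fft.fft2(img))).ravel()

def make_set(n, rng):
    """n benign images and their n perturbed counterparts, labels 0 and 1."""
    clean = [benign_image(rng) for _ in range(n)]
    X = [magnitude_features(c) for c in clean]
    X += [magnitude_features(perturb(c, rng)) for c in clean]
    return np.array(X), np.array([0] * n + [1] * n)

def fit_centroids(X, y):
    """Assumed classifier: one mean spectrum per class."""
    return np.stack([X[y == 0].mean(axis=0), X[y == 1].mean(axis=0)])

def predict(centroids, X):
    """Label each row of X with the class of the nearest centroid."""
    d = ((X[:, None, :] - centroids[None, :, :]) ** 2).sum(axis=2)
    return d.argmin(axis=1)

def run_demo(seed=0):
    """Train on 100 pairs, return detection accuracy on 50 held-out pairs."""
    rng = np.random.default_rng(seed)
    X_train, y_train = make_set(100, rng)
    X_test, y_test = make_set(50, rng)
    centroids = fit_centroids(X_train, y_train)
    return float((predict(centroids, X_test) == y_test).mean())

if __name__ == "__main__":
    print(f"held-out detection accuracy: {run_demo():.2f}")
```

The separation here comes from the perturbation raising the magnitude of the high-frequency coefficients, which are near zero for the smooth constructed images; natural images and real attacks are less cleanly separated than this toy data.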
