Detecting Adversarial Examples from Sensitivity Inconsistency of Spatial-Transform Domain

TL;DR

This paper introduces a novel adversarial example detection method based on the sensitivity inconsistency between a primal classifier and a dual classifier, improving detection accuracy especially for small perturbations.

Contribution

The paper proposes the Sensitivity Inconsistency Detector (SID), leveraging the sensitivity difference between classifiers with transformed decision boundaries to detect adversarial examples.

Findings

SID outperforms state-of-the-art methods like LID, MD, and FS.

SID shows superior generalization in detecting small perturbation adversarial examples.

Experimental validation on ResNet and VGG demonstrates SID's effectiveness.

Abstract

Deep neural networks (DNNs) have been shown to be vulnerable against adversarial examples (AEs), which are maliciously designed to cause dramatic model output errors. In this work, we reveal that normal examples (NEs) are insensitive to the fluctuations occurring at the highly-curved region of the decision boundary, while AEs typically designed over one single domain (mostly spatial domain) exhibit exorbitant sensitivity on such fluctuations. This phenomenon motivates us to design another classifier (called dual classifier) with transformed decision boundary, which can be collaboratively used with the original classifier (called primal classifier) to detect AEs, by virtue of the sensitivity inconsistency. When comparing with the state-of-the-art algorithms based on Local Intrinsic Dimensionality (LID), Mahalanobis Distance (MD), and Feature Squeezing (FS), our proposed Sensitivity Inconsistency Detector (SID) achieves improved AE detection performance and superior generalization capabilities, especially in the challenging cases where the adversarial perturbation levels are small. Intensive experimental results on ResNet and VGG validate the superiority of the proposed SID.