Adversarially Robust One-class Novelty Detection

TL;DR

This paper introduces PrincipaLS, a novel defense method that manipulates the latent space of deep one-class novelty detectors to improve their robustness against adversarial attacks, outperforming existing defenses.

Contribution

We propose PrincipaLS, a latent space manipulation technique that enhances adversarial robustness of deep novelty detectors specifically designed for one-class novelty detection.

Findings

PrincipaLS significantly improves robustness against eight types of attacks.

It effectively purifies the latent space, maintaining the known class distribution.

Experiments show consistent robustness gains across multiple datasets and models.

Abstract

One-class novelty detectors are trained with examples of a particular class and are tasked with identifying whether a query example belongs to the same known class. Most recent advances adopt a deep auto-encoder style architecture to compute novelty scores for detecting novel class data. Deep networks have shown to be vulnerable to adversarial attacks, yet little focus is devoted to studying the adversarial robustness of deep novelty detectors. In this paper, we first show that existing novelty detectors are susceptible to adversarial examples. We further demonstrate that commonly-used defense approaches for classification tasks have limited effectiveness in one-class novelty detection. Hence, we need a defense specifically designed for novelty detection. To this end, we propose a defense strategy that manipulates the latent space of novelty detectors to improve the robustness against adversarial examples. The proposed method, referred to as Principal Latent Space (PrincipaLS), learns the incrementally-trained cascade principal components in the latent space to robustify novelty detectors. PrincipaLS can purify latent space against adversarial examples and constrain latent space to exclusively model the known class distribution. We conduct extensive experiments on eight attacks, five datasets and seven novelty detectors, showing that PrincipaLS consistently enhances the adversarial robustness of novelty detection models. Code is available at https://github.com/shaoyuanlo/PrincipaLS