Towards A Conceptually Simple Defensive Approach for Few-shot classifiers Against Adversarial Support Samples
Yi Xiang Marcus Tan, Penny Chong, Jiamei Sun, Ngai-man Cheung, Yuval Elovici, Alexander Binder

TL;DR
This paper introduces a simple, attack-agnostic detection method for few-shot classifiers to identify adversarial support sets, demonstrating effectiveness across datasets, classifiers, and attack strengths, and highlighting its generalizability.
Contribution
The work proposes a novel, conceptually simple detection approach based on self-similarity for defending few-shot classifiers against support set poisoning attacks.
Findings
Effective detection of adversarial support sets on miniImagenet and CUB datasets.
Outperforms baseline methods across multiple classifiers and attack strengths.
Demonstrates the generalizability of the detection approach with different filtering functions.
Abstract
Few-shot classifiers have been shown to exhibit promising results in use cases where user-provided labels are scarce. These models are able to learn to predict novel classes simply by training on a non-overlapping set of classes. This can be largely attributed to the differences in their mechanisms as compared to conventional deep networks. However, this also offers new opportunities for novel attackers to induce integrity attacks against such models, which are not present in other machine learning setups. In this work, we aim to close this gap by studying a conceptually simple approach to defend few-shot classifiers against adversarial attacks. More specifically, we propose a simple attack-agnostic detection method, using the concept of self-similarity and filtering, to flag out adversarial support sets which destroy the understanding of a victim classifier for a certain class. Our…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications · Domain Adaptation and Few-Shot Learning
