Towards Understanding and Harnessing the Effect of Image Transformation in Adversarial Detection

TL;DR

This paper reviews and advances the use of image transformations for adversarial example detection in deep neural networks, proposing a new DNN-based ensemble method that improves detection robustness and explains transformation contributions.

Contribution

Introduces AdvJudge, a novel DNN-based ensemble method combining multiple image transformations for improved adversarial detection, along with an explainability analysis of transformation contributions.

Findings

Individual transformations are insufficient alone for robust detection.

Combining multiple transformations significantly improves detection rates.

AdvJudge outperforms existing methods against state-of-the-art attacks.

Abstract

Deep neural networks (DNNs) are threatened by adversarial examples. Adversarial detection, which distinguishes adversarial images from benign images, is fundamental for robust DNN-based services. Image transformation is one of the most effective approaches to detect adversarial examples. During the last few years, a variety of image transformations have been studied and discussed to design reliable adversarial detectors. In this paper, we systematically synthesize the recent progress on adversarial detection via image transformations with a novel classification method. Then, we conduct extensive experiments to test the detection performance of image transformations against state-of-the-art adversarial attacks. Furthermore, we reveal that each individual transformation is not capable of detecting adversarial examples in a robust way, and propose a DNN-based approach referred to as \emph{AdvJudge}, which combines scores of 9 image transformations. Without knowing which individual scores are misleading or not misleading, AdvJudge can make the right judgment, and achieve a significant improvement in detection rate. Finally, we utilize an explainable AI tool to show the contribution of each image transformation to adversarial detection. Experimental results show that the contribution of image transformations to adversarial detection is significantly different, the combination of them can significantly improve the generic detection ability against state-of-the-art adversarial attacks.