Defending From Physically-Realizable Adversarial Attacks Through Internal Over-Activation Analysis

TL;DR

This paper introduces Z-Mask, a novel defense mechanism that enhances convolutional networks' robustness against physically-realizable adversarial attacks by analyzing internal features to detect and mask adversarial regions.

Contribution

The paper proposes Z-Mask, a new internal feature analysis method that effectively detects and mitigates physically-realizable adversarial attacks in convolutional networks.

Findings

Z-Mask outperforms state-of-the-art methods in detection accuracy.

It improves overall network performance under attack.

It remains robust against defense-aware adversarial strategies.

Abstract

This work presents Z-Mask, a robust and effective strategy to improve the adversarial robustness of convolutional networks against physically-realizable adversarial attacks. The presented defense relies on specific Z-score analysis performed on the internal network features to detect and mask the pixels corresponding to adversarial objects in the input image. To this end, spatially contiguous activations are examined in shallow and deep layers to suggest potential adversarial regions. Such proposals are then aggregated through a multi-thresholding mechanism. The effectiveness of Z-Mask is evaluated with an extensive set of experiments carried out on models for both semantic segmentation and object detection. The evaluation is performed with both digital patches added to the input images and printed patches positioned in the real world. The obtained results confirm that Z-Mask outperforms the state-of-the-art methods in terms of both detection accuracy and overall performance of the networks under attack. Additional experiments showed that Z-Mask is also robust against possible defense-aware attacks.