On Trace of PGD-Like Adversarial Attacks

TL;DR

This paper introduces the ARC feature to detect PGD-like adversarial attacks by analyzing gradient consistency, demonstrating its effectiveness on CIFAR-10 and ImageNet for attack detection and recognition.

Contribution

It proposes a novel, lightweight ARC feature that captures model linearity traces left by PGD-like attacks, aiding in attack detection and classification.

Findings

ARC effectively detects PGD-like attacks

ARC distinguishes attack types with high accuracy

ARC is computationally efficient and easy to implement

Abstract

Adversarial attacks pose safety and security concerns to deep learning applications, but their characteristics are under-explored. Yet largely imperceptible, a strong trace could have been left by PGD-like attacks in an adversarial example. Recall that PGD-like attacks trigger the ``local linearity'' of a network, which implies different extents of linearity for benign or adversarial examples. Inspired by this, we construct an Adversarial Response Characteristics (ARC) feature to reflect the model's gradient consistency around the input to indicate the extent of linearity. Under certain conditions, it qualitatively shows a gradually varying pattern from benign example to adversarial example, as the latter leads to Sequel Attack Effect (SAE). To quantitatively evaluate the effectiveness of ARC, we conduct experiments on CIFAR-10 and ImageNet for attack detection and attack type recognition in a challenging setting. The results suggest that SAE is an effective and unique trace of PGD-like attacks reflected through the ARC feature. The ARC feature is intuitive, light-weighted, non-intrusive, and data-undemanding.