Dual Graphs of Polyhedral Decompositions for the Detection of Adversarial Attacks
Huma Jamil, Yajing Liu, Christina M. Cole, Nathaniel Blanchard, Emily J. King, Michael Kirby, Christopher Peterson

TL;DR
This paper introduces a novel method using dual graphs of polyhedral decompositions induced by ReLU networks to detect adversarial attacks on digital images, leveraging ReLU activation patterns as discriminators.
Contribution
It proposes a new approach that encodes ReLU activation patterns as bit vectors and uses dual graph structures to identify adversarial images, extending to various architectures and datasets.
Findings
ReLU bit vectors differ between adversarial and non-adversarial images.
Ensemble voting on discriminative ReLU bits improves adversarial detection.
Method generalizes beyond ResNet-50 and ReLU to other models and datasets.
Abstract
Previous work has shown that a neural network with the rectified linear unit (ReLU) activation function leads to a convex polyhedral decomposition of the input space. These decompositions can be represented by a dual graph with vertices corresponding to polyhedra and edges corresponding to polyhedra sharing a facet, which is a subgraph of a Hamming graph. This paper illustrates how one can utilize the dual graph to detect and analyze adversarial attacks in the context of digital images. When an image passes through a network containing ReLU nodes, the firing or non-firing at a node can be encoded as a bit (1 for ReLU activation, 0 for ReLU non-activation). The sequence of all bit activations identifies the image with a bit vector, which identifies it with a polyhedron in the decomposition and, in turn, identifies it with a vertex in the dual graph. We identify ReLU bits that are…
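The bit-vector encoding the abstract describes, worked through on a toy network as an added example that is not the paper's code: the weights, the two groups of inputs and the frequency-difference voting rule are constructed assumptions standing in for the paper's discriminative-bit selection and ensemble vote.

```python
# Added example, not the paper's code: ReLU activation patterns as bit
# vectors, Hamming distance between the polyhedra they name, and a detector
# voting over discriminative bits. Weights and inputs are constructed.
LAYERS = [  # toy net: 2 inputs -> 3 ReLU units -> 2 ReLU units
    ([[1.0, -1.0], [0.5, 1.0], [-1.0, 0.25]], [0.0, -0.5, 0.2]),
    ([[1.0, -1.0, 0.5], [-0.5, 1.0, 1.0]], [0.1, -0.3]),
]

def relu_bits(x):
    """One bit per ReLU unit, layer by layer (1 = fires, 0 = does not)."""
    bits, h = [], list(x)
    for W, b in LAYERS:
        pre = [sum(w * v for w, v in zip(row, h)) + bb for row, bb in zip(W, b)]
        fired = [1 if p > 0 else 0 for p in pre]
        bits.extend(fired)
        h = [p if f else 0.0 for p, f in zip(pre, fired)]
    return tuple(bits)

def hamming(u, v):
    """Hamming-graph distance; 0 = same polyhedron, 1 = polyhedra sharing a facet."""
    return sum(a != b for a, b in zip(u, v))

def same_polyhedron(x, y):
    """The bit vector names the polyhedron, so equal bits mean the same cell."""
    return relu_bits(x) == relu_bits(y)

def fit_detector(clean, adversarial, threshold=0.5):
    """Pick bits whose firing frequency differs between the groups by at least
    `threshold`; return their indices and the clean-majority value of each."""
    n = sum(len(b) for _, b in LAYERS)
    def freq(group):
        pats = [relu_bits(x) for x in group]
        return [sum(p[i] for p in pats) / len(pats) for i in range(n)]
    fc, fa = freq(clean), freq(adversarial)
    idx = [i for i in range(n) if abs(fc[i] - fa[i]) >= threshold]
    return idx, {i: (1 if fc[i] >= 0.5 else 0) for i in idx}

def is_adversarial(x, detector):
    """Ensemble vote (an assumed reading of the paper): each discriminative bit
    votes 'adversarial' when x disagrees with the clean majority; flag on a strict majority."""
    idx, clean_vals = detector
    pat = relu_bits(x)
    votes = sum(pat[i] != clean_vals[i] for i in idx)
    return 2 * votes > len(idx)

# Constructed groups: clean inputs near (1, 0.5), adversarial ones near (0, 1).
CLEAN = [(1.0, 0.5), (1.1, 0.4), (1.01, 0.5)]
ADVERSARIAL = [(0.0, 1.0), (0.1, 0.9), (-0.1, 1.1)]
```

A small perturbation that stays inside the same polyhedron leaves the bit vector unchanged, while inputs from the other group flip the four bits the detector selects; bit 1 fires for both groups and is correctly left out.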
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Integrated Circuits and Semiconductor Failure Analysis · Physical Unclonable Functions (PUFs) and Hardware Security
