Jedi: Entropy-based Localization and Removal of Adversarial Patches

TL;DR

Jedi is a novel entropy-based defense method that accurately localizes and removes adversarial patches in images, effectively protecting models against realistic physical attacks without requiring retraining.

Contribution

Jedi introduces a new entropy analysis approach combined with autoencoder-based patch completion for resilient adversarial patch detection and removal.

Findings

Detects 90% of adversarial patches on average

Recovers up to 94% of attacked images

Outperforms existing defenses like LGS and Jujutsu

Abstract

Real-world adversarial physical patches were shown to be successful in compromising state-of-the-art models in a variety of computer vision applications. Existing defenses that are based on either input gradient or features analysis have been compromised by recent GAN-based attacks that generate naturalistic patches. In this paper, we propose Jedi, a new defense against adversarial patches that is resilient to realistic patch attacks. Jedi tackles the patch localization problem from an information theory perspective; leverages two new ideas: (1) it improves the identification of potential patch regions using entropy analysis: we show that the entropy of adversarial patches is high, even in naturalistic patches; and (2) it improves the localization of adversarial patches, using an autoencoder that is able to complete patch regions from high entropy kernels. Jedi achieves high-precision adversarial patch localization, which we show is critical to successfully repair the images. Since Jedi relies on an input entropy analysis, it is model-agnostic, and can be applied on pre-trained off-the-shelf models without changes to the training or inference of the protected models. Jedi detects on average 90% of adversarial patches across different benchmarks and recovers up to 94% of successful patch attacks (Compared to 75% and 65% for LGS and Jujutsu, respectively).