Spatial-Frequency Discriminability for Revealing Adversarial Perturbations

TL;DR

This paper introduces a novel spatial-frequency discriminative detector using Krawtchouk decomposition to effectively identify adversarial perturbations in deep neural networks, enhancing robustness against adaptive attacks.

Contribution

It proposes a Krawtchouk-based spatial-frequency decomposition method that improves adversarial pattern detection and resists defense-aware attacks, outperforming existing approaches.

Findings

Demonstrates improved detection accuracy on multiple models and datasets.

Shows increased resistance to defense-aware adversarial attacks.

Provides theoretical analysis confirming the detector's effectiveness.

Abstract

The vulnerability of deep neural networks to adversarial perturbations has been widely perceived in the computer vision community. From a security perspective, it poses a critical risk for modern vision systems, e.g., the popular Deep Learning as a Service (DLaaS) frameworks. For protecting deep models while not modifying them, current algorithms typically detect adversarial patterns through discriminative decomposition for natural and adversarial data. However, these decompositions are either biased towards frequency resolution or spatial resolution, thus failing to capture adversarial patterns comprehensively. Also, when the detector relies on few fixed features, it is practical for an adversary to fool the model while evading the detector (i.e., defense-aware attack). Motivated by such facts, we propose a discriminative detector relying on a spatial-frequency Krawtchouk decomposition. It expands the above works from two aspects: 1) the introduced Krawtchouk basis provides better spatial-frequency discriminability, capturing the differences between natural and adversarial data comprehensively in both spatial and frequency distributions, w.r.t. the common trigonometric or wavelet basis; 2) the extensive features formed by the Krawtchouk decomposition allows for adaptive feature selection and secrecy mechanism, significantly increasing the difficulty of the defense-aware attack, w.r.t. the detector with few fixed features. Theoretical and numerical analyses demonstrate the uniqueness and usefulness of our detector, exhibiting competitive scores on several deep models and image sets against a variety of adversarial attacks.