ODDR: Outlier Detection & Dimension Reduction Based Defense Against Adversarial Patches

TL;DR

ODDR is a versatile, three-stage defense method that detects and neutralizes patch-based adversarial attacks in images by identifying outliers and reducing their impact, significantly improving model robustness across tasks.

Contribution

This paper introduces ODDR, a novel, model-agnostic framework combining outlier detection and dimension reduction to defend against patch-based adversarial attacks.

Findings

ODDR improves accuracy from 39.26% to 79.1% under attack.

Outperforms state-of-the-art defenses like LGS, Jujutsu, and Jedi.

Effective across various tasks and architectures.

Abstract

Adversarial attacks present a significant challenge to the dependable deployment of machine learning models, with patch-based attacks being particularly potent. These attacks introduce adversarial perturbations in localized regions of an image, deceiving even well-trained models. In this paper, we propose Outlier Detection and Dimension Reduction (ODDR), a comprehensive defense strategy engineered to counteract patch-based adversarial attacks through advanced statistical methodologies. Our approach is based on the observation that input features corresponding to adversarial patches-whether naturalistic or synthetic-deviate from the intrinsic distribution of the remaining image data and can thus be identified as outliers. ODDR operates through a robust three-stage pipeline: Fragmentation, Segregation, and Neutralization. This model-agnostic framework is versatile, offering protection across various tasks, including image classification, object detection, and depth estimation, and is proved effective in both CNN-based and Transformer-based architectures. In the Fragmentation stage, image samples are divided into smaller segments, preparing them for the Segregation stage, where advanced outlier detection techniques isolate anomalous features linked to adversarial perturbations. The Neutralization stage then applies dimension reduction techniques to these outliers, effectively neutralizing the adversarial impact while preserving critical information for the machine learning task. Extensive evaluation on benchmark datasets against state-of-the-art adversarial patches underscores the efficacy of ODDR. Our method enhances model accuracy from 39.26% to 79.1% under the GoogleAp attack, outperforming leading defenses such as LGS (53.86%), Jujutsu (60%), and Jedi (64.34%).