AED-PADA:Improving Generalizability of Adversarial Example Detection via Principal Adversarial Domain Adaptation

TL;DR

This paper introduces AED-PADA, a novel adversarial example detection method that leverages principal adversarial domain adaptation to improve generalization across different attack types, especially under minimal perturbation constraints.

Contribution

It proposes identifying principal adversarial domains and applying multi-source unsupervised domain adaptation to enhance detection generalization.

Findings

Outperforms existing methods in generalization to unseen attacks.

Effective under minimal perturbation constraints.

Demonstrates superior robustness in challenging scenarios.

Abstract

Adversarial example detection, which can be conveniently applied in many scenarios, is important in the area of adversarial defense. Unfortunately, existing detection methods suffer from poor generalization performance, because their training process usually relies on the examples generated from a single known adversarial attack and there exists a large discrepancy between the training and unseen testing adversarial examples. To address this issue, we propose a novel method, named Adversarial Example Detection via Principal Adversarial Domain Adaptation (AED-PADA). Specifically, our approach identifies the Principal Adversarial Domains (PADs), i.e., a combination of features of the adversarial examples generated by different attacks, which possesses a large portion of the entire adversarial feature space. Subsequently, we pioneer to exploit Multi-source Unsupervised Domain Adaptation in adversarial example detection, with PADs as the source domains. Experimental results demonstrate the superior generalization ability of our proposed AED-PADA. Note that this superiority is particularly achieved in challenging scenarios characterized by employing the minimal magnitude constraint for the perturbations.