HOLMES: to Detect Adversarial Examples with Multiple Detectors

TL;DR

HOLMES is a lightweight, hierarchical system that detects adversarial examples by analyzing DNN output logits, achieving high accuracy and low false positives across multiple attack types without modifying the original models.

Contribution

The paper introduces HOLMES, a novel external detection system using multiple logit-based detectors, enhancing robustness against unseen adversarial examples without altering DNNs.

Findings

HOLMES achieves higher detection accuracy than single detectors.

HOLMES maintains low false positive rates across various attacks.

HOLMES is compatible with all learning models and external APIs.

Abstract

Deep neural networks (DNNs) can easily be cheated by some imperceptible but purposeful noise added to images, and erroneously classify them. Previous defensive work mostly focused on retraining the models or detecting the noise, but has either shown limited success rates or been attacked by new adversarial examples. Instead of focusing on adversarial images or the interior of DNN models, we observed that adversarial examples generated by different algorithms can be identified based on the output of DNNs (logits). Logit can serve as an exterior feature to train detectors. Then, we propose HOLMES (Hierarchically Organized Light-weight Multiple dEtector System) to reinforce DNNs by detecting potential adversarial examples to minimize the threats they may bring in practical. HOLMES is able to distinguish \textit{unseen} adversarial examples from multiple attacks with high accuracy and low false positive rates than single detector systems even in an adaptive model. To ensure the diversity and randomness of detectors in HOLMES, we use two methods: training dedicated detectors for each label and training detectors with top-k logits. Our effective and inexpensive strategies neither modify original DNN models nor require its internal parameters. HOLMES is not only compatible with all kinds of learning models (even only with external APIs), but also complementary to other defenses to achieve higher detection rates (may also fully protect the system against various adversarial examples).