Protego: Detecting Adversarial Examples for Vision Transformers via Intrinsic Capabilities

TL;DR

Protego is a detection framework that leverages the intrinsic attention mechanisms of Vision Transformers to effectively identify adversarial examples, achieving high accuracy and outperforming existing methods.

Contribution

We propose Protego, a novel detection method utilizing Vision Transformer's attention capabilities to identify adversarial examples in computer vision tasks.

Findings

Detector's AUC scores exceed 0.95 for six attack methods

Protego outperforms existing adversarial detection methods

High effectiveness demonstrated in experiments

Abstract

Transformer models have excelled in natural language tasks, prompting the vision community to explore their implementation in computer vision problems. However, these models are still influenced by adversarial examples. In this paper, we investigate the attack capabilities of six common adversarial attacks on three pretrained ViT models to reveal the vulnerability of ViT models. To understand and analyse the bias in neural network decisions when the input is adversarial, we use two visualisation techniques that are attention rollout and grad attention rollout. To prevent ViT models from adversarial attack, we propose Protego, a detection framework that leverages the transformer intrinsic capabilities to detection adversarial examples of ViT models. Nonetheless, this is challenging due to a diversity of attack strategies that may be adopted by adversaries. Inspired by the attention mechanism, we know that the token of prediction contains all the information from the input sample. Additionally, the attention region for adversarial examples differs from that of normal examples. Given these points, we can train a detector that achieves superior performance than existing detection methods to identify adversarial examples. Our experiments have demonstrated the high effectiveness of our detection method. For these six adversarial attack methods, our detector's AUC scores all exceed 0.95. Protego may advance investigations in metaverse security.