Prediction Inconsistency Helps Achieve Generalizable Detection of Adversarial Examples

TL;DR

This paper introduces Prediction Inconsistency Detector (PID), a novel, lightweight framework that leverages prediction differences between models to robustly detect adversarial examples across various training strategies and attack settings.

Contribution

The paper proposes PID, a generalizable detection method based on prediction inconsistency, which outperforms existing approaches on multiple datasets and attack scenarios.

Findings

PID achieves over 99% AUC on CIFAR-10 with both training types.

PID outperforms state-of-the-art methods by up to 25% in AUC.

Effective across white-box, black-box, and mixed attacks.

Abstract

Adversarial detection protects models from adversarial attacks by refusing suspicious test samples. However, current detection methods often suffer from weak generalization: their effectiveness tends to degrade significantly when applied to adversarially trained models rather than naturally trained ones, and they generally struggle to achieve consistent effectiveness across both white-box and black-box attack settings. In this work, we observe that an auxiliary model, differing from the primary model in training strategy or model architecture, tends to assign low confidence to the primary model's predictions on adversarial examples (AEs), while preserving high confidence on normal examples (NEs). Based on this discovery, we propose Prediction Inconsistency Detector (PID), a lightweight and generalizable detection framework to distinguish AEs from NEs by capturing the prediction inconsistency between the primal and auxiliary models. PID is compatible with both naturally and adversarially trained primal models and outperforms four detection methods across 3 white-box, 3 black-box, and 1 mixed adversarial attacks. Specifically, PID achieves average AUC scores of 99.29\% and 99.30\% on CIFAR-10 when the primal model is naturally and adversarially trained, respectively, and 98.31% and 96.81% on ImageNet under the same conditions, outperforming existing SOTAs by 4.70%$\sim$25.46%.