A Mimetic Detector for Adversarial Image Perturbations

TL;DR

This paper introduces a training-free, high-order operator-based detector for adversarial image perturbations that effectively distinguishes between clean and adversarial images without retraining or surrogate models.

Contribution

The authors propose a novel, input-only detector using high-order Corbino--Castillo mimetic operators that operates efficiently and does not require retraining or access to the attacked network.

Findings

The detector achieves a separation of 3.55× at order 2 and 4.62× at order 8.

It works in $O(HW)$ time, making it computationally efficient.

Validated on the peppers test image with standard $ ext{l}^ ext{o}$-bounded attacks.

Abstract

Adversarial attacks fool deep image classifiers by adding tiny, almost invisible noise patterns to a clean image. The standard $\ell^\infty$-bounded attacks (FGSM, PGD, and the $\ell^\infty$ variant of Carlini--Wagner) produce high-frequency, near-random sign patterns at the pixel level: nearly invisible in $\ell^2$, but carrying disproportionate gradient energy. We exploit this with a single-shot, training-free detector using the high-order Corbino--Castillo mimetic operators from the open-source MOLE library. No retraining, no surrogate classifier, no access to the network under attack: the verdict is a property of the input alone, computed in $O(HW)$ time. We validate the detector on the standard \texttt{peppers} test image at the canonical $\ell^\infty$ budget $\varepsilon = 16/255$ and observe a clean-vs-adversarial separation that grows monotonically from $3.55\times$ at order $k=2$ to $4.62\times$ at $k=8$.