Detecting adversarial examples by additional evidence from noise domain

Gao, S; Yu, S; Wu, L; Yao, S; Zhou, X

Detecting adversarial examples by additional evidence from noise domain

Gao, S Yu, S

Wu, L Yao, S Zhou, X

Permalink

Publisher:: WILEY
Publication Type:: Journal Article
Citation:: IET Image Processing, 2022, 16, (2), pp. 378-392
Issue Date:: 2022-02-01

Open Access

Copyright Clearance Process

Recently Added
In Progress
Open Access

This item is open access.

Adobe PDF

Download Published versionAdobe PDF (2.38 MB)

View on publisher's site

View statistics

Full metadata record

Field	Value	Language
dc.contributor.author	Gao, S
dc.contributor.author	Yu, S https://orcid.org/0000-0003-4485-6743
dc.contributor.author	Wu, L
dc.contributor.author	Yao, S
dc.contributor.author	Zhou, X
dc.date.accessioned	2023-01-24T03:32:56Z
dc.date.available	2023-01-24T03:32:56Z
dc.date.issued	2022-02-01
dc.identifier.citation	IET Image Processing, 2022, 16, (2), pp. 378-392
dc.identifier.issn	1751-9659
dc.identifier.issn	1751-9667
dc.identifier.uri	http://hdl.handle.net/10453/165393
dc.description.abstract	Deep neural networks are widely adopted powerful tools for perceptual tasks. However, recent research indicated that they are easily fooled by adversarial examples, which are produced by adding imperceptible adversarial perturbations to clean examples. Here the steganalysis rich model (SRM) is utilized to generate noise feature maps, and they are combined with RGB images to discover the difference between adversarial examples and clean examples. In particular, a two-stream pseudo-siamese network that fuses the subtle difference in RGB images with the noise inconsistency in noise features is proposed. The proposed method has strong detection capability and transferability, and can be combined with any model without modifying its architecture or training procedure. The extensive empirical experiments show that, compared with the state-of-the-art detection methods, the proposed approach achieves excellent performance in distinguishing adversarial samples generated by popular attack methods on different real datasets. Moreover, this method has good generalization, it trained by a specific adversary can defend against other adversaries effectively.
dc.language	English
dc.publisher	WILEY
dc.relation.ispartof	IET Image Processing
dc.relation.isbasedon	10.1049/ipr2.12354
dc.rights	info:eu-repo/semantics/openAccess
dc.subject	0801 Artificial Intelligence and Image Processing, 0906 Electrical and Electronic Engineering
dc.subject.classification	Artificial Intelligence & Image Processing
dc.title	Detecting adversarial examples by additional evidence from noise domain
dc.type	Journal Article
utslib.citation.volume	16
utslib.for	0801 Artificial Intelligence and Image Processing
utslib.for	0906 Electrical and Electronic Engineering
pubs.organisational-group	/University of Technology Sydney
pubs.organisational-group	/University of Technology Sydney/Faculty of Engineering and Information Technology
pubs.organisational-group	/University of Technology Sydney/Faculty of Engineering and Information Technology/School of Computer Science
utslib.copyright.status	open_access	*
dc.date.updated	2023-01-24T03:32:52Z
pubs.issue	2
pubs.publication-status	Published
pubs.volume	16
utslib.citation.issue	2

Abstract:

Deep neural networks are widely adopted powerful tools for perceptual tasks. However, recent research indicated that they are easily fooled by adversarial examples, which are produced by adding imperceptible adversarial perturbations to clean examples. Here the steganalysis rich model (SRM) is utilized to generate noise feature maps, and they are combined with RGB images to discover the difference between adversarial examples and clean examples. In particular, a two-stream pseudo-siamese network that fuses the subtle difference in RGB images with the noise inconsistency in noise features is proposed. The proposed method has strong detection capability and transferability, and can be combined with any model without modifying its architecture or training procedure. The extensive empirical experiments show that, compared with the state-of-the-art detection methods, the proposed approach achieves excellent performance in distinguishing adversarial samples generated by popular attack methods on different real datasets. Moreover, this method has good generalization, it trained by a specific adversary can defend against other adversaries effectively.

Please use this identifier to cite or link to this item:

http://hdl.handle.net/10453/165393