Abstract
Machine learning models have demonstrated vulnerability to adversarial attacks, more specifically misclassification of adversarial examples. In this paper, we propose a one-off and attack-agnostic Feature Manipulation (FM)-Defense to detect and purify adversarial examples in an interpretable and efficient manner. The intuition is that the classification result of a normal image is generally resistant to non-significant intrinsic feature changes, e.g., varying thickness of handwritten digits. In contrast, adversarial examples are sensitive to such changes since the perturbation lacks transferability. To enable manipulation of features, a Combo-variational autoencoder is applied to learn disentangled latent codes that reveal semantic features. The resistance to classification change over the morphs, derived by varying and reconstructing latent codes, is used to detect suspicious inputs. Further, Combo-VAE is enhanced to purify the adversarial examples with good quality by considering class-shared and class-unique features. We empirically demonstrate the effectiveness of detection and the quality of purified instances. Our experiments on three datasets show that FM-Defense can detect nearly <formula><tex>$100\%$</tex></formula> of adversarial examples produced by different state-of-the-art adversarial attacks. It achieves more than <formula><tex>$99\%$</tex></formula> overall purification accuracy on the suspicious instances that close the manifold of clean examples.
Original language | English |
---|---|
Pages (from-to) | 3184-3197 |
Number of pages | 10 |
Journal | IEEE Transactions on Services Computing |
Volume | 15 |
Issue number | 6 |
DOIs | |
Publication status | Published - 1 Nov 2022 |
Keywords
- Adversarial attacks
- artificial intelligence
- Decoding
- defense
- Faces
- Feature extraction
- Image reconstruction
- latent representation
- Manifolds
- Resistance
- security
- Semantics