Deep learning has shown impressive performance on challenging perceptual tasks. However, deep neural networks have been found to be vulnerable to adversarial examples. Since then, many methods have been proposed to defend against or detect adversarial examples, but they are either attack-dependent or have been shown to be ineffective against new attacks.
We propose DAFAR, a feedback framework that allows deep learning models to detect adversarial examples with high accuracy and universality. DAFAR has a relatively simple structure: a target network, a plug-in feedback network and an autoencoder-based detector. The key idea is to capture the high-level features extracted by the target network and then reconstruct the input from those features with the feedback network. These two parts constitute a feedback autoencoder. It transforms an imperceptible-perturbation attack on the target network directly into an obvious reconstruction-error attack on the feedback autoencoder. Finally, the detector computes an anomaly score from the reconstruction error and decides whether the input is adversarial. Experiments are conducted on the MNIST and CIFAR-10 data sets. The results show that DAFAR is effective against popular and arguably the most advanced attacks without losing performance on legitimate samples, with high accuracy and universality across attack methods and parameters.
pytorch, torchvision, pandas, scipy, imageio, matplotlib, pillow, cleverhans
The feedback autoencoder structure is named `MSTreAE`, and the adversarial-example detector structure is named `MSTDtcAnom`.

1. Compute the detection threshold:

   `python3 Prototype-configure.py`

   After a short wait the program prints the threshold value in the terminal.

2. Test a single image:

   `python3 Prototype-runtime.py -i INPUT -t THRESHOLD`

   where `INPUT` is the path of the input image and `THRESHOLD` is the threshold computed in step 1. After a short wait the program prints its verdict: for a normal sample, the correct classification label; for an adversarial sample, a warning message.

3. Test a whole data set:

   `python3 Prototype-runtime.py -y TYPE -i INPUT -t THRESHOLD`

   where `TYPE` is the type of the data set under test, either `adversarial` or `normal`; `INPUT` is the path of the data set (the adversarial data sets have been generated in advance and can be used directly); `THRESHOLD` is the threshold computed in step 1. After a short wait the program prints the result: the detection rate for an adversarial data set, or the false-positive rate and the classification accuracy for a normal data set.
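The following is an added, self-contained example and not code from the DAFAR repository. It mirrors the three modes above (threshold calibration, single-input verdict, data-set evaluation) on a constructed toy: 100-pixel inputs, a linear two-class target network whose weights carry an assumed non-robust feature, a feedback network that reconstructs the input from the class probability alone, and an FGSM-style attack. The calibration rule (a quantile of clean-sample reconstruction errors) and all function names are assumptions for illustration; the repository's `MSTreAE` and `MSTDtcAnom` models and its actual threshold rule are not shown on this page. The point the toy makes is the one in the abstract: an L-inf 0.1 perturbation with a mean squared size of 0.01 flips the classifier, and the feedback autoencoder turns it into a reconstruction error roughly 300 times larger than that of a clean input.

```python
import math
import random

# Constructed toy stand-in for DAFAR's two networks (not the repository's
# MSTreAE / MSTDtcAnom models): 100-pixel "images" with values in [0, 1],
# two classes, a linear target network and a prototype-based feedback network.
D = 100
PROTOTYPES = [[0.8] * 50 + [0.2] * 50,   # class 0
              [0.2] * 50 + [0.8] * 50]   # class 1
# Classifier weights: a small part aligned with the prototypes plus a larger
# alternating part that clean inputs never excite. The alternating part is an
# assumed "non-robust feature": a tiny per-pixel step along it flips the class.
W = [(0.004 if i < 50 else -0.004) + (0.02 if i % 2 == 0 else -0.02)
     for i in range(D)]
SCALE = 50.0
EPS = 0.1   # L-inf budget of the attack on the [0, 1] pixel scale


def target_network(x):
    """High-level feature = P(class 0); the prediction is its argmax."""
    logit = SCALE * sum(w * xi for w, xi in zip(W, x))
    p0 = 1.0 / (1.0 + math.exp(-logit))
    return (0 if p0 >= 0.5 else 1), p0


def feedback_network(p0):
    """Reconstruct the input from the high-level feature alone."""
    return [p0 * a + (1.0 - p0) * b for a, b in zip(*PROTOTYPES)]


def feedback_autoencoder(x):
    """Returns (predicted label, mean squared reconstruction error)."""
    label, p0 = target_network(x)
    x_hat = feedback_network(p0)
    return label, sum((a - b) ** 2 for a, b in zip(x, x_hat)) / D


def clean_sample(rng, label):
    """Constructed legitimate input: prototype plus small uniform noise."""
    return [min(1.0, max(0.0, v + rng.uniform(-0.05, 0.05)))
            for v in PROTOTYPES[label]]


def fgsm(x, label):
    """One signed-gradient step (FGSM-style) that lowers the true class's logit."""
    direction = -1.0 if label == 0 else 1.0
    return [min(1.0, max(0.0, xi + direction * EPS * (1.0 if w > 0 else -1.0)))
            for xi, w in zip(x, W)]


def calibrate_threshold(normal_errors, target_fpr=0.01):
    """Assumed calibration rule (Prototype-configure.py's own rule is not
    documented here): the (1 - target_fpr) quantile of clean-sample errors."""
    s = sorted(normal_errors)
    k = min(len(s) - 1, round((1.0 - target_fpr) * len(s)) - 1)
    return s[max(k, 0)]


def runtime_single(x, threshold):
    """Single-input mode: a class label for normal inputs, a warning otherwise."""
    label, err = feedback_autoencoder(x)
    if err > threshold:
        return "WARNING: adversarial input (reconstruction error %.4f > %.4f)" % (err, threshold)
    return "class %d" % label


def evaluate(samples, threshold):
    """Data-set mode: (fraction flagged, fraction unflagged and correctly classified).
    On an adversarial set the first value is the detection rate; on a normal
    set it is the false-positive rate and the second value is the accuracy."""
    flagged = correct = 0
    for x, true_label in samples:
        label, err = feedback_autoencoder(x)
        if err > threshold:
            flagged += 1
        elif label == true_label:
            correct += 1
    return flagged / len(samples), correct / len(samples)


def demo(seed=0, n=200):
    rng = random.Random(seed)
    normal = [(clean_sample(rng, i % 2), i % 2) for i in range(n)]
    adversarial = [(fgsm(x, y), y) for x, y in normal]
    threshold = calibrate_threshold([feedback_autoencoder(x)[1] for x, _ in normal])
    fpr, acc = evaluate(normal, threshold)
    detection, _ = evaluate(adversarial, threshold)
    fooled = sum(target_network(x)[0] != y for x, y in adversarial) / n
    pert = sum((a - b) ** 2 for a, b in zip(normal[0][0], adversarial[0][0])) / D
    return {"threshold": threshold, "fpr": fpr, "accuracy": acc,
            "fooled_target": fooled, "detection_rate": detection,
            "perturbation_mse": pert}


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-16s %.4f" % (k, v))
```

Two caveats the toy makes visible: the threshold is set on clean data only, so the achievable false-positive rate is whatever quantile you calibrate at (1% here), and the detector only sees what the feedback autoencoder amplifies; an attack that moves the input within what the decoder can reproduce would not raise the error, which is why the abstract's universality claim is an empirical one tested across attack methods rather than a guarantee.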