
CVPR 2020 Universal Adversarial Attacks: Image agnostic and transferable across networks - PowerPoint PPT Presentation



  1. Title slide: CVPR 2020

  2. Universal Adversarial Attacks
     • Image agnostic and transferable across networks
     Figure (no defense, baseline DNN): RGB input image → feature extraction (conv-1, conv-2, conv-3 feature maps) → dense layers → classification (predicted labels); an adversarial perturbation is added to the input image to produce the perturbed image. Baseline DNN predictions shown: Vulture 33%, Bald eagle 99%.

  3. Defending against Universal Adversarial Attacks
     • Selective feature regeneration effectively restores robustness
     Figure (proposed defense, baseline DNN with resilient feature regeneration): the perturbed image passes through the baseline DNN with frozen parameters; the feature maps ranked most susceptible go through a Feature Regeneration Unit, and the regenerated features are concatenated with the maps ranked least susceptible. Predictions shown for the Proposed Defense and the Baseline DNN: Bald eagle 99% each.

  4. Ranking CNN Filters Based on Noise Susceptibility
     Figure: suppressing perturbations in ranked baseline DNN filters' output maps; sample images, the baseline DNN (feature extraction, dense layers, classification, predicted labels), and a plot against the percentage of suppressed maps in conv-1.
     • We show: the max perturbation level induced in a feature map by a conv. filter is bounded by the -norm of the filter weights

  5. Robustness to Unseen Universal Adversarial Attacks
     • Defense trained on only UAP noise samples
     Figure: for UAP, NAG, GAP and sPGD perturbations, the perturbed feature map, the clean image with its clean map, and the regenerated resilient feature map.

  6. Defending Against Universal Attacks Through Selective Feature Regeneration
     Figure, robustness to image-agnostic noise: input image + adversarial perturbation → perturbed image. Figure, robustness to unseen universal attacks: NAG, GAP, sPGD. Predictions shown: PD: croquet ball 77%; FD: croquet ball 10%; HGD: mixing bowl 30%; Ours: ice cream 50%, ice cream 83%, ice cream 66%.
     Summary:
     • Novel -norm measure identifies and ranks adversarially susceptible feature maps
     • Selective regeneration of only the most vulnerable feature maps restores robustness
     Code: https://github.com/tsborkar/Selective-feature-regeneration
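To make the ranking step of slide 4 and the summary bullet above concrete, here is an added example; it is not the authors' code (their implementation is at the GitHub link above). It assumes the norm elided on the slides is the ℓ1 norm of the filter weights, which is the quantity that bounds a linear filter's response to any ℓ∞-bounded input perturbation, and it uses a constructed toy conv-1 filter bank.

```python
import numpy as np

def filter_l1_norms(weights):
    """Per-filter l1 norm of a conv weight tensor shaped (out_ch, in_ch, kh, kw).
    For a filter w and a perturbation patch delta with ||delta||_inf <= eps,
    |w . delta| <= eps * ||w||_1, so this norm measures how much input noise
    a filter can pass into its output feature map (assumption: l1 is the
    norm meant on the slide)."""
    return np.abs(weights).reshape(weights.shape[0], -1).sum(axis=1)

def rank_filters_by_susceptibility(weights):
    """Filter indices ordered most susceptible first (largest l1 norm)."""
    return [int(i) for i in np.argsort(-filter_l1_norms(weights), kind="stable")]

def select_most_susceptible(weights, fraction):
    """Top `fraction` of filters whose output maps would be routed to a
    regeneration unit; the rest keep their frozen baseline maps."""
    k = int(np.ceil(fraction * weights.shape[0]))
    return rank_filters_by_susceptibility(weights)[:k]

def verify_bound(weights, eps, trials=500, seed=0):
    """Check the bound at one output location, where the feature-map change is
    the dot product of the filter with the perturbation patch. Returns
    (random patches stay within the bound, worst-case patch eps*sign(w) attains it)."""
    rng = np.random.default_rng(seed)
    flat = weights.reshape(weights.shape[0], -1)
    bound = eps * filter_l1_norms(weights)
    empirical = np.zeros(flat.shape[0])
    for _ in range(trials):
        delta = rng.uniform(-eps, eps, size=flat.shape[1])  # ||delta||_inf <= eps
        empirical = np.maximum(empirical, np.abs(flat @ delta))
    worst = np.array([abs(f @ (eps * np.sign(f))) for f in flat])
    return bool(np.all(empirical <= bound + 1e-12)), bool(np.allclose(worst, bound))

def constructed_conv1_bank():
    """Constructed toy conv-1 bank (4 filters, 3 input channels, 3x3 taps);
    these are not weights from any trained network."""
    w = np.zeros((4, 3, 3, 3))
    w[0] = 0.05                                          # flat averaging: l1 = 1.35
    w[1, 0, 1, 1] = 2.0                                  # one large centre tap: l1 = 2.0
    w[2] = np.linspace(-0.2, 0.2, 27).reshape(3, 3, 3)  # gradient-like: l1 = 2.8
    w[3, :, 1, :] = 0.3                                  # horizontal line: l1 = 2.7
    return w

if __name__ == "__main__":
    W = constructed_conv1_bank()
    print("l1 norms:", filter_l1_norms(W))
    print("ranking, most susceptible first:", rank_filters_by_susceptibility(W))
    print("top 50% routed to regeneration:", select_most_susceptible(W, 0.5))
    print("bound holds / worst case attains it:", verify_bound(W, eps=8 / 255))
```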
