Countermeasures Against L0 Adversarial Examples Using Image Processing and Siamese Networks
Despite the great achievements made by neural networks on tasks such as image classification, they are brittle and vulnerable to adversarial examples (AEs). By adding adversarial noise to input images, adversarial examples can be crafted to mislead neural-network-based image classifiers. Among the various AE attacks, L0 AEs are frequently applied by recent notable real-world attacks. Our observation is that, while L0 corruptions modify as few pixels as possible, they tend to cause large-amplitude perturbations to the modified pixels. We consider this an inherent limitation of L0 AEs, and accordingly propose a novel AE detector. Given an image I, it is pre-processed to obtain another image I'. The main novelty is that we then convert the AE detection problem into an image comparison problem, taking I and I' as the input pair, using a Siamese network, which is known to be effective in comparison. The proposed Siamese network can automatically capture the discrepancy between I and I' to detect L0 noise. Moreover, novel defense methods that can rectify the classification with high probability are proposed. The evaluation shows high accuracies of the proposed techniques.
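The observation above (few modified pixels, each with a large amplitude) can be seen by comparing I with a filtered I'. The sketch below is an added example, not the paper's code. It assumes a 3x3 median filter as the pre-processing step and a top-k pixel difference with a constructed threshold as a stand-in for the Siamese comparison; the images and all function names are constructed for illustration.

```python
import random

def median3x3(img):
    """Assumed pre-processing: 3x3 median filter with edge replication."""
    h, w = len(img), len(img[0])
    out = [[0.0] * w for _ in range(h)]
    for y in range(h):
        for x in range(w):
            window = sorted(
                img[min(max(y + dy, 0), h - 1)][min(max(x + dx, 0), w - 1)]
                for dy in (-1, 0, 1) for dx in (-1, 0, 1))
            out[y][x] = window[4]  # middle of 9 sorted values
    return out

def discrepancy(img, k=8):
    """Mean of the k largest |I - I'| values, with I' = median3x3(I)."""
    filt = median3x3(img)
    diffs = sorted((abs(a - b) for ra, rb in zip(img, filt)
                    for a, b in zip(ra, rb)), reverse=True)
    return sum(diffs[:k]) / k

def smooth_image(size=28):
    """Constructed clean input: diagonal gradient plus mild noise, in [0, 1]."""
    rng = random.Random(0)
    return [[0.2 + 0.5 * (x + y) / (2 * (size - 1)) + rng.uniform(-0.02, 0.02)
             for x in range(size)] for y in range(size)]

def l0_perturb(img, n_pixels=8):
    """Constructed L0-style corruption: few pixels, each pushed to 0 or 1."""
    rng = random.Random(1)
    out = [row[:] for row in img]
    size = len(img)
    coords = [(y, x) for y in range(size) for x in range(size)]
    for y, x in rng.sample(coords, n_pixels):
        out[y][x] = 1.0 if out[y][x] < 0.5 else 0.0
    return out

def is_suspicious(img, threshold=0.2):
    """Flag the input when I and I' disagree strongly at a few pixels.
    The threshold is a constructed value, not one taken from the paper."""
    return discrepancy(img) > threshold

if __name__ == "__main__":
    clean = smooth_image()
    adv = l0_perturb(clean)
    print("clean:", round(discrepancy(clean), 3), is_suspicious(clean))
    print("L0   :", round(discrepancy(adv), 3), is_suspicious(adv))
```

A fixed threshold only works here because the constructed image is smooth; natural images with sharp edges also produce large I versus I' differences, which is the reason for learning the comparison instead.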