CVPR 2020 Universal Adversarial Attacks Image agnostic and - - PowerPoint PPT Presentation



SLIDE 1

CVPR 2020

SLIDE 2


Universal Adversarial Attacks

  • Image agnostic and transferable across networks

[Figure: No defense: Baseline DNN. Pipeline: RGB image, Conv-1, Conv-2 and Conv-3 feature maps (feature extraction), dense layers (classification), predicted labels. Labels shown: input image, adversarial perturbation, perturbed image; Baseline DNN predictions "Bald eagle 99%" and "Vulture 33%".]

SLIDE 3

Frozen parameters from baseline DNN

Defending against Universal Adversarial Attacks

  • Selective feature regeneration effectively restores robustness

[Figure: Proposed defense: Baseline DNN with resilient feature regeneration. Labels shown: ranked most susceptible features, ranked least susceptible features, Feature Regeneration Unit, regenerated features, feature concat; input image, adversarial perturbation, perturbed image; Baseline DNN and Proposed Defense predictions, "Bald eagle 99%".]

SLIDE 4


Ranking CNN Filters Based on Noise Susceptibility

  • Conv. filter with weights

Feature map

  • Max perturbation level induced in feature map

  • norm of the filter weight ( )

[Figure: Suppressing perturbations in ranked filters' output maps. Axis: percentage of suppressed maps in conv-1.]

We show:

SLIDE 5

Robustness to Unseen Universal Adversarial Attacks

  • Defense trained on only UAP noise samples

[Figure: panels labelled UAP, NAG, GAP and sPGD, with a clean image and clean map, perturbed feature maps, and regenerated resilient feature maps.]

SLIDE 6

Defending Against Universal Attacks Through Selective Feature Regeneration

Summary:

  • Novel - norm measure identifies and ranks adversarially susceptible feature maps
  • Selective regeneration of only the most vulnerable feature maps restores robustness

Robustness to image-agnostic noise: Robustness to unseen universal attacks:

Code: https://github.com/tsborkar/Selective-feature-regeneration

[Figure: perturbed images, adversarial noise and predictions for NAG, GAP and sPGD. Labels shown: PD: croquet ball 77%; FD: croquet ball 10%; HGD: mixing bowl 30%; Ours: ice cream 50%, 83%, 66%. A second panel shows input image, adversarial perturbation and perturbed image with Baseline DNN and Proposed Defense predictions, "Bald eagle 99%".]