Details

Autor(en) / Beteiligte

• Lu, Zhiping
• Hu, Hongchao
• Huo, Shumin
• Li, Shuyi

Titel

MR2D: Multiple Random Masking Reconstruction Adversarial Detector

Ist Teil von

• 2022 10th International Conference on Information Systems and Computing Technology (ISCTech), 2022, p.61-67

Ort / Verlag

IEEE

Erscheinungsjahr

2022

Quelle

IEEE Electronic Library Online

Beschreibungen/Notizen

• To perceive and prevent adversarial examples (AEs) from fooling deep neural networks, many adversarial detectors learn various distributions to distinguish them from benign ones. However, those methods are limited by the target model structures and prior experiences. To solve the above problems, we proposed an adversarial detector named MR2D (Multiple, Random Masking, Reconstruction Adversarial Detector) with randomness and redundancy mechanisms. The core idea of MR2D is to judge multiple randomly masked and reconstructed input images with detection strategies. Based on the Dimpled Manifold Model theory, the more adversarial perturbations are masked, the more reconstructed patches will be cast on the image manifold, and the higher possibility of predicting correct labels. After several times repeating the process, the predictions of reconstructed AEs may be different, while benign ones usually are consistent. Through well-designed detection strategies, the MR2D can quickly distinguish AEs by three-step judgments. On the CIFAR-10 dataset, the experimental results show that the MR2D achieves better overall performance under the metrics of AUROC, AUPR, and ACC, when facing eight classical types of AEs each with three different attack strengths, than other adversarial detectors. Moreover, the MR2D can perform as a plugin to enhance the adversarial robustness of other methods, such as combining it with multiple denoise techniques.