CR | Dec 2, 2018

SentiNet: Detecting Localized Universal Attacks Against Deep Learning Systems

arXiv:1812.00292v4 | 347 citations
Originality: Incremental advance
AI Analysis

The paper addresses security vulnerabilities in deep learning systems for applications like image recognition, though it is incremental, as it builds on existing detection and interpretability techniques.

The paper tackles the problem of detecting localized universal attacks on neural networks, such as adversarial patches, by introducing SentiNet, a framework that achieves competitive performance metrics across three different attack types without requiring attack-specific training.

SentiNet is a novel detection framework for localized universal attacks on neural networks. These attacks restrict adversarial noise to contiguous portions of an image and are reusable with different images -- constraints that prove useful for generating physically-realizable attacks. Unlike most other works on adversarial detection, SentiNet does not require training a model or preknowledge of an attack prior to detection. Our approach is appealing due to the large number of possible mechanisms and attack-vectors that an attack-specific defense would have to consider. By leveraging the neural network's susceptibility to attacks and by using techniques from model interpretability and object detection as detection mechanisms, SentiNet turns a weakness of a model into a strength. We demonstrate the effectiveness of SentiNet on three different attacks -- i.e., data poisoning attacks, trojaned networks, and adversarial patches (including physically realizable attacks) -- and show that our defense is able to achieve very competitive performance metrics for all three threats. Finally, we show that SentiNet is robust against strong adaptive adversaries, who build adversarial patches that specifically target the components of SentiNet's architecture.

Code Implementations: 1 repo