Defending From Physically-Realizable Adversarial Attacks Through Internal Over-Activation Analysis
This addresses the problem of adversarial attacks in real-world scenarios for computer vision systems, representing an incremental improvement over existing defenses.
This paper tackles the problem of defending convolutional networks against physically-realizable adversarial attacks by proposing Z-Mask, a method that uses Z-score analysis on internal features to detect and mask adversarial pixels. The results show that Z-Mask outperforms state-of-the-art methods in detection accuracy and network performance under attack, with additional robustness against defense-aware attacks.
This work presents Z-Mask, a robust and effective strategy to improve the adversarial robustness of convolutional networks against physically-realizable adversarial attacks. The presented defense relies on specific Z-score analysis performed on the internal network features to detect and mask the pixels corresponding to adversarial objects in the input image. To this end, spatially contiguous activations are examined in shallow and deep layers to suggest potential adversarial regions. Such proposals are then aggregated through a multi-thresholding mechanism. The effectiveness of Z-Mask is evaluated with an extensive set of experiments carried out on models for both semantic segmentation and object detection. The evaluation is performed with both digital patches added to the input images and printed patches positioned in the real world. The obtained results confirm that Z-Mask outperforms the state-of-the-art methods in terms of both detection accuracy and overall performance of the networks under attack. Additional experiments showed that Z-Mask is also robust against possible defense-aware attacks.