On Trace of PGD-Like Adversarial Attacks
This addresses security concerns in deep learning applications by providing a lightweight method for attack detection, though it is incremental as it builds on known linearity properties of networks.
The paper tackles the problem of detecting adversarial attacks by identifying a unique trace left by PGD-like attacks, showing that their Adversarial Response Characteristics (ARC) feature achieves effective detection and type recognition on CIFAR-10 and ImageNet datasets.
Adversarial attacks pose safety and security concerns to deep learning applications, but their characteristics are under-explored. Yet largely imperceptible, a strong trace could have been left by PGD-like attacks in an adversarial example. Recall that PGD-like attacks trigger the ``local linearity'' of a network, which implies different extents of linearity for benign or adversarial examples. Inspired by this, we construct an Adversarial Response Characteristics (ARC) feature to reflect the model's gradient consistency around the input to indicate the extent of linearity. Under certain conditions, it qualitatively shows a gradually varying pattern from benign example to adversarial example, as the latter leads to Sequel Attack Effect (SAE). To quantitatively evaluate the effectiveness of ARC, we conduct experiments on CIFAR-10 and ImageNet for attack detection and attack type recognition in a challenging setting. The results suggest that SAE is an effective and unique trace of PGD-like attacks reflected through the ARC feature. The ARC feature is intuitive, light-weighted, non-intrusive, and data-undemanding.