CV | CR | LG | Apr 19, 2024

AED-PADA: Improving Generalizability of Adversarial Example Detection via Principal Adversarial Domain Adaptation

arXiv:2404.12635v2 | 6 citations | h-index: 9 | ACM Trans. Multim. Comput. Commun. Appl.
Originality: Incremental advance
AI Analysis

This work addresses a critical problem in adversarial defense for machine learning security by enhancing detection generalizability, though it is incremental as it builds on existing domain adaptation techniques.

The paper tackles the poor generalization of adversarial example detection methods by proposing AED-PADA, which uses principal adversarial domains and multi-source unsupervised domain adaptation to improve detection across unseen attacks, achieving superior performance in challenging scenarios with minimal perturbation constraints.

Adversarial example detection, which can be conveniently applied in many scenarios, is important in the area of adversarial defense. Unfortunately, existing detection methods suffer from poor generalization performance, because their training process usually relies on the examples generated from a single known adversarial attack and there exists a large discrepancy between the training and unseen testing adversarial examples. To address this issue, we propose a novel method, named Adversarial Example Detection via Principal Adversarial Domain Adaptation (AED-PADA). Specifically, our approach identifies the Principal Adversarial Domains (PADs), i.e., a combination of features of the adversarial examples generated by different attacks, which possesses a large portion of the entire adversarial feature space. Subsequently, we pioneer to exploit Multi-source Unsupervised Domain Adaptation in adversarial example detection, with PADs as the source domains. Experimental results demonstrate the superior generalization ability of our proposed AED-PADA. Note that this superiority is particularly achieved in challenging scenarios characterized by employing the minimal magnitude constraint for the perturbations.
