A Mimetic Detector for Adversarial Image Perturbations
For practitioners needing a lightweight, black-box defense against adversarial attacks, this detector offers a computationally efficient alternative to retraining or surrogate models, though validation is limited to a single image.
The paper proposes a single-shot, training-free detector for adversarial image perturbations that exploits high-frequency noise patterns in $\ell^\infty$-bounded attacks. It achieves a clean-vs-adversarial separation ratio of 3.55× to 4.19× on a standard test image.
Adversarial attacks fool deep image classifiers by adding tiny, almost invisible noise patterns to a clean image. The standard $\ell^\infty$-bounded attacks (FGSM, PGD, and the $\ell^\infty$ variant of Carlini--Wagner) produce high-frequency, near-random sign patterns at the pixel level: nearly invisible in $\ell^2$, but carrying disproportionate gradient energy. We exploit this with a single-shot, training-free detector using the high-order Corbino--Castillo mimetic operators from the open-source MOLE library. No retraining, no surrogate classifier, no access to the network under attack: the verdict is a property of the input alone, computed in $O(HW)$ time. We validate the detector on the standard \texttt{peppers} test image at the canonical $\ell^\infty$ budget $\varepsilon = 16/255$ and observe a clean-vs-adversarial separation that grows monotonically from $3.55\times$ at order $k=2$ to $4.19\times$ at $k=6$.