Deflecting Adversarial Attacks

Synced
Apr 18, 2020

Content provided by Yao Qin, the first author of the paper Deflecting Adversarial Attacks.

There has been an ongoing cycle where stronger defenses against adversarial attacks are subsequently broken by a more advanced defense-aware attack. We present a new approach towards ending this cycle where we “deflect” adversarial attacks by causing the attacker to produce an input that semantically resembles the attack’s target class. To this end, we first propose a stronger defense based on Capsule Networks that combines three detection mechanisms to achieve state-of-the-art detection performance on both standard and defense-aware attacks. We then show that undetected attacks against our defense often perceptually resemble the adversarial target class by performing a human study where participants are asked to label images produced by the attack. These attack images can no longer be called “adversarial” because our network classifies them the same way as humans do.


What’s New:

  1. We introduce the notion of deflecting adversarial attacks, which presents a step towards ending the battle between attacks and defenses.
  2. We propose a new cycle-consistency loss which trains a CapsNet to encourage the winning-capsule reconstruction to closely match the class-conditional distribution and show that this can help detect and deflect adversarial attacks.
  3. We introduce two attack-agnostic detection methods based on the discrepancy between the winning-capsule reconstruction of the clean and adversarial inputs, and design a defense-aware attack to specifically attack our detection mechanisms.

Key Insights:

  1. We introduce a new approach that presents a step towards ending the battle between defenses and attacks by deflecting adversarial attacks.
  2. We propose a new cycle-consistency loss to encourage the winning capsule reconstruction of the CapsNet to closely match the class-conditional distribution. With three detection mechanisms, we are able to detect standard adversarial attacks with a low False Positive Rate on SVHN and CIFAR-10.
  3. To specifically attack our detection mechanisms, we propose a defense-aware attack and find that our model achieves drastically lower undetected rates for defense-aware attacks compared to state-of-the-art methods.
  4. A large percentage of the undetected attacks are deflected by our model to resemble the adversarial target class and so stop being adversarial. This is verified by a human study showing that 70% of the undetected black-box adversarial attacks are classified unanimously by humans as the target class on SVHN.
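The three checks the post describes (two detectors based on the discrepancy between the input and the winning-capsule reconstruction, plus cycle consistency) can be written as a small decision layer over a model's per-class reconstructions. This is an added illustration, not the paper's code: the model outputs, the clean error distribution and the nearest-prototype classifier used to re-label reconstructions are constructed here, and the exact form of each check (a global threshold calibrated to a target false-positive rate on clean data, a local check that the winning class reconstructs best, and re-classifying the winning reconstruction) is my reading of the approach.

```python
import numpy as np

def recon_errors(x, recons):
    """L2 distance between the input and each class-conditional reconstruction."""
    return np.linalg.norm(np.asarray(recons) - np.asarray(x)[None, :], axis=1)

def calibrate_threshold(clean_errors, target_fpr=0.05):
    """Global threshold = (1 - FPR) quantile of winning-class errors on clean data."""
    return float(np.quantile(np.asarray(clean_errors, dtype=float), 1.0 - target_fpr))

def detect(x, logits, recons, threshold, classify):
    """Return (winning_class, list_of_checks_that_fired). Empty list = accepted."""
    win = int(np.argmax(logits))
    errs = recon_errors(x, recons)
    fired = []
    if errs[win] > threshold:          # global: winning reconstruction is too far from x
        fired.append("global_threshold")
    if int(np.argmin(errs)) != win:    # local: some other class reconstructs x better
        fired.append("local_best")
    if classify(recons[win]) != win:   # cycle: reconstruction is not recognised as win
        fired.append("cycle_consistency")
    return win, fired

# Constructed stand-ins (not from the paper): classes are unit vectors e_c in R^4 and
# a reconstruction is re-labelled by its nearest class prototype.
PROTOS = np.eye(3, 4)

def proto_classify(v):
    return int(np.argmin(np.linalg.norm(PROTOS - np.asarray(v)[None, :], axis=1)))

# Constructed clean winning-class errors, as a validation pass would collect them.
CLEAN_ERRORS = np.linspace(0.01, 0.20, 100)
THRESHOLD = calibrate_threshold(CLEAN_ERRORS, target_fpr=0.05)

def clean_fpr():
    """Fraction of clean inputs the global threshold alone would reject."""
    return float(np.mean(CLEAN_ERRORS > THRESHOLD))

CASES = {  # name: (input x, logits, per-class reconstructions); all constructed
    "clean": (np.array([1.0, 0.05, 0.0, 0.0]), [3.0, 0.2, 0.1],
              np.array([[1.0, 0, 0, 0], [0, 1.0, 0, 0], [0, 0, 1.0, 0]])),
    "far_from_reconstruction": (np.array([0.9, 0.1, 0.3, 0.0]), [0.5, 0.2, 2.0],
              np.array([[0.9, 0, 0, 0], [0, 0.1, 0, 0], [0, 0, 1.0, 0]])),
    "cycle_inconsistent": (np.array([0.55, 0.5, 0.0, 0.0]), [0.9, 1.0, 0.1],
              np.array([[0.5, 0.4, 0, 0], [0.6, 0.45, 0, 0], [0, 0, 1.0, 0]])),
}

def run_cases():
    return {n: detect(x, lg, rc, THRESHOLD, proto_classify) for n, (x, lg, rc) in CASES.items()}
```

The "cycle_inconsistent" case is the one the post's cycle-consistency loss targets: the winning capsule reconstructs the input closely, yet the reconstruction itself is recognised as a different class, so the input is still flagged.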

The paper Deflecting Adversarial Attacks is on arXiv.

Meet the authors Yao Qin, Nicholas Frosst, Colin Raffel, Garrison Cottrell and Geoffrey Hinton from the University of California, San Diego and Google Brain.


Synced

Written by

AI Technology & Industry Review — syncedreview.com | Newsletter: http://bit.ly/2IYL6Y2 | Share My Research http://bit.ly/2TrUPMI | Twitter: @Synced_Global

SyncedReview

We produce professional, authoritative, and thought-provoking content relating to artificial intelligence, machine intelligence, emerging technologies and industrial insights.
