DOI: 10.1145/3649329.3656501

Defending against Adversarial Patches using Dimensionality Reduction

Published: 07 November 2024

Abstract

Adversarial patch-based attacks have been shown to be a major deterrent to the reliable use of machine learning models. These attacks strategically modify localized patches or specific image areas to deceive trained machine learning models. In this paper, we propose DefensiveDR, a practical mechanism that uses a dimensionality reduction technique to thwart such patch-based attacks. Our method projects the sample images onto a lower-dimensional space while retaining the essential information, or variability, needed for effective machine learning tasks. We do this using two techniques, Singular Value Decomposition (SVD) and t-Distributed Stochastic Neighbor Embedding (t-SNE). We treat the fraction of variability to be preserved as a hyper-parameter and tune it experimentally for optimal performance. This dimensionality reduction substantially mitigates adversarial perturbations, thereby enhancing the robustness of the given machine learning model. Our defense is model-agnostic and makes no assumptions about access to model decisions or model architectures, making it effective in both black-box and white-box settings. Furthermore, it maintains accuracy across various models and remains robust against several unseen patch-based attacks. The proposed defense improves accuracy from 38.8% (without defense) to 66.2% (with defense) under the LaVAN and GoogleAp attacks, surpassing prominent state-of-the-art defenses such as LGS [19] (53.86%) and Jujutsu [7] (60%).
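The SVD half of the pipeline described in the abstract, as an added worked example (illustration code written for this page, not the DefensiveDR implementation): a constructed 16x16 sample with a smooth rank-1 background receives a 4x4 high-contrast checkerboard patch, and the input is then projected onto the fewest singular components that retain a chosen fraction of its variability, which is the hyper-parameter the abstract says is tuned. The sample, the patch, the retention values, and the pure-Python power-iteration SVD are all assumptions made for the demo; the t-SNE variant is not shown.

```python
"""Added example: truncated-SVD input projection as a patch-attack pre-filter.

Illustration code written for this page, not the DefensiveDR implementation.
The abstract only states that inputs are projected onto a lower-dimensional
space keeping a tuned fraction of their variability; the matrix size, the
patch, and the retention values below are constructed assumptions.
"""
import math
import random
from typing import List

Matrix = List[List[float]]


def frob2(m: Matrix) -> float:
    """Squared Frobenius norm: total variability, i.e. the sum of sigma_i^2."""
    return sum(x * x for row in m for x in row)


def _matvec(m: Matrix, v: List[float]) -> List[float]:
    return [sum(a * b for a, b in zip(row, v)) for row in m]


def _matvec_t(m: Matrix, u: List[float]) -> List[float]:
    return [sum(m[i][j] * u[i] for i in range(len(m))) for j in range(len(m[0]))]


def _norm(v: List[float]) -> float:
    return math.sqrt(sum(x * x for x in v))


def top_singular_triplet(m: Matrix, iters: int = 200, seed: int = 0):
    """Dominant (sigma, u, v) of m by power iteration on m^T m.

    Dependency-free stand-in for numpy.linalg.svd; adequate for the toy
    matrix here, not for real image sizes.
    """
    rng = random.Random(seed)
    v = [rng.gauss(0.0, 1.0) for _ in m[0]]
    nv = _norm(v)
    v = [x / nv for x in v]
    for _ in range(iters):
        w = _matvec_t(m, _matvec(m, v))
        nw = _norm(w)
        if nw == 0.0:  # m is exactly zero: no component left to extract
            return 0.0, [0.0] * len(m), v
        v = [x / nw for x in w]
    mv = _matvec(m, v)
    sigma = _norm(mv)
    u = [x / sigma for x in mv] if sigma > 0.0 else [0.0] * len(m)
    return sigma, u, v


def reduce_dimensionality(img: Matrix, keep_variability: float):
    """Project img onto its top-k singular components, k being the smallest
    rank whose retained variability reaches keep_variability.
    Returns (projected image, k)."""
    total = frob2(img)
    residual = [row[:] for row in img]
    projected = [[0.0] * len(img[0]) for _ in img]
    kept, k = 0.0, 0
    max_rank = min(len(img), len(img[0]))
    while kept < keep_variability * total and k < max_rank:
        sigma, u, v = top_singular_triplet(residual)
        if sigma * sigma < 1e-12 * total:  # only rounding noise remains
            break
        for i, ui in enumerate(u):
            for j, vj in enumerate(v):
                comp = sigma * ui * vj
                projected[i][j] += comp
                residual[i][j] -= comp  # deflate before the next component
        kept += sigma * sigma
        k += 1
    return projected, k


def smooth_image(n: int = 16) -> Matrix:
    """Constructed clean sample: a smooth rank-1 brightness field in [0, 1]."""
    prof = [0.5 + 0.5 * math.sin(math.pi * i / (n - 1)) for i in range(n)]
    return [[prof[i] * prof[j] for j in range(n)] for i in range(n)]


def apply_patch(img: Matrix, size: int = 4, amp: float = 0.5) -> Matrix:
    """Constructed adversarial patch: a high-contrast checkerboard block in
    the top-left corner, i.e. a localized, visible perturbation."""
    out = [row[:] for row in img]
    for i in range(size):
        for j in range(size):
            out[i][j] += amp if (i + j) % 2 == 0 else -amp
    return out


def region_energy(a: Matrix, b: Matrix, size: int = 4) -> float:
    """Squared difference between a and b inside the patch region."""
    return sum((a[i][j] - b[i][j]) ** 2 for i in range(size) for j in range(size))


def demo(keep_variability: float) -> dict:
    """Run the pre-filter on the patched sample and report what survived."""
    clean = smooth_image()
    attacked = apply_patch(clean)
    projected, k = reduce_dimensionality(attacked, keep_variability)
    diff = [[p - c for p, c in zip(pr, cr)] for pr, cr in zip(projected, clean)]
    return {
        "k": k,
        "patch_left": region_energy(projected, clean) / region_energy(attacked, clean),
        "clean_error": frob2(diff) / frob2(clean),
    }


if __name__ == "__main__":
    for kv in (0.95, 0.999):
        print(kv, demo(kv))
```

At 95% retained variability the projection is rank 1 and the patch region lands within a fraction of a percent of the clean sample's energy, while the rest of the image is reproduced almost exactly. At 99.9% the projection is rank 2 and the patch comes back intact: the checkerboard is a rank-1 component with its own singular value, and truncation discards it only while its share of the total variability stays below the threshold, not because it is spatially localized. That is the trade-off behind tuning the retained fraction, since too high a value keeps the patch and too low a value strips content the classifier needs. The power-iteration SVD is a dependency-free stand-in for a library routine such as numpy.linalg.svd.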

References

[1]
Charu C Aggarwal, Alexander Hinneburg, and Daniel A Keim. 2001. On the surprising behavior of distance metrics in high dimensional space. In International conference on database theory. Springer, 420--434.
[2]
Anish Athalye, Logan Engstrom, Andrew Ilyas, and Kevin Kwok. 2018. Synthesizing robust adversarial examples. In International conference on machine learning. PMLR, 284--293.
[3]
Kevin Beyer, Jonathan Goldstein, Raghu Ramakrishnan, and Uri Shaft. 1999. When is "nearest neighbor" meaningful?. In International conference on database theory. Springer, 217--235.
[4]
Nandish Chattopadhyay, Subhrojyoti Chatterjee, and Anupam Chattopadhyay. 2021. Robustness against adversarial attacks using dimensionality. In International Conference on Security, Privacy, and Applied Cryptography Engineering. Springer, 226--241.
[5]
Nandish Chattopadhyay, Anupam Chattopadhyay, Sourav Sen Gupta, and Michael Kasper. 2019. Curse of dimensionality in adversarial examples. In 2019 International Joint Conference on Neural Networks (IJCNN). IEEE, 1--8.
[6]
Nandish Chattopadhyay, Lionell Yip En Zhi, Bryan Tan Bing Xing, and Anupam Chattopadhyay. 2020. Spatially Correlated Patterns in Adversarial Images. arXiv preprint arXiv:2011.10794 (2020).
[7]
Zitao Chen, Pritam Dash, and Karthik Pattabiraman. 2023. Jujutsu: A Two-Stage Defense against Adversarial Patch Attacks on Deep Neural Networks. In Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security (Melbourne, VIC, Australia) (ASIA CCS '23). Association for Computing Machinery, New York, NY, USA, 689--703.
[8]
Jia Deng, Wei Dong, Richard Socher, Li-Jia Li, Kai Li, and Li Fei-Fei. 2009. ImageNet: A large-scale hierarchical image database. In 2009 IEEE Conference on Computer Vision and Pattern Recognition. 248--255.
[9]
Simant Dube. 2018. High Dimensional Spaces, Deep Learning and Adversarial Examples. arXiv preprint arXiv:1801.00634 (2018).
[10]
Dan Karmon et al. 2018. LaVAN: Localized and Visible Adversarial Noise. In International Conference on Machine Learning.
[11]
Tom Brown et al. 2017. Adversarial Patch. https://arxiv.org/pdf/1712.09665.pdf
[12]
D. Freedman, R. Pisani, and R. Purves. Statistics (1978; 2007 edition). ISBN: 0-393970-833.
[13]
Justin Gilmer, Luke Metz, Fartash Faghri, Samuel S Schoenholz, Maithra Raghu, Martin Wattenberg, and Ian Goodfellow. 2018. Adversarial spheres. arXiv preprint arXiv:1801.02774 (2018).
[14]
Amira Guesmi, Muhammad Abdullah Hanif, Bassem Ouni, and Muhammad Shafique. 2023. Physical Adversarial Attacks for Camera-Based Smart Systems: Current Trends, Categorization, Applications, Research Challenges, and Future Outlook. IEEE Access 11 (2023), 109617--109668.
[15]
Kaiming He, Xiangyu Zhang, Shaoqing Ren, and Jian Sun. 2015. Deep Residual Learning for Image Recognition. arXiv:1512.03385 [cs.CV]
[16]
John Hopcroft and Ravi Kannan. 2014. Foundations of Data Science.
[17]
Woo Jae Kim, Yoonki Cho, Junsik Jung, and Sung-Eui Yoon. 2023. Feature Separation and Recalibration for Adversarial Robustness. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. 8183--8192.
[18]
Alexander Levine and Soheil Feizi. 2020. (De) Randomized smoothing for certifiable defense against patch attacks. Advances in Neural Information Processing Systems 33 (2020), 6465--6475.
[19]
Muzammal Naseer, Salman Khan, and Fatih Porikli. 2019. Local gradients smoothing: Defense against localized adversarial attacks. In 2019 IEEE Winter Conference on Applications of Computer Vision (WACV). IEEE, 1300--1307.
[20]
Karen Simonyan and Andrew Zisserman. 2015. Very Deep Convolutional Networks for Large-Scale Image Recognition. arXiv:1409.1556 [cs.CV]
[21]
Laurens Van der Maaten and Geoffrey Hinton. 2008. Visualizing data using t-SNE. Journal of machine learning research 9, 11 (2008).
[22]
Chong Xiang, Arjun Nitin Bhagoji, Vikash Sehwag, and Prateek Mittal. 2021. PatchGuard: A provably robust defense against adversarial patches via small receptive fields and masking. In 30th USENIX Security Symposium (USENIX Security 21). 2237--2254.

Published In

DAC '24: Proceedings of the 61st ACM/IEEE Design Automation Conference
June 2024
2159 pages
ISBN:9798400706011
DOI:10.1145/3649329

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. adversarial attacks
  2. adversarial patches
  3. defenses
  4. dimensionality reduction
  5. SVD
  6. t-SNE

Qualifiers

  • Research-article

Conference

DAC '24
Sponsor:
DAC '24: 61st ACM/IEEE Design Automation Conference
June 23 - 27, 2024
San Francisco, CA, USA

Acceptance Rates

Overall Acceptance Rate 1,770 of 5,499 submissions, 32%

Article Metrics

  • Total Citations: 0
  • Total Downloads: 48 (last 12 months: 48; last 6 weeks: 48)
  • Reflects downloads up to 23 Dec 2024