ViTGuard: Attention-aware Detection against Adversarial Examples for Vision Transformer

Shihua Sun, Kenechukwu Nwodo, Shridatt Sugrim, Angelos Stavrou, Haining Wang

TL;DR

ViTGuard is proposed as a general detection method for defending ViT models against adversarial attacks, including typical attacks where perturbations spread over the entire input (Lp norm attacks) and patch attacks, and its robustness against adaptive attacks for evasion is demonstrated.

Abstract

The use of transformers for vision tasks has challenged the traditional dominant role of convolutional neural networks (CNN) in computer vision (CV). For image classification tasks, Vision Transformer (ViT) effectively establishes spatial relationships between patches within images, directing attention to important areas for accurate predictions. However, similar to CNNs, ViTs are vulnerable to adversarial attacks, which mislead the image classifier into making incorrect decisions on images with carefully designed perturbations. Moreover, adversarial patch attacks, which introduce arbitrary perturbations within a small area, pose a more serious threat to ViTs. Even worse, traditional detection methods, originally designed for CNN models, are impractical or suffer significant performance degradation when applied to ViTs, and they generally overlook patch attacks. In this paper, we propose ViTGuard as a general detection method for defending ViT models against adversarial attacks, including typical attacks where perturbations spread over the entire input and patch attacks. ViTGuard uses a Masked Autoencoder (MAE) model to recover randomly masked patches from the unmasked regions, providing a flexible image reconstruction strategy. Then, threshold-based detectors leverage distinctive ViT features, including attention maps and classification (CLS) token representations, to distinguish between normal and adversarial samples. The MAE model does not involve any adversarial samples during training, ensuring the effectiveness of our detectors against unseen attacks. ViTGuard is compared with seven existing detection methods under nine attacks across three datasets. The evaluation results show the superiority of ViTGuard over existing detectors. Finally, considering the potential detection evasion, we further demonstrate ViTGuard's robustness against adaptive attacks for evasion.
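As an added illustration (not the paper's code) of the threshold-based detection step described above: a detector scores the distance between ViT features of the original input $x$ and its MAE reconstruction $x^\prime$, calibrates its threshold on clean samples only, and reports the detection rate and AUC. The concrete distance metrics (L1 over attention maps, L2 over CLS tokens), the 5% false-positive budget, and the stand-in feature vectors are assumptions for this example, not values taken from the page.

```python
"""ViTGuard-style threshold detector (added illustration, not the paper's code).

Assumed here (not stated on the page): attention-map distance is a mean L1
distance, CLS-token distance is an L2 distance, and the threshold is the clean
score quantile that matches a chosen false-positive rate.
"""
import numpy as np

def attention_distance(attn_x, attn_xr):
    # attn_*: (heads, tokens, tokens) attention maps of x and its reconstruction x'
    return float(np.abs(attn_x - attn_xr).mean())

def cls_distance(cls_x, cls_xr):
    # cls_*: (dim,) CLS token representation taken from one transformer block
    return float(np.linalg.norm(cls_x - cls_xr))

def calibrate_threshold(clean_scores, fpr=0.05):
    """Threshold such that a fraction `fpr` of clean samples would be flagged."""
    return float(np.quantile(np.asarray(clean_scores), 1.0 - fpr))

def is_adversarial(score, threshold):
    return bool(score > threshold)

def auc(clean_scores, adv_scores):
    """Rank-based AUC: probability that an adversarial score exceeds a clean one."""
    clean, adv = np.asarray(clean_scores), np.asarray(adv_scores)
    wins = (adv[:, None] > clean[None, :]).sum() + 0.5 * (adv[:, None] == clean[None, :]).sum()
    return float(wins / (len(clean) * len(adv)))

# Constructed stand-in CLS features: a clean input reconstructs to a nearby
# representation, while an adversarial input drifts further after MAE
# reconstruction because the MAE was trained on clean images only.
rng = np.random.default_rng(0)
DIM = 8

def make_pairs(n, drift):
    base = rng.normal(size=(n, DIM))
    return base, base + rng.normal(scale=drift, size=(n, DIM))

clean_x, clean_xr = make_pairs(200, drift=0.1)
adv_x, adv_xr = make_pairs(50, drift=0.8)
CLEAN_SCORES = [cls_distance(a, b) for a, b in zip(clean_x, clean_xr)]
ADV_SCORES = [cls_distance(a, b) for a, b in zip(adv_x, adv_xr)]
THRESHOLD = calibrate_threshold(CLEAN_SCORES, fpr=0.05)      # set on clean data only
DETECTION_RATE = sum(is_adversarial(s, THRESHOLD) for s in ADV_SCORES) / len(ADV_SCORES)
CLEAN_FLAG_RATE = sum(is_adversarial(s, THRESHOLD) for s in CLEAN_SCORES) / len(CLEAN_SCORES)
```

The same calibration applies unchanged to attention-map scores from `attention_distance`; the paper's detectors combine both feature types, which this example keeps separate for clarity.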

Paper Structure

This paper contains 41 sections, 5 equations, 13 figures, 10 tables.

Figures (13)

  • Figure 1: Vision Transformer architecture: (a) the main structure of ViT, (b) the transformer block, and (c) the self-attention mechanism.
  • Figure 2: The workflow of ViTGuard. $x$ and $x^\prime$ represent the original and reconstructed inputs, respectively. ViTGuard is only applied in the test phase.
  • Figure 3: The architecture and workflow of MAE. Note that the encoder and decoder are transformer-based architectures, and the decoder's input includes both unmasked tokens and learnable masked tokens to preserve location information.
  • Figure 4: Performance comparison between ViTGuard and ARMRO under patch attacks against ViT-16 models. 'w/o Det.' represents attacks' fooling rates without any detection.
  • Figure 5: The impact of choosing different transformer blocks on AUC scores for the ViT-16 model with the Tiny-ImageNet dataset.