Table of Contents
Fetching ...

A Few Large Shifts: Layer-Inconsistency Based Minimal Overhead Adversarial Example Detection

Sanggeon Yun, Ryozo Masukawa, Hyunwoo Oh, Nathaniel D. Bastian, Mohsen Imani

TL;DR

The paper tackles adversarial detection by proposing a self-contained, plug-in detector that relies on layer-wise inconsistencies within the target model. It introduces the A Few Large Shifts Assumption and two probes, Recovery Testing (RT) and Logit-layer Testing (LT), fused into the RLT score and calibrated using benign data. Empirical results on CIFAR-10/100 and ImageNet show state-of-the-art detection performance under standard and adaptive attacks with minimal overhead, and a formal system-level threshold analysis provides guaranteed lower bounds on accuracy. The approach is architecture-agnostic, scalable, and readily deployable, offering a practical defense that does not rely on external models or adversarial data for training.

Abstract

Deep neural networks (DNNs) are highly susceptible to adversarial examples--subtle, imperceptible perturbations that can lead to incorrect predictions. While detection-based defenses offer a practical alternative to adversarial training, many existing methods depend on external models, complex architectures, or adversarial data, limiting their efficiency and generalizability. We introduce a lightweight, plug-in detection framework that leverages internal layer-wise inconsistencies within the target model itself, requiring only benign data for calibration. Our approach is grounded in the A Few Large Shifts Assumption, which posits that adversarial perturbations induce large, localized violations of layer-wise Lipschitz continuity in a small subset of layers. Building on this, we propose two complementary strategies--Recovery Testing (RT) and Logit-layer Testing (LT)--to empirically measure these violations and expose internal disruptions caused by adversaries. Evaluated on CIFAR-10, CIFAR-100, and ImageNet under both standard and adaptive threat models, our method achieves state-of-the-art detection performance with negligible computational overhead. Furthermore, our system-level analysis provides a practical method for selecting a detection threshold with a formal lower-bound guarantee on accuracy. The code is available here: https://github.com/c0510gy/AFLS-AED.

A Few Large Shifts: Layer-Inconsistency Based Minimal Overhead Adversarial Example Detection

TL;DR

The paper tackles adversarial detection by proposing a self-contained, plug-in detector that relies on layer-wise inconsistencies within the target model. It introduces the A Few Large Shifts Assumption and two probes, Recovery Testing (RT) and Logit-layer Testing (LT), fused into the RLT score and calibrated using benign data. Empirical results on CIFAR-10/100 and ImageNet show state-of-the-art detection performance under standard and adaptive attacks with minimal overhead, and a formal system-level threshold analysis provides guaranteed lower bounds on accuracy. The approach is architecture-agnostic, scalable, and readily deployable, offering a practical defense that does not rely on external models or adversarial data for training.

Abstract

Deep neural networks (DNNs) are highly susceptible to adversarial examples--subtle, imperceptible perturbations that can lead to incorrect predictions. While detection-based defenses offer a practical alternative to adversarial training, many existing methods depend on external models, complex architectures, or adversarial data, limiting their efficiency and generalizability. We introduce a lightweight, plug-in detection framework that leverages internal layer-wise inconsistencies within the target model itself, requiring only benign data for calibration. Our approach is grounded in the A Few Large Shifts Assumption, which posits that adversarial perturbations induce large, localized violations of layer-wise Lipschitz continuity in a small subset of layers. Building on this, we propose two complementary strategies--Recovery Testing (RT) and Logit-layer Testing (LT)--to empirically measure these violations and expose internal disruptions caused by adversaries. Evaluated on CIFAR-10, CIFAR-100, and ImageNet under both standard and adaptive threat models, our method achieves state-of-the-art detection performance with negligible computational overhead. Furthermore, our system-level analysis provides a practical method for selecting a detection threshold with a formal lower-bound guarantee on accuracy. The code is available here: https://github.com/c0510gy/AFLS-AED.
Paper Structure (54 sections, 6 theorems, 46 equations, 5 figures, 27 tables, 1 algorithm)

This paper contains 54 sections, 6 theorems, 46 equations, 5 figures, 27 tables, 1 algorithm.

Key Result

Theorem 1

Under assump:few_shifts, we assume that $\mathcal{T} \subseteq \{f_1, \dots, f_{L-1}\}$ contains one or more intermediate layers where adversarial perturbations induce disproportionately large shifts. These shifts lead to elevated reconstruction residuals, which RT is designed to detect. Let $x^{\ma

Figures (5)

  • Figure 1: Illustration of A Few Large Shifts Assumption--an assumption on a few large perturbation shifts on a simple target classifier causes vulnerable manifolds that can trigger an unexpected transition to a different manifold space. Leveraging these vulnerable regions, an adversarial sample is crafted using an attack algorithm that applies perturbation noise, causing the original sample to shift from the cat class manifold to the dog class manifold through transitions occurring at specific targeted layers.
  • Figure 2: Overview of our layer-wise adversarial detection framework. (Left) Recovery Testing (RT) trains regressors $R^{(L \rightarrow k)}$ to reconstruct intermediate features $z_k$ from the final embedding $z_L$; detection is based on the entropy-weighted reconstruction error $\|z_k - R^{(L \rightarrow k)}(z_L)\|_2^2$. (Right) Logit-layer Testing (LT) applies perturbations $W^{(g)}$ to compute feature and logit discrepancies, $\Delta z^{(g)} = \|z_i - z_i^{(g)}\|_2^2$ and $\Delta \ell^{(g)} = \|o(\sigma(\ell)) - \sigma(\ell^{(g)})\|_2^2$, which are combined as $\frac{H(\sigma(\ell)) \Delta \ell^{(g)}}{\Delta z^{(g)}}$. Final RT and LT scores are averaged over $g$. (Bottom) Recovery and Logit Testing (RLT) integrates RT and LT scores using a linear combination after quantile normalization.
  • Figure 3: Empirical validation of the A Few Large Shifts Assumption using CIFAR-10 and ResNet-110. We plot layer-wise error distributions $\sigma(e_k)$ under different attack methods.
  • Figure 4: Ablation study showing AUC (%) of RT, LT, and RLT under varying perturbation budgets ($\epsilon \in \{0.01, 0.02, \cdots, 0.1\}$) across multiple standard attack types (FGSM, PGD, AutoAttack, Square). Evaluated on CIFAR-10 using a ResNet-110 classifier and detection models trained with fewer epochs for efficiency.
  • Figure 5: Empirical distributions of individual terms used in our detection metrics, evaluated on CIFAR-10 with a ResNet-110 model under FGSM attack ($\epsilon = 0.05$). Scores are squared and normalized using quantile normalization based on clean test samples.

Theorems & Definitions (12)

  • Theorem 1: RT Detects Adversarial Residuals
  • Theorem 2: Logit Instability under Augmentation
  • Theorem 3: Amplified Logit Sensitivity
  • Theorem 4: RLT Separates Adversaries
  • proof
  • proof
  • proof
  • proof
  • Theorem 5
  • proof
  • ...and 2 more