Table of Contents
Fetching ...

Rectifying Adversarial Examples Using Their Vulnerabilities

Fumiya Morimoto, Ryuto Morita, Satoshi Ono

TL;DR

The paper tackles the challenge of recovering original input labels from adversarial examples without additional training or domain-specific tuning. It introduces a detector-agnostic rectification method that repeatedly re-attacks detected AEs using white-box gradients to move them across the decision boundary toward the benign region. Across image and speech tasks, the method achieves high rectification rates against untargeted and targeted attacks, including black-box variants, and outperforms XAI-based and NLP-specific baselines. This approach offers a practical, modality-agnostic defense that can be integrated with existing detectors to enhance reliable label recovery in security-sensitive applications.

Abstract

Deep neural network-based classifiers are prone to errors when processing adversarial examples (AEs). AEs are minimally perturbed input data undetectable to humans posing significant risks to security-dependent applications. Hence, extensive research has been undertaken to develop defense mechanisms that mitigate their threats. Most existing methods primarily focus on discriminating AEs based on the input sample features, emphasizing AE detection without addressing the correct sample categorization before an attack. While some tasks may only require mere rejection on detected AEs, others necessitate identifying the correct original input category such as traffic sign recognition in autonomous driving. The objective of this study is to propose a method for rectifying AEs to estimate the correct labels of their original inputs. Our method is based on re-attacking AEs to move them beyond the decision boundary for accurate label prediction, effectively addressing the issue of rectifying minimally perceptible AEs created using white-box attack methods. However, challenge remains with respect to effectively rectifying AEs produced by black-box attacks at a distance from the boundary, or those misclassified into low-confidence categories by targeted attacks. By adopting a straightforward approach of only considering AEs as inputs, the proposed method can address diverse attacks while avoiding the requirement of parameter adjustments or preliminary training. Results demonstrate that the proposed method exhibits consistent performance in rectifying AEs generated via various attack methods, including targeted and black-box attacks. Moreover, it outperforms conventional rectification and input transformation methods in terms of stability against various attacks.

Rectifying Adversarial Examples Using Their Vulnerabilities

TL;DR

The paper tackles the challenge of recovering original input labels from adversarial examples without additional training or domain-specific tuning. It introduces a detector-agnostic rectification method that repeatedly re-attacks detected AEs using white-box gradients to move them across the decision boundary toward the benign region. Across image and speech tasks, the method achieves high rectification rates against untargeted and targeted attacks, including black-box variants, and outperforms XAI-based and NLP-specific baselines. This approach offers a practical, modality-agnostic defense that can be integrated with existing detectors to enhance reliable label recovery in security-sensitive applications.

Abstract

Deep neural network-based classifiers are prone to errors when processing adversarial examples (AEs). AEs are minimally perturbed input data undetectable to humans posing significant risks to security-dependent applications. Hence, extensive research has been undertaken to develop defense mechanisms that mitigate their threats. Most existing methods primarily focus on discriminating AEs based on the input sample features, emphasizing AE detection without addressing the correct sample categorization before an attack. While some tasks may only require mere rejection on detected AEs, others necessitate identifying the correct original input category such as traffic sign recognition in autonomous driving. The objective of this study is to propose a method for rectifying AEs to estimate the correct labels of their original inputs. Our method is based on re-attacking AEs to move them beyond the decision boundary for accurate label prediction, effectively addressing the issue of rectifying minimally perceptible AEs created using white-box attack methods. However, challenge remains with respect to effectively rectifying AEs produced by black-box attacks at a distance from the boundary, or those misclassified into low-confidence categories by targeted attacks. By adopting a straightforward approach of only considering AEs as inputs, the proposed method can address diverse attacks while avoiding the requirement of parameter adjustments or preliminary training. Results demonstrate that the proposed method exhibits consistent performance in rectifying AEs generated via various attack methods, including targeted and black-box attacks. Moreover, it outperforms conventional rectification and input transformation methods in terms of stability against various attacks.
Paper Structure (36 sections, 13 equations, 7 figures, 11 tables, 3 algorithms)

This paper contains 36 sections, 13 equations, 7 figures, 11 tables, 3 algorithms.

Figures (7)

  • Figure 1: Use case of our proposed method for road sign recognition in autonomous driving gnanasambandam2021optical.
  • Figure 2: Example AE illustrated by Goodfellow et al. goodfellow2014explaining.
  • Figure 3: Conceptual interpretation of the proposed method.
  • Figure 4: Relationship between our proposed method and AE detection method.
  • Figure 5: Example AEs rectified by our method re-attacking with FSGM in Experiment 1a. The labels in parentheses represent the recognition results by the classifier.
  • ...and 2 more figures