
Defending Against Universal Attacks Through Selective Feature Regeneration

Author(s): Borkar, Tejas; Heide, Felix; Karam, Lina

To refer to this page use: http://arks.princeton.edu/ark:/88435/pr1zv7r
Full metadata record
DC Field | Value | Language
dc.contributor.author | Borkar, Tejas | -
dc.contributor.author | Heide, Felix | -
dc.contributor.author | Karam, Lina | -
dc.date.accessioned | 2021-10-08T19:46:44Z | -
dc.date.available | 2021-10-08T19:46:44Z | -
dc.date.issued | 2020 | en_US
dc.identifier.citation | Borkar, Tejas, Felix Heide, and Lina Karam. "Defending Against Universal Attacks Through Selective Feature Regeneration." In IEEE/CVF Conference on Computer Vision and Pattern Recognition (2020): pp. 706-716. doi:10.1109/CVPR42600.2020.00079 | en_US
dc.identifier.issn | 1063-6919 | -
dc.identifier.uri | https://openaccess.thecvf.com/content_CVPR_2020/papers/Borkar_Defending_Against_Universal_Attacks_Through_Selective_Feature_Regeneration_CVPR_2020_paper.pdf | -
dc.identifier.uri | http://arks.princeton.edu/ark:/88435/pr1zv7r | -
dc.description.abstract | Deep neural network (DNN) predictions have been shown to be vulnerable to carefully crafted adversarial perturbations. Specifically, image-agnostic (universal adversarial) perturbations added to any image can fool a target network into making erroneous predictions. Departing from existing defense strategies that work mostly in the image domain, we present a novel defense which operates in the DNN feature domain and effectively defends against such universal perturbations. Our approach identifies pre-trained convolutional features that are most vulnerable to adversarial noise and deploys trainable feature regeneration units which transform these DNN filter activations into resilient features that are robust to universal perturbations. Regenerating only the top 50% adversarially susceptible activations in at most 6 DNN layers and leaving all remaining DNN activations unchanged, we outperform existing defense strategies across different network architectures by more than 10% in restored accuracy. We show that without any additional modification, our defense trained on ImageNet with one type of universal attack examples effectively defends against other types of unseen universal attacks. | en_US
dc.format.extent | 706 - 716 | en_US
dc.language.iso | en_US | en_US
dc.relation.ispartof | IEEE/CVF Conference on Computer Vision and Pattern Recognition | en_US
dc.rights | Author's manuscript | en_US
dc.title | Defending Against Universal Attacks Through Selective Feature Regeneration | en_US
dc.type | Conference Article | en_US
dc.identifier.doi | 10.1109/CVPR42600.2020.00079 | -
dc.identifier.eissn | 2575-7075 | -
pu.type.symplectic | http://www.symplectic.co.uk/publications/atom-terms/1.0/conference-proceeding | en_US
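The abstract describes a feature-domain defense: rank convolutional filter activations by how susceptible they are to a universal perturbation, then pass only the most susceptible half through trainable "feature regeneration units" while leaving the rest untouched. The following is a minimal NumPy sketch of that selection-and-regeneration flow, not the paper's implementation: the susceptibility score here (maximum activation change under perturbation) is one plausible proxy for the paper's ranking criterion, and `unit` stands in for the trainable regeneration unit, which in the paper is a learned transformation rather than the placeholder used here.

```python
import numpy as np

def susceptibility(clean, adv):
    """Score each filter channel by how much a universal perturbation
    changes its activations (an illustrative proxy; the paper's exact
    ranking criterion may differ).

    clean, adv: arrays of shape (channels, H, W).
    Returns an array of shape (channels,).
    """
    diff = np.abs(adv - clean)
    return diff.reshape(diff.shape[0], -1).max(axis=1)

def regenerate_top_half(feats, scores, unit):
    """Apply a regeneration unit to the top-50% most susceptible
    channels; all other channels pass through unchanged, mirroring
    the selective scheme described in the abstract.

    feats: (channels, H, W) activations for one layer.
    scores: per-channel susceptibility scores.
    unit: callable standing in for a trainable regeneration unit.
    """
    out = feats.copy()
    k = feats.shape[0] // 2                    # top 50% of channels
    top = np.argsort(scores)[::-1][:k]         # most susceptible first
    out[top] = unit(feats[top])                # regenerate only those
    return out
```

In the paper this selection is applied in at most 6 layers of the network, with the regeneration units trained on adversarial examples while the original pre-trained filters stay frozen; the sketch above only shows the per-layer routing logic.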

Files in This Item:
File | Description | Size | Format
DefendingAgainstAttacksSelectiveFeatureRegeneration.pdf | | 2.11 MB | Adobe PDF


Items in OAR@Princeton are protected by copyright, with all rights reserved, unless otherwise indicated.