Abstract

With the extensive application of deep neural networks (DNNs) in computer vision tasks, the vulnerability of such systems to carefully crafted adversarial examples has attracted increasing attention. Although various adversarial defense methods have been proposed to improve the robustness of DNNs, the detection of adversarial examples remains challenging. Previous studies have demonstrated that adversarial examples are sensitive to channel transformation operations, such as rotation and resizing, whereas clean examples are immune to them. The detection efficiency relies heavily on the number and types of transformation operations. Thus, we propose an adaptive channel transformation-based lightweight detector, the ACT-Detector, which selects approximately optimal channel transformation types and the minimal number of channel transformations through a cuckoo search. The ACT-Detector can not only distinguish adversarial examples from clean ones but can also identify the type of attack, such as white-box and black-box attacks. Comprehensive experiments were performed on the MNIST, CIFAR10, and ImageNet datasets to verify the detection efficiency of the ACT-Detector. The ACT-Detector outperformed a detector containing 45 channel transformations, using only five channel transformations to achieve 99.05% and 98.8% detection rates on the MNIST and CIFAR10 datasets, respectively. This is because the ACT-Detector could select channels with different features, whereas the features in the 45 channels were redundant. By reducing the channel number, the total time required for the ACT-Detector to detect one example was approximately one-quarter that required for the detector with 45 channels during testing. Thus, the proposed detector is proven to be effective and efficient, which is valuable for the detection of adversarial examples.
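The premise of the abstract, shown as an added toy example that is not code from the paper: a detector flags an input when a selected transformation changes the predicted label, and the choice of transformations decides whether that works. The 1-D linear classifier, the four transformations, the "any label change" rule and the exhaustive subset search (used here in place of the paper's cuckoo search) are all assumptions made for illustration.

```python
from itertools import combinations

# Constructed toy classifier: a smooth left-vs-right weight plus a fragile
# alternating (high-frequency) weight that a small perturbation can exploit.
N = 8
W = [(1.0 if i < N // 2 else -1.0) + 3.0 * (-1) ** i for i in range(N)]
ALT = [(-1) ** i for i in range(N)]

def predict(x):
    return 1 if sum(w * v for w, v in zip(W, x)) > 0 else 0

def perturb(x, eps=0.2):
    """Constructed sample only: small step along ALT toward the other label."""
    sign = -1 if predict(x) == 1 else 1
    return [v + sign * eps * a for v, a in zip(x, ALT)]

# Candidate channel transformations (hypothetical 1-D stand-ins for image ops).
def shift(x):
    return x[-1:] + x[:-1]

def resize(x):  # halve by pair-averaging, then upsample by repetition
    half = [(x[i] + x[i + 1]) / 2 for i in range(0, len(x), 2)]
    return [v for v in half for _ in range(2)]

def brighten(x):
    return [1.1 * v for v in x]

def flip(x):
    return x[::-1]

CANDIDATES = {"brighten": brighten, "flip": flip, "shift": shift, "resize": resize}

def flags(x, names):
    """Flag x when any selected transformation changes the predicted label."""
    return any(predict(CANDIDATES[n](x)) != predict(x) for n in names)

def accuracy(names, samples):
    return sum(flags(x, names) == is_adv for x, is_adv in samples) / len(samples)

def smallest_best_subset(samples):
    """Exhaustive search, smallest subsets first (stand-in for cuckoo search)."""
    best = ((), accuracy((), samples))
    for k in range(1, len(CANDIDATES) + 1):
        for names in combinations(CANDIDATES, k):
            acc = accuracy(names, samples)
            if acc > best[1]:
                best = (names, acc)
    return best

CLEAN = [[0.8] * 4 + [0.2] * 4, [0.2] * 4 + [0.8] * 4]  # constructed inputs
SAMPLES = [(x, False) for x in CLEAN] + [(perturb(x), True) for x in CLEAN]
```

On this constructed data a single well-chosen transformation separates clean from perturbed inputs, while using all four candidates does no better than flagging nothing, because one of them also changes the label of clean inputs.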
