Enhancing Adversarial Detection for Multi-Type Attacks through Globalized and Localized Features
Summary
Adversarial attacks pose a serious threat to the use of deep learning in computer vision. This
thesis addresses two primary questions: whether a single detection method can effectively
handle multiple types of adversarial attacks, and whether combining global and localised features enhances the detection of adversarial attacks.
The proposed method integrates a ResNet-18-based global branch with a local branch that
processes local patches with a shallow CNN, along with a fusion branch that combines both
representations to make a more fine-grained prediction. We perform experiments using DPatch (a
localised attack) and PGD (a global gradient-based attack) to evaluate how each component
contributes to detection performance.
Our results demonstrate that ResNet-18 already serves as a strong baseline for detecting
adversarial attacks. Using explainable AI (xAI) techniques, we observed that the model focuses on
local patches for its decision-making. Global attacks are more challenging to explain using
xAI, so we conducted a deeper analysis. This demonstrated that the global branch learns
high-frequency patterns to distinguish between clean and adversarial examples. When non-adversarial
noise resembles adversarial attacks, the model becomes more brittle and misclassifies these
hard-negative cases, indicating that adversarial detection methods should incorporate and
utilise non-adversarial examples as a robustness test. Cross-entropy was found to
be not expressive enough to form meaningful features in the latent space of the convolution
layers, which suggests that the model may learn shortcuts or memorise. Contrastive
learning encourages an adversarial detector to learn these important features.
We also demonstrated that the local branch can effectively detect attacks using only small
patches of the image, showing that neural networks can classify adversarial examples with
limited input. Since patch-wise detection is not widely studied in the literature, we conducted
an ablation study focusing on the number of patches, patch size, and the aggregation function.
The key finding is that self-attention significantly improves the local branch’s performance,
surpassing the benefits of increasing the patch size or number of patches during the extraction
of local patches from the input image. Accuracy-wise, the local branch can compete with the
global ResNet approach, achieving an overall accuracy of 81%.
The fusion of global and local features resulted in improved overall detection accuracy,
increasing from 81% with ResNet-18 to 91%. However, it did not lead to more discriminative features,
especially for global attacks in combination with hard-negative examples of non-adversarial
noise. All branches performed well on localised attacks. These findings suggest that combining
global and local feature extraction is a promising direction for adversarial detection;
however, further research on global gradient-based attacks is needed to better understand the
limitations of this approach.
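An added illustration (not the thesis's code or model) of the hard-negative robustness test the summary recommends: a stand-in detector that thresholds high-frequency residual energy is scored on clean images, on a sign-noise perturbation standing in for a global attack, and on benign Gaussian noise. The detector, the threshold, the L-inf budget of 8/255, the noise level and all images are assumptions constructed for this example.

```python
import math
import random

N = 32            # side length of the constructed grayscale images in [0, 1]
EPS = 8 / 255     # assumed L-inf budget of the constructed perturbation
THRESHOLD = 5e-4  # assumed decision threshold on high-frequency energy

def clean_image(rng):
    """Smooth, low-frequency image standing in for a natural photo."""
    phase = rng.uniform(0, 2 * math.pi)
    return [[0.5 + 0.25 * math.sin(2 * math.pi * i / N + phase)
             * math.cos(2 * math.pi * j / N) for j in range(N)]
            for i in range(N)]

def perturb(img, noise):
    """Add independent per-pixel noise drawn by calling noise()."""
    return [[p + noise() for p in row] for row in img]

def high_freq_energy(img):
    """Mean squared high-pass residual: pixel minus mean of its 4 neighbours."""
    total = 0.0
    for i in range(1, N - 1):
        for j in range(1, N - 1):
            nb = (img[i-1][j] + img[i+1][j] + img[i][j-1] + img[i][j+1]) / 4
            total += (img[i][j] - nb) ** 2
    return total / ((N - 2) ** 2)

def is_flagged(img):
    """Stand-in detector: flag anything with high high-frequency energy."""
    return high_freq_energy(img) > THRESHOLD

def evaluate(samples=50, seed=0):
    """Return the flagged rate for each of the three constructed sets."""
    rng = random.Random(seed)
    counts = {"clean": 0, "adversarial_like": 0, "hard_negative": 0}
    for _ in range(samples):
        img = clean_image(rng)
        sets = {
            "clean": img,
            # Sign noise at +/-EPS: a stand-in for a global attack, not PGD.
            "adversarial_like": perturb(img, lambda: rng.choice((-EPS, EPS))),
            # Benign sensor-style noise: the non-adversarial hard negative.
            "hard_negative": perturb(img, lambda: rng.gauss(0, 0.03)),
        }
        for name, x in sets.items():
            counts[name] += is_flagged(x)
    return {name: c / samples for name, c in counts.items()}

if __name__ == "__main__":
    print(evaluate())
```

The flagged rate on the `hard_negative` set is a false-positive rate that an evaluation restricted to clean and adversarial inputs never measures.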