| dc.description.abstract | Adversarial attacks pose a serious threat to the use of deep learning in computer vision. This
thesis addresses two primary questions: whether a single detection method can effectively
handle multiple types of adversarial attacks, and whether combining global and localised features enhances the detection of adversarial attacks.
The proposed method integrates a ResNet-18-based global branch with a local branch, using
local patches with a shallow CNN, along with a fusion branch that combines both representations to make a more fine-grained prediction. We perform experiments using DPatch (a
localised attack) and PGD (a global gradient-based attack) to evaluate how each component
contributes to detection performance.
Our results demonstrate that ResNet-18 already serves as a strong baseline for detecting adversarial attacks. Using explainable AI techniques, we observed that the model focuses on
local patches for its decision-making. Global attacks are more challenging to explain using
xAI, so we conducted a deeper analysis. This demonstrated that the global branch learns highfrequency patterns to distinguish between clean and adversarial examples. When adversarial
noise resembles adversarial attacks, the model becomes more brittle and misclassifies these
hard-negative cases, indicating that adversarial detection methods should incorporate and
utilise non-adversarial examples as a robustness test. The use of cross-entropy was found to
be not expressive enough in forming meaningful features in the latent space of the convolution layers. It suggests that the model may learn shortcuts or memorization. The use of
contrastive learning emphasises an adversarial detector to learn these important features.
We also demonstrated that the local branch can effectively detect attacks using only small
patches of the image, showing that neural networks can classify adversarial examples with
limited input. Since patch-wise detection is not widely studied in the literature, we conducted
an ablation study focusing on the number of patches, patch size, and the aggregation function.
The key finding is that self-attention significantly improves the local branch’s performance,
surpassing the benefits of increasing the patch size or number of patches during the extraction
of local patches from the input image. Accuracy-wise, the local branch can compete with the
global ResNet approach, achieving an overall accuracy of 81%.
The fusion of global and local features resulted in improved overall detection accuracy, increasing from 81% with ResNet-18 to 91%. It did not lead to more discriminative features,
especially for global attacks in combination with hard-negative examples of non-adversarial
noise. All branches performed well on localised attacks. These findings suggest that combining global and local feature extraction is a promising direction for adversarial detection;
however, further research on global gradient-based attacks is needed to understand the limitations of this approach better. | |
