Fast Locally Optimal Detection of Targeted Universal Adversarial Perturbations.

This paper proposes a locally-optimal generalized likelihood ratio test (LO-GLRT) for detecting targeted attacks on a classifier, where the attacks add a norm-bounded targeted universal adversarial perturbation (UAP) to the classifier’s input. The paper includes both an analysis of the test as well as its empirical evaluation. The analysis provides an expression for the approximate lower bound of the detection probability, and the empirical evaluation shows this approximation to be similar to the actual detection probability. Since the LO-GLRT requires the score function of the input distribution, which is usually unknown in practice, we study the LO-GLRT for a learned surrogate input distribution. Specifically, we use a Gaussian distribution over the input subvectors as the surrogate distribution, for its mathematical tractability and computational efficiency. We evaluate the detector for several popular image classifiers and datasets, and compare the statistical and computational performance with the perturbation rectifying network (PRN) detector, another successful approach for detecting the UAPs. The LO-GLRT outperforms the PRN detector on both counts, with a running time at least 100 times lower than that of the PRN detector. [ABSTRACT FROM AUTHOR]

Copyright of IEEE Transactions on Information Forensics & Security is the property of IEEE and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.)