A Defense against Adversarial Patch Attacks via Masking on CNN Activation Maps

Abstract

Adversarial examples, inputs indistinguishable by humans from natural data but classified incorrectly by deep neural networks, is a worrying vulnerability in the viability of using neural network classifiers in security-critical computer systems. One class of these attacks are adversarial patch attacks. In such attacks, an adversary, through direct modification of the image or a physical sticker, controls a localized region of pixels, and tunes them to induce misclassification of the target machine learning model. Defending against these patch attacks is especially important due to the possibility for physically realizable attacks on real-world systems such as self-driving cars. This thesis proposes an empirically tested defense against adversarial patch attacks that improves on current state-of-the-art defenses using successive masking layers on the internal activation maps of the powerful ResNet CNN (Convolutional Neural Network) classifier. We test our defense on the CIFAR-10 data set, achieving 87.51% clean accuracy and 86.75% defended accuracy on a patch 5% of the image, higher than previously achieved. We also show a successful defense against a powerful adaptive adversary who knows the details of the defense model. Since this technique can be widely applied to any general CNN, this work shows a promising result for future progress in the field. We also hope that it will inspire future research in finding a strong and highly accurate provable robustness guarantee using this defense framework.

Code can be found at https://github.com/nicksum107/thesiswork