Defending from Physically-Realizable Adversarial Attacks through Internal Over-Activation Analysis

Authors

  • Giulio Rossolini, Scuola Superiore Sant'Anna
  • Federico Nesti, Scuola Superiore Sant'Anna
  • Fabio Brau, Scuola Superiore Sant'Anna
  • Alessandro Biondi, Scuola Superiore Sant'Anna
  • Giorgio Buttazzo, Scuola Superiore Sant'Anna

DOI:

https://doi.org/10.1609/aaai.v37i12.26758

Keywords:

General

Abstract

This work presents Z-Mask, an effective and deterministic strategy to improve the adversarial robustness of convolutional networks against physically-realizable adversarial attacks. The presented defense relies on specific Z-score analysis performed on the internal network features to detect and mask the pixels corresponding to adversarial objects in the input image. To this end, spatially contiguous activations are examined in shallow and deep layers to suggest potential adversarial regions. Such proposals are then aggregated through a multi-thresholding mechanism. The effectiveness of Z-Mask is evaluated with an extensive set of experiments carried out on models for semantic segmentation and object detection. The evaluation is performed with both digital patches added to the input images and printed patches in the real world. The results confirm that Z-Mask outperforms the state-of-the-art methods in terms of detection accuracy and overall performance of the networks under attack. Furthermore, Z-Mask preserves its robustness against defense-aware attacks, making it suitable for safe and secure AI applications.

Published

2023-06-26

How to Cite

Rossolini, G., Nesti, F., Brau, F., Biondi, A., & Buttazzo, G. (2023). Defending from Physically-Realizable Adversarial Attacks through Internal Over-Activation Analysis. Proceedings of the AAAI Conference on Artificial Intelligence, 37(12), 15064-15072. https://doi.org/10.1609/aaai.v37i12.26758

Section

AAAI Special Track on Safe and Robust AI