
Embodied Active Defense: Leveraging Recurrent Feedback to Counter Adversarial Patches (2404.00540v1)

Published 31 Mar 2024 in cs.CV and cs.AI

Abstract: The vulnerability of deep neural networks to adversarial patches has motivated numerous defense strategies for boosting model robustness. However, the prevailing defenses depend on a single observation or on pre-established adversary information to counter adversarial patches; they often fail when confronted with unseen or adaptive adversarial attacks, and they tend to perform poorly in dynamic 3D environments. Inspired by active human perception and recurrent feedback mechanisms, we develop Embodied Active Defense (EAD), a proactive defensive strategy that actively contextualizes environmental information to address misaligned adversarial patches in 3D real-world settings. To achieve this, EAD develops two central recurrent sub-modules, a perception module and a policy module, which implement two critical functions of active vision. These modules recurrently process a series of beliefs and observations, progressively refining their comprehension of the target object and producing strategic actions to counter adversarial patches in 3D environments. To optimize learning efficiency, we incorporate a differentiable approximation of environmental dynamics and deploy patches that are agnostic to the adversary's strategies. Extensive experiments demonstrate that EAD substantially enhances robustness against a variety of patches within just a few steps of its action policy in safety-critical tasks (e.g., face recognition and object detection), without compromising standard accuracy. Furthermore, owing to its attack-agnostic design, EAD generalizes well to unseen attacks, reducing the average attack success rate by 95 percent across a range of unseen adversarial attacks.
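The perception/policy loop the abstract describes, reduced to a constructed toy in Python. This is an added illustration, not the EAD code or the authors' trained modules: the per-view recognizer scores, the set of azimuths from which a planar patch is visible, the log-odds evidence clipping in the perception update, and the viewpoint-diversity heuristic standing in for the learned policy are all assumptions made here. The point it shows is the one the abstract makes: a single observation from the patched side is fooled, while fusing a few deliberately chosen views recovers the correct decision.

```python
"""Toy embodied active defense loop (constructed illustration, not EAD's code).

A planar adversarial patch only fools the single-view recognizer when the camera
looks at it roughly head-on. A recurrent perception module fuses per-view evidence
into a belief, and a policy module picks the next camera azimuth; together they
recover a correct decision within a few steps. The sensor table, the evidence
clipping and the viewpoint-diversity policy are assumptions made for this example.
"""
import math
from typing import Dict, List, Optional, Tuple

VIEWS: List[int] = [0, 45, 90, 135, 180, 225, 270, 315]  # camera azimuths (deg)

# Constructed single-view recognizer scores P(class == "target" | view).
# Ground truth: the object is NOT the target identity, so a correct decision is
# P(target) < 0.5. Profile views (90, 270) are less informative than frontal ones.
CLEAN_SCORE: Dict[int, float] = {0: 0.20, 45: 0.25, 90: 0.40, 135: 0.30,
                                 180: 0.20, 225: 0.30, 270: 0.40, 315: 0.25}
PATCHED_VIEWS = {315, 0, 45}   # azimuths from which the planar patch is visible
PATCHED_SCORE = 0.95           # the patch pushes those views toward "target"


def angular_distance(a: int, b: int) -> int:
    d = abs(a - b) % 360
    return min(d, 360 - d)


def observe(view: int, patched: bool) -> float:
    """Single-view recognizer output for one camera azimuth (constructed)."""
    if patched and view in PATCHED_VIEWS:
        return PATCHED_SCORE
    return CLEAN_SCORE[view]


def logit(p: float) -> float:
    return math.log(p / (1.0 - p))


def sigmoid(x: float) -> float:
    return 1.0 / (1.0 + math.exp(-x))


def perception_update(belief_logit: float, score: float, clip: Optional[float]) -> float:
    """Recurrent belief update: naive-Bayes fusion in log-odds.

    `clip` bounds the evidence any single observation may contribute, so one
    overconfident (possibly adversarial) view cannot dominate the fused belief.
    """
    evidence = logit(score)
    if clip is not None:
        evidence = max(-clip, min(clip, evidence))
    return belief_logit + evidence


def policy_next_view(visited: List[int]) -> int:
    """Pick the unvisited azimuth farthest (in angle) from every visited one.

    Stand-in for the learned policy module: maximise viewpoint diversity so the
    next observation is as independent as possible from those already fused.
    """
    candidates = [v for v in VIEWS if v not in visited]
    return max(candidates, key=lambda v: min(angular_distance(v, u) for u in visited))


def single_view_decision(view: int, patched: bool) -> bool:
    """Passive baseline: decide 'target' from one observation only."""
    return observe(view, patched) > 0.5


def run_episode(start_view: int, patched: bool, steps: int,
                clip: Optional[float] = 1.5) -> Tuple[List[int], List[float]]:
    """Run the active loop; return visited views and P(target) after each step."""
    visited = [start_view]
    belief = perception_update(0.0, observe(start_view, patched), clip)
    beliefs = [sigmoid(belief)]
    for _ in range(steps - 1):
        nxt = policy_next_view(visited)
        visited.append(nxt)
        belief = perception_update(belief, observe(nxt, patched), clip)
        beliefs.append(sigmoid(belief))
    return visited, beliefs


if __name__ == "__main__":
    print("passive, patched view 0 ->",
          "target" if single_view_decision(0, True) else "not target")
    views, beliefs = run_episode(0, patched=True, steps=4)
    for v, p in zip(views, beliefs):
        print(f"view {v:3d}  P(target)={p:.2f}")
    _, naive = run_episode(0, patched=True, steps=4, clip=None)
    print("naive fusion after 4 views ->", f"{naive[-1]:.2f}")
```

Two things a practitioner should take from the toy. First, unclipped log-odds fusion (`clip=None`) is still fooled after four views, because the one patched observation contributes more evidence than three clean ones; bounding per-observation evidence is the assumption made here to stop a single confident view from dominating, and a real system needs an equivalent. Second, the policy here has no adversary model at all, so an adaptive attacker who knows it (for instance, a patch or textured mesh visible from several azimuths) is exactly the case that must be included in any evaluation, as the abstract's remark about adaptive attacks implies.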
