Document type:
Conference paper with proceedings
Title:
Jedi: Entropy-Based Localization and Removal of Adversarial Patches
Author(s):
Tarchoun, Bilel [Author]
Laboratory of Advanced Technology and Intelligent Systems [LATIS]
Université de Sousse
Khalifa, Anouar Ben [Author]
Université de Sousse
Mahjoub, Mohamed Ali [Author]
Laboratory of Advanced Technology and Intelligent Systems [LATIS]
Université de Sousse
Abu-Ghazaleh, Nael [Author]
University of California [Riverside] [UC Riverside]
Alouani, Lihsen [Author]
COMmunications NUMériques - IEMN [COMNUM - IEMN]
Université Polytechnique Hauts-de-France [UPHF]
Queen's University [Belfast] [QUB]
Conference title:
2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR 2023)
City:
Vancouver
Country:
Canada
Conference start date:
2023-06-17
Publisher:
IEEE
HAL discipline(s):
Computer Science [cs]/Computer Vision and Pattern Recognition [cs.CV]
Computer Science [cs]/Cryptography and Security [cs.CR]
English abstract: [en]
Real-world adversarial physical patches were shown to be successful in compromising state-of-the-art models in a variety of computer vision applications. Existing defenses that are based on either input gradient or features analysis have been compromised by recent GAN-based attacks that generate naturalistic patches. In this paper, we propose Jedi, a new defense against adversarial patches that is resilient to realistic patch attacks. Jedi tackles the patch localization problem from an information theory perspective; it leverages two new ideas: (1) it improves the identification of potential patch regions using entropy analysis: we show that the entropy of adversarial patches is high, even in naturalistic patches; and (2) it improves the localization of adversarial patches, using an autoencoder that is able to complete patch regions from high entropy kernels. Jedi achieves high-precision adversarial patch localization, which we show is critical to successfully repair the images. Since Jedi relies on an input entropy analysis, it is model-agnostic, and can be applied on pre-trained off-the-shelf models without changes to the training or inference of the protected models. Jedi detects on average 90% of adversarial patches across different benchmarks and recovers up to 94% of successful patch attacks (compared to 75% and 65% for LGS and Jujutsu, respectively).
Language:
English
Peer-reviewed:
Yes
Audience:
International
Popular science:
No
European project:
Source:
Files
- 2304.10029
- Open access
- document
- Open access
- 2304.10029v1.pdf
- Open access