Jedi: Entropy-Based Localization and Removal ...
Document type :
Communication dans un congrès avec actes
Title :
Jedi: Entropy-Based Localization and Removal of Adversarial Patches
Author(s) :
Tarchoun, Bilel [Auteur]
Laboratory of Advanced Technology and Intelligent Systems [LATIS]
Université de Sousse
Khalifa, Anouar Ben [Auteur]
Université de Sousse
Mahjoub, Mohamed Ali [Auteur]
Laboratory of Advanced Technology and Intelligent Systems [LATIS]
Université de Sousse
Abu-Ghazaleh, Nael [Auteur]
University of California [Riverside] [UC Riverside]
Alouani, Lihsen [Auteur]
COMmunications NUMériques - IEMN [COMNUM - IEMN]
Université Polytechnique Hauts-de-France [UPHF]
Queen's University [Belfast] [QUB]
Laboratory of Advanced Technology and Intelligent Systems [LATIS]
Université de Sousse
Khalifa, Anouar Ben [Auteur]
Université de Sousse
Mahjoub, Mohamed Ali [Auteur]
Laboratory of Advanced Technology and Intelligent Systems [LATIS]
Université de Sousse
Abu-Ghazaleh, Nael [Auteur]
University of California [Riverside] [UC Riverside]
Alouani, Lihsen [Auteur]
COMmunications NUMériques - IEMN [COMNUM - IEMN]
Université Polytechnique Hauts-de-France [UPHF]
Queen's University [Belfast] [QUB]
Conference title :
2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR 2023)
City :
Vancouver
Country :
Canada
Start date of the conference :
2023-06-17
Publisher :
IEEE
HAL domain(s) :
Informatique [cs]/Vision par ordinateur et reconnaissance de formes [cs.CV]
Informatique [cs]/Cryptographie et sécurité [cs.CR]
Informatique [cs]/Cryptographie et sécurité [cs.CR]
English abstract : [en]
Real-world adversarial physical patches were shown to be successful in compromising state-of-the-art models in a variety of computer vision applications. Existing defenses that are based on either input gradient or features ...
Show more >Real-world adversarial physical patches were shown to be successful in compromising state-of-the-art models in a variety of computer vision applications. Existing defenses that are based on either input gradient or features analysis have been compromised by recent GAN-based attacks that generate naturalistic patches. In this paper, we propose Jedi, a new defense against adversarial patches that is resilient to realistic patch attacks. Jedi tackles the patch localization problem from an information theory perspective; leverages two new ideas: (1) it improves the identification of potential patch regions using entropy analysis: we show that the entropy of adversarial patches is high, even in naturalistic patches; and (2) it improves the localization of adversarial patches, using an autoencoder that is able to complete patch regions from high entropy kernels. Jedi achieves high-precision adversarial patch localization, which we show is critical to successfully repair the images. Since Jedi relies on an input entropy analysis, it is model-agnostic, and can be applied on pre-trained off-the-shelf models without changes to the training or inference of the protected models. Jedi detects on average 90% of adversarial patches across different benchmarks and recovers up to 94% of successful patch attacks (Compared to 75% and 65% for LGS and Jujutsu, respectively).Show less >
Show more >Real-world adversarial physical patches were shown to be successful in compromising state-of-the-art models in a variety of computer vision applications. Existing defenses that are based on either input gradient or features analysis have been compromised by recent GAN-based attacks that generate naturalistic patches. In this paper, we propose Jedi, a new defense against adversarial patches that is resilient to realistic patch attacks. Jedi tackles the patch localization problem from an information theory perspective; leverages two new ideas: (1) it improves the identification of potential patch regions using entropy analysis: we show that the entropy of adversarial patches is high, even in naturalistic patches; and (2) it improves the localization of adversarial patches, using an autoencoder that is able to complete patch regions from high entropy kernels. Jedi achieves high-precision adversarial patch localization, which we show is critical to successfully repair the images. Since Jedi relies on an input entropy analysis, it is model-agnostic, and can be applied on pre-trained off-the-shelf models without changes to the training or inference of the protected models. Jedi detects on average 90% of adversarial patches across different benchmarks and recovers up to 94% of successful patch attacks (Compared to 75% and 65% for LGS and Jujutsu, respectively).Show less >
Language :
Anglais
Peer reviewed article :
Oui
Audience :
Internationale
Popular science :
Non
European Project :
Source :
Files
- 2304.10029
- Open access
- Access the document
- document
- Open access
- Access the document
- 2304.10029v1.pdf
- Open access
- Access the document