DPG: a model to build feature subspace against adversarial patch attack

Abstract

Adversarial patch attacks in the physical world are a major threat to the application of deep learning. However, current research on adversarial patch defense algorithms focuses on image pre-processing defenses, it has been demonstrated that this defense reduces the classification accuracy of clean images and is unable to defend against physically realizable attacks. In this paper, we propose a defense patch GNN (DPG), using a new perspective for defending against adversarial patch attacks. First, we extract the input image features with the feature extraction to obtain a feature set. Then downsampling the feature set by applying the global average pooling layer to reduce the perturbation of the features by the adversarial patch. Finally, this paper proposes a graph-structured feature subspace to robust the feature performance. In addition, we design an optimization algorithm based on stochastic gradient descent (SGD), which can significantly increase the mode’s generalization ability. We demonstrate empirically the superior robustness of the DPG model on existing adversarial patch attacks. DPG shows without any accuracy loss in the prediction of clean images.

Appendices

Appendix 1: Adversarial patch attacks

This section contains additional details on adversarial attacks. Note that we use the Adversarial Patch, Robust Physical Perturbation and Adversarial Eyeglasses attacks to evaluate our defended models.

1.1 Attack algorithm

The untargeted adversarial patch attack can be expressed as the optimization problem shown below:

$$\begin{aligned} \textbf{x}'=\arg \max _{\textbf{x}'\in \mathcal {A}(\textbf{x})}\mathcal {L}(\mathcal {M}(\textbf{x}'),y) \end{aligned}$$

(8)

where M(x) is the prediction confidence of the final output of the model, y is the one-hot encoding of the current class, and \(\mathcal {L}\) refers to the cross-entropy loss, \(x'\) denotes our adversarial example that is attempting to maximize the loss. For the targeted attack with target class \(y' \ne y\), the main difference is that we aim to maximize the loss of the correct class while minimizing the loss of the target class, instead of merely maximizing the loss of the correct class:

$$\begin{aligned} \begin{array}{c}\underset{\delta \in \Delta }{\text {maximize}}(\ell (h_\theta (x+\delta ),y)-\ell (h_\theta (x+\delta ),y_{\text {target}}))\\ =\underset{\delta \in \Delta }{\text {maximize}}\Big (h_\theta (x+\delta )_{y\text {target}}-h_\theta (x+\delta )_y\Big )\end{array} \end{aligned}$$

(9)

1.2 Adversarial patch

The Adversarial Patch attack algorithm implements the attack by completely replacing a part of the image with a patch. During the training phase, random translation, scaling, and rotation are applied to the picture patch. With the aim to define the transformation t that transforms patch p initially and then positions patch p on the image x at location l, we form a patch application operator A(P, x, l, t).

We use a variant of the Expectation over Transformation (EOT) framework to train the patch to accomplish the attack. The purpose of EOT is to maximize the target class by constraining the effective distance between the adversarial sample and the input of the original sample, under the condition that the input image is transformed:

$$\begin{aligned} \begin{array}{ll}\underset{x'}{\text {argmax}}&{}\mathbb {E}_{t\sim T}[\log P(y_t|t(x'))]\\ {\text {subject to}}&{}\mathbb {E}_{t\sim T}[d(t(x'),t(x))]<\epsilon \\ {} &{}x\in [0,1]^d\end{array} \end{aligned}$$

(10)

where d(., .) represents the Euclidean distance in LAB space after the Lagrangian relaxation method, so the optimization function in the EOT framework is as follows:

$$\begin{aligned} \begin{array}{l}dist=||LAB(t(x'))-LAB(t(x))||_2\\ \underset{x'}{\text {argmax}}\mathbb {E}_{t\sim T}\Big [\log P(y_t|t(x')) -\lambda {\text {dist}}\Big ]\end{array} \end{aligned}$$

(11)

We use a variant of the EOT framework to obtain the trained patch \(\hat{p}\). The final objective function after reformulating by using the Lagrangian-relaxed form is as follows:

$$\begin{aligned} \widehat{p}=\underset{x'}{\text {argmax}}\mathbb {E}_{x\sim X,t\sim T,l\sim L}[\log \Pr (\widehat{y}|A(p,x,l,t)] \end{aligned}$$

(12)

1.3 Robust physical perturbation

Robust Physical Perturbation(RP2) is performed by using a mask to completely cover the target object with the adversarial patch attack; this mask is used to project the calculated perturbations to physical regions on the object’s surfaces. The optimization function is as follows:

$$\begin{aligned} \begin{array}{c}\underset{\delta }{\text {argmin}}\lambda ||M_x\cdot \delta ||_p+\mathbb {E}_{x_i\sim X^V}J(f_\theta (x_i+T_i(M_x\cdot \delta )),y^*)\end{array} \end{aligned}$$

(13)

Where \(T_i\) denotes the alignment function that maps transformations on the object to transformations on the perturbation. \(M_x\) means the perturbation mask. \(M_x\) contains zeroes in regions where no perturbation is added and ones in regions where the perturbation is added during optimization.

1.4 Adversarial eyeglasses

This attack algorithm build on Generative Adversarial Networks (GAN). We employ GAN to generate adversarial glasses. The whole optimization process is shown below:

$$\begin{aligned}{} & {} Loss_G(Z,D)=\sum \limits _{z\in Z}\lg \left( 1-D\bigl (G(z)\bigr )\right) \end{aligned}$$

(14)

$$\begin{aligned}{} & {} Gain_D(G,Z,data)=\sum \limits _{x\in data}\lg \left( D\big (x\big )\right) +\sum \limits _{z\in Z}\lg \left( 1-D\big (G(z)\big )\right) \end{aligned}$$

(15)

Formally, We use three Deep Neural Networks to generate our adversarial glasses: a generator, G; a discriminator, D; and a pre-trained DNN whose classification function is denoted by F(.). For an image x, G implements the generation of adversarial glasses by training a fooling F and minimizing the following objective function:

$$\begin{aligned} Loss_G(Z,D)-\kappa \cdot \sum \limits _{z\in Z}Loss_F(x+G(z)) \end{aligned}$$

(16)

For untargeted attack, the classifier corresponds to the following objective function:

$$\begin{aligned} Loss_F(x+G(z))=\sum \limits _{i\ne x}F_{c_i}(x+G(z))-F_{c_x}(x+G(z)) \end{aligned}$$

(17)

while for targeted attacks we use:

$$\begin{aligned} L o s s_{F}(x+G(z))=F_{c_{t}}(x+G(z))-\sum _{i\ne t}F_{c_{i}}(x+G(z)) \end{aligned}$$

(18)

Where \(F_c(.)\) is the DNN’s output for class c. By maximizing \(Loss_F\), the probability of the correct class decreases for untargeted attacks, whereas the probability of the target class increases for targeted attacks. Therefore, we generate the adversarial glasses samples by minimizing the objective function.

Appendix 2: Classification accuracy

Table 6 Classification accuracy of original classification models

Table 6 presents the classification accuracy of the original classification model on the three datasets. On the VGGFace dataset, the DPG model improves the accuracy by 20 and 12%, respectively, compared to the original classification model, but the classification accuracy decreases by 10% on the ResNet model.

Appendix 3: Inference time

Table 7 Inference time for different defense models

Table 7 reports the per-image inference time of different models on the VGGFace validation set. DPG defense model prediction with ResNet as a feature extraction module consumes the shortest time.