Adversarial and Clean Data Are Not Twins

by   Zhitao Gong, et al.

Adversarial attack has cast a shadow on the massive success of deep neural networks. Despite being almost visually identical to the clean data, the adversarial images can fool deep neural networks into wrong predictions with very high confidence. In this paper, however, we show that we can build a simple binary classifier separating the adversarial apart from the clean data with accuracy over 99 robust to a second-round adversarial attack. In other words, it is difficult to disguise adversarial samples to bypass the binary classifier. Further more, we empirically investigate the generalization limitation which lingers on all current defensive methods, including the binary classifier approach. And we hypothesize that this is the result of intrinsic property of adversarial crafting algorithms.



There are no comments yet.


page 2


Towards Adversarial Training with Moderate Performance Improvement for Neural Network Classification

It has been demonstrated that deep neural networks are prone to noisy ex...

DAmageNet: A Universal Adversarial Dataset

It is now well known that deep neural networks (DNNs) are vulnerable to ...

Deep Probabilistic Models to Detect Data Poisoning Attacks

Data poisoning attacks compromise the integrity of machine-learning mode...

Generalized Adversarial Distances to Efficiently Discover Classifier Errors

Given a black-box classification model and an unlabeled evaluation datas...

Understanding Misclassifications by Attributes

In this paper, we aim to understand and explain the decisions of deep ne...

Uniform Convergence, Adversarial Spheres and a Simple Remedy

Previous work has cast doubt on the general framework of uniform converg...

Non-Intrusive Detection of Adversarial Deep Learning Attacks via Observer Networks

Recent studies have shown that deep learning models are vulnerable to sp...

Code Repositories


It turns out that adversarial and clean data are not twins, not at all.

view repo
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

Deep neural networks have been successfully adopted to many life critical areas, e.g., skin cancer detection (Esteva et al., 2017), auto-driving (Santana & Hotz, 2016), traffic sign classification (CireşAn et al., 2012), etc. A recent study (Szegedy et al., 2013), however, discovered that deep neural networks are susceptible to adversarial images. Figure 1 shows an example of adversarial images generated via fast gradient sign method (Kurakin et al., 2016, 2016) on MNIST. As we can see that although the adversarial and original clean images are almost identical from the perspective of human beings, the deep neural network will produce wrong predictions with very high confidence. Similar techniques can easily fool the image system into mistaking a stop sign for a yield sign, a dog for a automobile, for example. When leveraged by malicious users, these adversarial images pose a great threat to the deep neural network systems.

Figure 1:

The adversarial images (second row) are generated from the first row via iterative FGSM. The label of each image is shown below with prediction probability in parenthesis. Our model achieves less then 1% error rate on the clean data.

Although adversarial and clean images appear visually indiscernible, their subtle differences can successfully fool the deep neural networks. This means that deep neural networks are sensitive to these subtle differences. So an intuitively question to ask is: can we leverage these subtle differences to distinguish between adversarial and clean images? Our experiment suggests the answer is positive. In this paper we demonstrate that a simple binary classifier can separate the adversarial from the original clean images with very high accuracy (over 99%). However, we also show that the binary classifier approach suffers from the generalization limitation, i.e., it is sensitive 1) to a hyper-parameter used in crafting adversarial dataset, and 2) to different adversarial crafting algorithms. In addition to that, we also discovered that this limitation is also shared among other proposed methods against adversarial attacking, e.g., defensive retraining (Huang et al., 2015; Kurakin et al., 2016), knowledge distillation (Papernot et al., 2015b), etc. We empirically investigate the limitation and propose the hypothesis that the adversarial and original dataset are, in effect, two completely different datasets, despite being visually similar.

This article is organized as follows. In Section 2, we give an overview of the current research in adversarial attack and defense, with a focus on deep neural networks. Then, it is followed by a brief summary of the state-of-the-art adversarial crafting algorithms in Section 3. Section 4 presents our experiment results and detailed discussions. And we conclude in Section 5.

2 Related Work

The adversarial image attack on deep neural networks was first investigated in (Szegedy et al., 2013). The authors discovered that when added some imperceptible carefully chosen noise, an image may be wrongly classified with high confidence by a well-trained deep neural network. They also proposed an adversarial crafting algorithm based on optimization. We will briefly summarize it in section 3. They also proposed the hypothesis that the adversarial samples exist as a result of the high nonlinearity of deep neural network models.

However, (Goodfellow et al., 2014) proposed a counter-intuitive hypothesis explaining the cause of adversarial samples. They argued that adversarial samples are caused by the models being too linear, rather than nonlinear. They proposed two adversarial crafting algorithms based on this hypothesis, i.e., fast gradient sign method (FGSM) and least-likely class method (LLCM) (Goodfellow et al., 2014). The least-likely class method is later generalized to target class gradient sign method (TGSM) in (Kurakin et al., 2016).

(Papernot et al., 2015a) proposed another gradient based adversarial algorithm, the Jacobian-based saliency map approach (JSMA) which can successfully alter the label of an image to any desired category.

The adversarial images have been shown to be transferable among deep neural networks (Szegedy et al., 2013; Kurakin et al., 2016). This poses a great threat to current learning systems in that the attacker needs not the knowledge of the target system. Instead, the attacker can train a different model to create adversarial samples which are still effective for the target deep neural networks. What’s worse, (Papernot et al., 2016)

has shown that adversarial samples are even transferable among different machine learning techniques, e.g., deep neural networks, support vector machine, decision tree, logistic regression, etc.

Small steps have been made towards the defense of adversarial images. (Kurakin et al., 2016) shows that some image transformations, e.g., Gaussian noise, Gaussian filter, JPEG compression, etc., can effectively recover over 80% of the adversarial images. However, in our experiment, the image transformation defense does not perform well on images with low resolution, e.g., MNIST. Knowledge distillation is also shown to be an effective method against most adversarial images (Papernot et al., 2015b). The restrictions of defensive knowledge distillation are 1) that it only applies to models that produce categorical probabilities, and 2) that it needs model retraining. Adversarial training (Kurakin et al., 2016; Huang et al., 2015) was also shown to greatly enhance the model robustness to adversarials. However, as discussed in Section 4.2

, defensive distillation and adversarial training suffers from, what we call, the generalization limitations. Our experiment suggests this seems to be an intrinsic property of adversarial datasets.

3 Crafting Adversarials

The are mainly two categories of algorithms to generate adversarial samples, model independent and model dependent. We briefly summarize these two classes of methods in this section.

By conventions, we use

to represent input image set (usually a 3-dimension tensor), and

to represent the label set, usually one-hot encoded. Lowercase represents an individual data sample, e.g.,

for one input image. Subscript to data samples denotes one of its elements, e.g., denotes one pixel in the image, denotes probability for the -th target class. denotes the model, the model parameter,

the loss function. We use the superscript

adv to denote adversarial related variables, e.g., for one adversarial image. denotes the adversarial noise for one image, i.e., . For clarity, we also include the model used to craft the adversarial samples where necessary, e.g., denotes the adversarial samples created with model . denotes the image value domain, usually or . And is a scalar controlling the scale of the adversarial noise, another hyper-parameter to choose.

3.1 Model Independent Method

A box-constrained minimization algorithm based on L-BFGS was the first algorithm proposed to generate adversarial data (Szegedy et al., 2013). Concretely we want to find the smallest (in the sense of -norm) noise such that the adversarial image belongs to a different category, i.e., .


3.2 Model Dependent Methods

There are mainly three methods that rely on model gradient, i.e., fast gradient sign method (FGSM) (Kurakin et al., 2016), target class method (Kurakin et al., 2016, 2016) (TGSM) and Jacobian-based saliency map approach (JSMA) (Papernot et al., 2015a). We will see in Section 4 that despite that they all produce highly disguising adversarials, FGSM and TGSM produce compatible adversarial datasets which are complete different from adversarials generated via JSMA.

Fast Gradient Sign Method (FGSM)

FGSM tries to modify the input towards the direction where increases, i.e., , as shown in Equation 2.


Originally (Kurakin et al., 2016) proposes to generate adversarial samples by using the true label i.e., , which has been shown to suffer from the label leaking problem (Kurakin et al., 2016). Instead of true labels, (Kurakin et al., 2016) proposes to use the predicted label, i.e., , to generate adversarial examples.

This method can also be used iteratively as shown in Equation 3. Iterative FGSM has much higher success rate than the one-step FGSM. However, the iterative version is less robust to image transformation (Kurakin et al., 2016).


Target Class Gradient Sign Method (TGSM)

This method tries to modify the input towards the direction where increases.


Originally this method was proposed as the least-likely class method (Kurakin et al., 2016) where was chosen as the least-likely class predicted by the model as shown in Equation 5.


And it was extended to a more general case where could be any desired target class (Kurakin et al., 2016).

MNIST 0.9914 0.0213 1.00 1.00 0.00 1.00
CIFAR10 0.8279 0.1500 0.99 1.00 0.01 1.00
SVHN 0.9378 0.2453 1.00 1.00 0.00 1.00
Table 1: Accuracy on adversarial samples generated with FGSM/TGSM.

Jacobian-based Saliency Map Approach (JSMA)

Similar to the target class method, JSMA (Papernot et al., 2015a) allows to specify the desired target class. However, instead of adding noise to the whole input, JSMA changes only one pixel at a time. A saliency score is calculated for each pixel and pixel with the highest score is chosen to be perturbed.


Concretely, is the Jacobian value of the desired target class w.r.t an individual pixel, is the sum of Jacobian values of all non-target class. Intuitively, saliency score indicates the sensitivity of each output class w.r.t each individual pixel. And we want to perturb the pixel towards the direction where increases the most.

4 Experiment

Generally, we follow the steps below to test the effectiveness and limitation of the binary classifier approach.

  1. Train a deep neural network on the original clean training data , and craft adversarial dataset from the original clean data, , . is used to generate the attacking adversarial dataset which we want to filter out.

  2. Train a binary classifier on the combined (shuffled) training data , where is labeled 0 and labeled 1.

  3. Test the accuracy of on and , respectively.

  4. Construct second-round adversarial test data, and test accuracy on this new adversarial dataset. Concretely, we want to test whether we could find adversarial samples 1) that can successfully bypass the binary classifier , and 2) that can still fool the target model if they bypass the binary classifier. Since adversarial datasets are shown to be transferable among different machine learning techniques (Papernot et al., 2016), the binary classifier approach will be seriously flawed if failed this second-round attacking test.

The code to reproduce our experiment are available

4.1 Efficiency and Robustness of the Classifier

We evaluate the binary classifier approach on MNIST, CIFAR10, and SVHN datasets. Of all the datasets, the binary classifier achieved accuracy over 99% and was shown to be robust to a second-round adversarial attack. The results are summarized in Table 1. Each column denotes the model accuracy on the corresponding dataset. The direct conclusions from Table 1 are summarized as follows.

  1. Accuracy on and suggests that the binary classifier is very effective at separating adversarial from clean dataset. Actually during our experiment, the accuracy on is always near 1, while the accuracy on is either near 1 (successful) or near 0 (unsuccessful). Which means that the classifier either successfully detects the subtle difference completely or fails completely. We did not observe any values in between.

  2. Accuracy on suggests that we were not successful in disguising adversarial samples to bypass the the classifier. In other words, the binary classifier approach is robust to a second-round adversarial attack.

  3. Accuracy on suggests that in case of the second-round attack, the binary classifier has very high false negative. In other words, it tends to recognize them all as adversarials. This, does not pose a problem in our opinion. Since our main focus is to block adversarial samples.

4.2 Generalization Limitation

Before we conclude too optimistic about the binary classifier approach performance, however, we discover that it suffers from the generalization limitation.

  1. When trained to recognize adversarial dataset generated via FGSM/TGSM, the binary classifier is sensitive to the hyper-parameter .

  2. The binary classifier is also sensitive to the adversarial crafting algorithm.

In out experiment, the aforementioned limitations also apply to adversarial training (Kurakin et al., 2016; Huang et al., 2015) and defensive distillation (Papernot et al., 2015b).

Sensitivity to

Table 2 summarizes our tests on CIFAR10. For brevity, we use to denote that the classifier is trained on adversarial data generated on with . The binary classifier is trained on mixed clean data and adversarial dataset which is generated via FGSM with . Then we re-generate adversarial dataset via FGSM/TGSM with different values.

0.3 0.9996 1.0000
0.1 0.9996 1.0000
0.03 0.9996 0.9997
0.01 0.9996 0.0030
Table 2: sensitivity on CIFAR10

As shown in Table 2, can correctly filter out adversarial dataset generated with , but fails when adversarial data are generated with . Results on MNIST and SVHN are similar. This phenomenon was also observed in defensive retraining (Kurakin et al., 2016). To overcome this issue, they proposed to use mixed values to generate the adversarial datasets. However, Table 2 suggests that adversarial datasets generated with smaller are superset of those generated with larger . This hypothesis could be well explained by the linearity hypothesis (Kurakin et al., 2016; Warde-Farley & Goodfellow, 2016). The same conclusion also applies to adversarial training. In our experiment, the results of defensive retraining are similar to the binary classifier approach.

Disparity among Adversarial Samples

Figure 2: Adversarial training (Huang et al., 2015; Kurakin et al., 2016) does not work. This is a church window plot (Warde-Farley & Goodfellow, 2016). Each pixel (row index and column index pair) represents a data point in the input space and , where is the direction computed by FGSM and is a random direction orthogonal to . The ranges from and

is the interpolated value in between. The central black dot

represents the original data point , the orange dot (on the right of the center dot) represents the last adversarial sample created from via FGSM that is used in the adversarial training and the blue dot represents a random adversarial sample created from that cannot be recognized with adversarial training. The three digits below each image, from left to right, are the data samples that correspond to the black dot, orange dot and blue dot, respectively. ( ) represents the data samples that are always correctly (incorrectly) recognized by the model. represents the adversarial samples that can be correctly recognized without adversarial training only. And represents the data points that were correctly recognized with adversarial training only, i.e., the side effect of adversarial training.

In our experiment, we also discovered that the binary classifier is also sensitive to the algorithms used to generate the adversarial datasets.

Specifically, the binary classifier trained on FGSM adversarial dataset achieves good accuracy (over 99%) on FGSM adversarial dataset, but not on adversarial generated via JSMA, and vise versa. However, when binary classifier is trained on a mixed adversarial dataset from FGSM and JSMA, it performs well (with accuracy over 99%) on both datasets. This suggests that FGSM and JSMA generate adversarial datasets that are far away from each other. It is too vague without defining precisely what is being far away. In our opinion, they are far away in the same way that CIFAR10 is far away from SVHN. A well-trained model on CIFAR10 will perform poorly on SVHN, and vise versa. However, a well-trained model on the the mixed dataset of CIFAR10 and SVHN will perform just as well, if not better, on both datasets, as if it is trained solely on one dataset.

The adversarial datasets generated via FGSM and TGSM are, however, compatible with each other. In other words, the classifier trained on one adversarial datasets performs well on adversarials from the other algorithm. They are compatible in the same way that training set and test set are compatible. Usually we expect a model, when properly trained, should generalize well to the unseen data from the same distribution, e.g., the test dataset.

In effect, it is not just FGSM and JSMA are incompatible. We can generate adversarial data samples by a linear combination of the direction computed by FGSM and another random orthogonal direction, as illustrated in a church plot (Warde-Farley & Goodfellow, 2016) Figure 2. Figure 2 visually shows the effect of adversarial training (Kurakin et al., 2016). Each image represents adversarial samples generated from one data sample, which is represented as a black dot in the center of each image, the last adversarial sample used in adversarial training is represented as an orange dot (on the right of black dot, i.e., in the direction computed by FGSM). The green area represents the adversarial samples that cannot be correctly recognized without adversarial training but can be correctly recognized with adversarial training. The red area represents data samples that can be correctly recognized without adversarial training but cannot be correctly recognized with adversarial training. In other words, it represents the side effect of adversarial training, i.e., slightly reducing the model accuracy. The white (gray) area represents the data samples that are always correctly (incorrectly) recognized with or without adversarial training.

As we can see from Figure 2, adversarial training does make the model more robust against the adversarial sample (and adversarial samples around it to some extent) used for training (green area). However, it does not rule out all adversarials. There are still adversarial samples (gray area) that are not affected by the adversarial training. Further more, we could observe that the green area largely distributes along the horizontal direction, i.e., the FGSM direction. In (Nguyen et al., 2014), they observed similar results for fooling images. In their experiment, adversarial training with fooling images, deep neural network models are more robust against a limited set of fooling images. However they can still be fooled by other fooling images easily.

5 Conclusion

We show in this paper that the binary classifier is a simple yet effective and robust way to separating adversarial from the original clean images. Its advantage over defensive retraining and distillation is that it serves as a preprocessing step without assumptions about the model it protects. Besides, it can be readily deployed without any modification of the underlying systems. However, as we empirically showed in the experiment, the binary classifier approach, defensive retraining and distillation all suffer from the generalization limitation. For future work, we plan to extend our current work in two directions. First, we want to investigate the disparity between different adversarial crafting methods and its effect on the generated adversarial space. Second, we will also carefully examine the cause of adversarial samples since intuitively the linear hypothesis does not seem right to us.