Deflecting Adversarial Attacks

02/18/2020 ∙ by Yao Qin, et al. ∙ 5

There has been an ongoing cycle where stronger defenses against adversarial attacks are subsequently broken by a more advanced defense-aware attack. We present a new approach towards ending this cycle where we "deflect” adversarial attacks by causing the attacker to produce an input that semantically resembles the attack's target class. To this end, we first propose a stronger defense based on Capsule Networks that combines three detection mechanisms to achieve state-of-the-art detection performance on both standard and defense-aware attacks. We then show that undetected attacks against our defense often perceptually resemble the adversarial target class by performing a human study where participants are asked to label images produced by the attack. These attack images can no longer be called "adversarial” because our network classifies them the same way as humans do.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 2

page 4

page 8

page 12

page 13

Code Repositories

pwc

Papers with code. Sorted by stars. Updated weekly.


view repo

pwc

有代码的论文 Papers with code. Sorted by stars. Updated weekly.


view repo

adv_summaries

Short Summaries for papers in Adversarial Attacks and Defenses. Linked to a related blog post:


view repo
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

Adversarial attacks have been the subject of constant research since they were first discovered (Szegedy et al., 2013; Goodfellow et al., 2014; Kurakin et al., 2016). Most of this research has been focused on the creation of more robust models to defend against adversarial attacks (Song et al., 2017; Madry et al., 2017; Yang et al., 2019; Goodfellow et al., 2018), where the input image is correctly classified as the original class rather than the adversarial target class, as illustrated in Figure 1 (a). However, better defenses have led to the development of stronger attack algorithms to break these defenses (Madry et al., 2017; Carlini & Wagner, 2017b; Chen et al., 2018; Athalye et al., 2018). After several iterations of creating and breaking defenses, some research focused on adversarial attack detection (Grosse et al., 2017; Feinman et al., 2017; Metzen et al., 2017; Lee et al., 2018; Qin et al., 2020; Roth et al., 2019). Detection algorithms aim to distinguish adversarial attacks from real data and then flag the adversarial input, instead of attempting to correctly classify such inputs, as shown in Figure 1 (b). However, this strategy fell into the same creating/breaking cycle: Many state-of-the-art methods (Roth et al., 2019; Ma et al., 2018; Lee et al., 2018) claiming to detect adversarial attacks were broken shortly after publication with a defense-aware attack (Hosseini et al., 2019; Carlini & Wagner, 2017a; Athalye et al., 2018). We attempt to get ahead of this cycle by focusing on the deflection of adversarial attacks, shown in Figure 1 (c): If the result of the adversarial optimization of an image looks to a human like the adversarial target class rather than its original class, then the image can hardly be called adversarial anymore. We call such attacks “deflected”. Some examples are shown in Figure 2.

Figure 1: Different results of an adversarial attack against three different defense approaches. The original class is 0 and the adversarial target class is 8.

In this paper, we propose a network and detection mechanism based on Capsule layers (Sabour et al., 2017; Qin et al., 2020) that either detects attacks accurately or, for undetected attacks, often pressures the attacker to produce images that resemble the target class (thereby deflecting them). Our network architecture is made up of two components: A capsule classification network that classifies the input, and a reconstruction network that reconstructs the input conditioned on the pose parameters of the predicted capsule. Apart from the classification loss and reconstruction loss used in (Sabour et al., 2017; Qin et al., 2020), we introduce an extra cycle-consistency training loss which constrains the classification of the winning capsule reconstruction to be the same as the classification of the original input. This new auxiliary training loss encourages the reconstructions to more closely match the class-conditional distribution and helps the model detect and deflect adversarial attacks.

In addition, we propose two new attack-agnostic detection methods based on the discrepancy between the winning-capsule reconstruction of clean and adversarial inputs. We find that a detection method that combines ours with the one proposed by (Qin et al., 2020) performs best. We show that this method can accurately detect white-box and black-box attacks based on three different distortion metrics (EAD (Chen et al., 2018), CW (Carlini & Wagner, 2017b) and PGD (Madry et al., 2017)) on both the SVHN and CIFAR-10 datasets. Following the suggestions in (Athalye et al., 2018; Carlini & Wagner, 2017a), we also propose defense-aware attacks for our new detection method. We find that our detection methods significantly outperform state-of-the-art methods on defense-aware attacks. Finally, we perform a human study to verify that many of the undetected adversarial attacks against our model have been successfully deflected, i.e. adversarial images from both defense-aware and standard attacks against our detection mechanism are frequently classified as the target class by humans. In contrast, successful attacks against baseline models do not have this property.

Figure 2: Deflected adversarial attacks on the SVHN dataset. These images were generated by a defense aware attack and the maximal adversarial perturbation is bounded by 16/255.

To summarize, our main contributions are as follows:

  • We introduce the notion of deflecting adversarial attacks, which presents a step towards ending the battle between attacks and defenses.

  • We propose a new cycle-consistency loss which trains a CapsNet to encourage the winning-capsule reconstruction to closely match the class-conditional distribution and show that this can help detect and deflect adversarial attacks.

  • We introduce two attack-agnostic detection methods based on the discrepancy between the winning-capsule reconstruction of the clean and adversarial inputs, and design a defense-aware attack to specifically attack our detection mechanisms.

  • We show through extensive experiments on SVHN and CIFAR-10 that our detection mechanism can achieve state-of-the-art performance in detecting white-/black-box standard and defense-aware attacks.

  • We perform a human study to show that our approach, unlike previous methods, is able to deflect a large percentage of undetected adversarial attacks.

Figure 3: The network architecture with cycle-consistent winning capsule reconstructions.

2 Network Architecture

In order to design a model that is strong enough to deflect adversarial attacks, we build our network based on CapsNet (Sabour et al., 2017). Figure 3 shows the pipeline of our network architecture. The final layer of our classifier is a Capsule layer (“CapsLayer” for short) which includes both class capsules and background capsules. These capsules are intended to encode feature attributes corresponding to the class and the background respectively. Given an input , the output of a CapsLayer is a prediction and a pose parameter for all the classes and the background, where denotes the pose parameter for class . As in the initial Capsules proposed in (Sabour et al., 2017)

, the magnitude of the activation vector of a capsule encodes the existence of an instance of the class and the orientation of the activation vector encodes instantiation parameters of the instance, such as its pose. Therefore, the magnitudes of the capsules’ activations are used to perform classification while the activation vector of the winning class capsule together with the activation vectors of the background capsules are used as the input to the reconstruction network. We use

and to represent the reconstruction from the winning capsule and a losing capsule respectively. The reconstruction network uses the activations of all the background capsules as well as the activation of one class capsule but we omit this to simplify the notation. More details of the network architecture used in this paper are provided in Supplementary Material.

Cycle-consistent winning-capsule reconstructions

The CapsNet (Sabour et al., 2017) is trained with two loss terms: a marginal loss for the classification and an reconstruction loss. To encourage the reconstruction to more closely match the class conditional distribution and help the model detect and deflect adversarial attacks, we additionally incorporate an extra cycle-consistency loss which constrains the reconstruction from the winning capsule to be classified as the same class as the input, formulated as:

(1)

where

is the cross-entropy loss function and

, denotes the number of classes in the dataset. This can be achieved by feeding the reconstruction corresponding to the winning capsule back into the classification network, shown as the dotted red line in Figure 3. This extra training loss together with our Cycle-consistent Detector (introduced in Section 3) can help detect adversarial attacks. In addition, since the winning-capsule reconstructions are optimized to more closely match the class conditional data distribution, it becomes easier for our model to deflect adversarial attacks.

3 Detection Methods

In this paper, we use three reconstruction-based detection methods to detect standard attacks. They are: Global Threshold Detector (GTD), first proposed in (Qin et al., 2020), Local Best Detector (LBD) and Cycle-Consistency Detector (CCD).

Global Threshold Detector

When the input is adversarially perturbed, the classification given to the input may be incorrect, but the reconstruction is often blurry and therefore the distance between the adversarial input and the reconstruction is larger than would be expected from normal input. This allows us to detect the input as adversarial with the Global Threshold Detector. This method, proposed in (Qin et al., 2020), measures the reconstruction error between the input and its reconstruction from the winning capsule. If the reconstruction error is greater than a global threshold :

(2)

then the input is flagged as an adversarial example.

Local Best Detector

When the input is a clean image, the reconstruction error from the winning capsule is smaller than that of the losing capsules, where an example is shown in the first row of Figure 4. This is likely because the reconstruction objective only minimizes the reconstruction from the winning capsule during training. However, when the input is an adversarial example, the reconstruction from the capsule corresponding to the correct label can be even closer to the input compared to the reconstruction corresponding to the winning capsule (see the second row in Figure 4). Therefore, we propose the “Local Best Detector” (LBD) to detect such adversarial images whose reconstruction error from the winning capsule is not the smallest:

(3)

where is the number of classes in the dataset.

Figure 4: An example of a clean input, an adversarial example generated via a PGD attack, and the reconstructions for the clean and adversarial inputs from each class capsule. The reconstruction corresponding to the winning capsule is surrounded by a red box. Under each reconstruction is its reconstruction error; the smallest reconstruction error is highlighted in red. Both the clean input and its winning capsule reconstruction are classified as ‘4’. The PGD attack is classified as the target class ‘3’ but its winning capsule reconstruction is classified as ‘4’.
Cycle-Consistency Detector

If the input is a clean image, the reconstruction from the winning capsule will resemble the input. Our model should ideally assign the same class to the reconstruction of the winning capsule as the clean input. This behavior is reinforced by training with the cycle-consistency loss. For example, as shown in Figure 4 both the clean input and its winning-capsule reconstruction are classified as 4. However, when the input is an adversarial example that is perceptually indistinguishable from the clean image but pressures the model to predict the target class, the reconstruction of the winning capsule often appears closer to the clean input and/or is blurry. As a result, the reconstruction of the winning capsule is often not classified as the target class. As shown in Figure 4, the adversarial input has been classified as the target class “3” while the reconstruction corresponding to the winning capsule is classified as “4”. Therefore, the Cycle-Consistency Detector (CCD) is designed to flag the input as an adversarial example if the input and its reconstruction of the winning capsule are not classified as the same class:

(4)

In this paper, we use these three detectors together to detect adversarial examples. In other words, we flag any input as adversarial if it’s classified as adversarial by any of the detection mechanisms. As a result, an adversarial input can only go undetected if it passes all three detection mechanisms.

4 The Defense-Aware CC-PGD Attack

In order for an attack mechanism to generate an adversarial example (where is a small adversarial perturbation) that can both cause a misclassification and is not detected by our detection mechanisms, the constructed adversarial attack must:

  • successfully fool the classifier: and , where is the target class.

  • avoid being detected by the Global Threshold Detector (GTD), the attack needs to constrain the reconstruction of the winning capsule to be close to the input.

  • fool the Local Best Detector (LBD), the attack should encourage the reconstructions from all the losing capsules to be far away from the input to ensure the reconstruction error of the winning capsule is the smallest.

  • circumvent the Cycle-Consistency Detector (CCD) by fooling the classifier into making the target prediction when it is fed the winning-capsule reconstruction of the adversarial input, that is: .

To generate such an attack, we follow (Qin et al., 2020) and devise attacks which consist of two stages at each gradient step. The first stage attempts to fool the classifier by following a standard attack (e.g., a standard PGD attack) which follows the gradient of the cross-entropy loss function with respect to the input. Then, in the second stage, we focus on fooling the detection mechanisms by taking the reconstruction error and cycle-consistency into consideration. This can be formulated as minimizing the reconstruction loss , which consists of three components: the reconstruction loss corresponding to the Global Threshold Detector , the reconstruction loss corresponding to the Local Best Detector and the cycle-consistency classification loss corresponding to the Cycle-Consistency Detector . Specifically, the reconstruction loss is defined as:

(5)

where is the adversarial example, is the number of the classes in the dataset, is the winning-capsule reconstruction error and

is the losing-capsule reconstruction error. The hyperparameters

, and are used to balance the importance of attacking each detector. Then, the adversarial perturbation can be updated in the second stage as:

(6)

where is the norm bound and is the step size in each iteration.

Figure 5: (a) The success rate of white-box PGD and CC-PGD changes as the number of iterations increases for our deflecting model on CIFAR-10 dataset. (b) The success rate of white-box PGD and CC-PGD changes as increases for our deflecting model on CIFAR-10 dataset. (c) The Undetected Rate of the defense-aware attack CC-PGD optimized by a two-stage optimization and one-stage optimization vs. False Positive Rate for the clean data on the CIFAR-10 dataset. (d) Ablation study for cycle-consistency loss. The Undetected Rate of the defense-aware attack vs. False Positive Rate for baseline Capsule model trained without cycle-consistency loss and our deflecting model on the CIFAR-10 dataset. GTD and LBD are used to detect adversarial examples in baseline Capsule model. GTD, LBD and CCD are all used to detect adversarial attacks for our deflecting model.

5 Experiments

Now that we have proposed our new defense model, we first verify its detection performance on the SVHN and CIFAR-10 datasets on a variety of attacks. Then, we use a human study to demonstrate that our model frequently pressures the undetected attacks to be deflected.

5.1 Evaluation Metrics and Datasets

In this paper, we use Accuracy to represent the proportion of clean examples that are correctly classified by our network. We use Success Rate to measure the performance of an attack, which is defined as the proportion of adversarial examples that successfully fool the classifier into making the targeted prediction. In order to evaluate the performance of different detection mechanisms, we report both False Positive Rate (FPR) and Undetected Rate. The False Positive Rate is the proportion of clean examples that are flagged as an adversarial example by the detection mechanism. The Undetected Rate, first proposed in (Qin et al., 2020), denotes the proportion of adversarial examples that successfully fool the classifier and also go undetected. Finally, we perform a human study in Section 6 in order to show that our model is able to effectively deflect adversarial attacks.

5.2 Training Details and Test Accuracy

We set the batch size to be 64 and the learning rate to 0.0001 to train the network on SVHN. For CIFAR-10, the batch size is set to be 128 and the learning rate is 0.0002. We use the Adam optimizer (Kingma & Ba, 2014) to train all models. The cycle-consistency loss is empirically multiplied with 0.0005 before being added to the margin loss and the reconstruction loss used as in the original CapsNets (Sabour et al., 2017).

We test our deflecting models on the SVHN (Netzer et al., 2011) and CIFAR-10 datasets (Krizhevsky, 2009). The classification accuracy on the clean test set is on SVHN and on CIFAR-10, which show that our deflecting models are reasonably good at classifying clean images.

5.3 Threat Model

In this paper, we consider two commonly used threat models: white-box and black-box. For white-box attacks, the adversary has full knowledge of the network architecture and parameters and is allowed to construct the adversarial attack by computing the gradient of model’s output with respect to its input. In the black-box setting, the adversary is aware of the network architecture of the target model but does not have direct access to the model’s parameters. To generate the black-box attacks against the target model, a substitute model that has the same network architecture is trained and further attacked by the white-box attacks, which are transferred to the target model as the black-box attacks.

5.4 Adversarial Attacks

Following the suggestions in (Carlini et al., 2019), we test our attack-agnostic detection mechanisms on three standard targeted attacks based on different distance metrics: norm-based EAD (Chen et al., 2018), norm-based CW (Carlini & Wagner, 2017b), and norm-based PGD (Madry et al., 2017). In addition, we follow the suggestions in (Carlini & Wagner, 2017a) to report the performance of our detection mechanisms against defense-aware attacks. We use CC-PGD (described in Section 4) as our defense-aware attack. For the norm-based attacks, we set the maximal perturbation to be 16/255 on SVHN and 8/255 on CIFAR-10 as is typically used (Buckman et al., 2018; Madry et al., 2017).

To generate EAD and CW attacks, we follow the previous work (Chen et al., 2018; Carlini & Wagner, 2017b) to set the binary search steps to be 9, maximum iterations to be 1000 and learning rate to be 0.01. To construct norm-based attacks (PGD and our defense-aware CC-PGD), we use a step size 0.01 (2.55/255) in each iteration as (Madry et al., 2017).

5.5 Sanity checks for PGD and CC-PGD attack

In this section, we perform basic sanity checks to ensure the adversarial attacks are correctly implemented and our proposed defense-aware CC-PGD is tuned well. In this section, we test attacks against our proposed deflecting model on the CIFAR-10 dataset. Similar conclusions also hold true on the SVHN dataset.

Convergence of attacks.

Figure 5 (a) shows the success rate of white-box PGD and CC-PGD varies as the number of iterations increases on the CIFAR-10 dataset. We can see that the attacker has almost plateaued after 200 iterations. Therefore, we set the total number of attack steps to be 200 in generating PGD and CC-PGD attack for efficiency.

100 success rate with non-constraint norm.

In Figure 5 (b), we show that the success rate of white-box PGD and CC-PGD varies as the bound of the adversarial perturbation increases. We can see that when is greater than 50/255, the success rate is 100. However, when is set to be 8/255 (which is typically used (Buckman et al., 2018; Madry et al., 2017)), the attack success rate against our deflecting model is below 50.

Two-stage optimization

To demonstrate the effectiveness of our used two-stage optimization in generating defense-aware CC-PGD, we compare the attack performance of two-stage optimization introduced in Section 4 and a one-stage optimization that uses a single loss function which combines the cross-entropy loss to fool the classifier with the reconstruction loss in Eqn. 7 to fool the detectors. In Figure 5 (c), we construct the defense-aware CC-PGD against our deflecting model on the CIFAR-10 dataset using one-stage and two-stage optimization respectively. We can see that the defense-aware CC-PGD attack that is optimized by the two-stage optimization is slightly better than that optimized by the one-stage optimization. Therefore, we follow (Qin et al., 2020) to use the two-stage optimization in all the following experiments to construct CC-PGD attack.

Hyperparameters

Empirically, the hyperparameter , and in Eqn. 7 are set to be 1, 0 and 20 respectively to balance the importance among three detectors in generating our defense-aware CC-PGD. Since the Cycle-Consistency Detector is the most effective detector (discussed below in Section 5.6.1), we assign a much higher weight to , which controls the importance of attacking Cycle-Consistency Detection in generating our defense-aware CC-PGD attack. In addition, we observe that increasing (controlling the importance of attacking the Local Best Detector) leads to a decrease of the attack performance). Therefore, is set to be 0. This might result from the contradiction between minimizing the winning-capsule reconstruction and maximizing the losing-capsule reconstruction, where they share the background capsule information. Lastly, is set to be a very small value as 1 for the best attack performance for CC-PGD.

The parameter that balances the importance of the two stages in CC-PGD is empirically set to be 0.5 on SVHN and 0.75 for the first stage and 0.25 for the second stage on CIFAR-10. More detailed results about selecting these hyperparameters are shown in Supplementary Material.

Figure 6: The Undetected Rate of different detectors for white-box attacks versus False Positive Rate (FPR) for clean input on the SVHN dataset. “All” denotes GTD, LBD and CCD are all used to detect adversarial attacks. The testing model is our deflecting model. The better detection mechanism has a smaller FPR for clean input and smaller undetected rate for attacks.

5.6 Ablation Study

5.6.1 Detection methods

In this section, we study the effectiveness of our proposed detection mechanisms: Local Best Detector (LBD) and Cycle-Consistency Detector (CCD) and compare them with Global Threshold Detector (GTD) from  (Qin et al., 2020).

Since the False Positive Rate (FPR) of clean input flagged by the Global Threshold Detector (GTD) varies as the chosen global threshold, in Figure 10 we plot the undetected rate of white-box adversarial attacks flagged by different detectors versus the False Positive Rate (FPR) of the clean input. The global threshold is chosen from the range [0, 20] with a step size of 0.4. We can clearly see that: 1) A single Global Threshold Detector (GTD) proposed in (Qin et al., 2020) is not enough to effectively detect adversarial attacks. 2) In a standard PGD attack, the CCD is the most effective detector at a low False Positive Rate, similar conclusions on EAD and CW attacks shown in Supplementary Material. 3) In all the attacks, the combination of all three detectors always performs the best. Therefore, we only report the performance of the undetected rate of the combination of all three detectors in the following experiments.


Figure 7: The Undetected Rate for white-box and black-box attacks versus False Positive Rate (FPR) for clean input on the SVHN and CIFAR-10 datasets. The strongest attack has the largest area under the line.

to 0.98c—X[c]X[c]—X[c]X[c]—X[c]X[c]—X[c]X[c] Dataset & EAD   & CW   & PGD   & CC-PGD
& White & Black & White & Black & White & Black & White & Black
SVHN & 100.0% & 10.1% & 97.6% & 1.7% & 96.0% & 28.7% & 69.0% & 37.0%
CIFAR-10 & 100.0% & 6.9% & 78.0% & 1.6% & 49.3% & 15.5% & 46.8% & 12.9%

5.6.2 Cycle-consistency loss

To demonstrate the effectiveness of the proposed cycle-consistency loss, we construct a baseline Capsule model that has the same network architecture as our deflecting model but is trained without the extra cycle-consistency loss. The False Positive Rate of the Cycle-Consistency Detector on the CIFAR-10 test set is 33.46, which represents that 33.46 of the clean test images are incorrectly flagged as an adversarial example by the Cycle-Consistency Detector. This means the Cycle-Consistency Detector is not suitable for a model that is trained without cycle-consistency loss. Therefore, to compare the detection performance between the baseline Capsule model and our deflecting model, we use a combined Global Threshold Detector (GTD) and Local Best Detector (LBD) for the baseline Capsule model and all three detectors for the deflecting model. The undetected rate of the white-box defense-aware attack versus the False Positive Rate (FPR) of the clean input on the CIFAR-10 dataset is shown in Figure 5 (d), where we can see that our deflecting model together with all three detectors has a better detection performance compared to the baseline model trained without the cycle-consistency loss.

5.7 Detection of White-box Attacks

Before showing that our defense produces deflected attacks, we must first validate that it improves detection performance. Therefore, we test our model on standard and defense-aware attacks and compare it with state-of-the-art detection methods in this section.

Standard attacks

As shown in Figure 7, our detection method has a very small undetected rate for all three standard white-box attacks (EAD, CW and PGD) on both the SVHN and CIFAR-10 dataset. Among them, PGD is the strongest attack against our detection mechanisms with the highest undetected rates at the same FPR. For PGD attacks, we achieve an undetected rate below 10 with a small False Positive Rate on the SVHN dataset. The undetected rate for white-box PGD is around with the smallest False Positive Rate on the CIFAR-10 dataset. These demonstrate that our detection mechanism is very effective in detecting standard white-box attacks that are based on different norms.

Defense-aware attacks

Following the suggestions in (Carlini & Wagner, 2017a), we test our detection mechanism in the setting where the adversary is fully aware of the defense (“defense-aware attacks”) using the CC-PGD attack. Since the PGD attack is stronger than EAD and CW in attacking our deflecting model (shown in Figure 7), the first stage of our CC-PGD attack is to construct an adversarial image via standard PGD and then, in the second stage, take the reconstruction error and cycle-consistency into consideration in order to fool the detection methods. In Figure 7 we can clearly see the undetected rate of CC-PGD increases compared to a standard PGD attack. However, there is a significant performance drop in the success rate of White-box CC-PGD (from PGD: 96.0 to CC-PGD: 69.0 on SVHN) as shown in Table 5.6.1. This indicates that the adversary needs to sacrifice some success rate in order not to be detected by our detection mechanism.

Comparison with State-of-the-Art Detection Methods

c—c—c—c Detection Method & Statistical & Classifier- & Ours
& Test & based &
CW & 0.1% & 0.0% & 4.6%

Defense-aware PGD& 97.8% & 98.4% & 28.9%

Table 2: Comparison of the Undetected Rate of the state-of-the-art detection methods on the CIFAR-10 dataset. For all the models, the maximum perturbation is of the pixel dynamic range and the False Positive Rate of the clean input are 5. The best detection performance are highlighted in bold. (Smaller numbers indicate better detection performance.)

We compare our detection methods with the most recent statistical test-based detection method (Roth et al., 2019) and a classifier-based detection method proposed in (Hosseini et al., 2019). In Table 2, we can see that although the statistical test (Roth et al., 2019) and the classifier-based detection method (Hosseini et al., 2019) can detect standard attacks successfully, they both fully fail against defense-aware attacks 111The numbers of statistical test and classifier-base detection in the Table 2 are extracted from (Hosseini et al., 2019). Since the success rate of the attacks are close to 100, the undetected rate is roughly (1 - True Positive Rate).. In contrast, our proposed reconstruction-based detection mechanism has the best undetected rate in detecting defense-aware adversarial attacks and a very small undetected rate of in detecting CW attacks.

Figure 8: The human study results on SVHN. The maximal perturbation is 16/255.
Figure 9: Deflected adversarial attacks on SVHN and CIFAR-10. The maximal perturbation is 16/255 for SVHN and 25/255 for CIFAR-10.

5.8 Detection of black-box Attacks

To study the effectiveness of our detection mechanisms, we also test our models on black-box attacks. In Figure 7 we can see that the undetected rate when the inputs are black-box CC-PGD attacks is only half of that for white-box CC-PGD on both datasets. The highest undetected rate of a black-box attack is around on the CIFAR-10 dataset, which demonstrates that our detection mechanism can successfully detect black-box defense-aware attacks. In addition, the great gap of the success rate between white-box and black-box attacks shown in Table 5.6.1 indicates our defense model significantly reduces the transferability of all kinds of adversarial attacks.

6 Deflected Attacks

The numbers that we presented earlier in this paper have implicitly assumed all adversarial attacks still resemble the initial class, and therefore classifying them as the target class would constitute a mistake. This assumption may not be true in practice. We have discussed the ability of our model to deflect adversarial attacks by having adversarial gradients aligned with the class conditional data distribution, thereby making adversarial attacks resemble the target class. To quantify these claims we need to evaluate human performance on the adversarial attacks against our model.

6.1 Human Study on SVHN

To validate our claim that our method can deflect adversarial attacks, we performed a human study by using the Amazon Mechanical Turk web service to recruit participants and asked people to label SVHN digits. Each time, they were shown a single image which was randomly sampled from the following five different sets: 1) clean images from the SVHN test set, 2) and 3) the undetected and successful black-box and white-box PGD and CC-PGD adversarial attacks against our deflecting model, 4) and 5) the successful black-box and whilte-box PGD attacks generated to attack a standard CNN classifier222The CNN classifier has the same network architecture as the classification network in our deflecting model except that we replace the CapsLayer with a convolutional layer.. The maximal adversarial perturbation of all the norm-based attacks are bounded by the same . The recruiters were asked to classify each image as a digit between 0 and 9. If multiple digits occurred in one image, we asked people to label the digit closest to the center of the image. We did not limit the labelling time did not explain the purpose of this study to the users other than it was a research study. In this way, we had 1500 images labeled in total and each image was labeled by five different users. We then calculated the percentage of uniformly labeled images that were classified as either the original class or the adversarial target class. The results are summarized in Figure 9.

We can see that 69.7% of successful and undetected black-box attacks against our model were classified as the adversarial target. This means that when our defense is attacked with adversarial attacks generated within a standard bound, not only are the results visibly different than the source image, they resemble the target class. In this way, these attacks are successfully deflected and can hardly be said to be adversarial, as the network is classifying them the same way our human testers classified them. This is not the case for the baseline CNN model, where only 14.3% of the successful black-box PGD attacks were labeled as the target class. In addition, compared to the white-box attacks, more undetected and successful adversarial attacks generated under the black-box setting are deflected to resemble the target class. This suggests that to attack our deflecting model in a more practical setting (black-box), the attack ends up being deflected in order not to be detected, as shown in Figure 9.

6.2 Deflected Attacks on CIFAR-10

To show that our model can effectively deflect adversarial attacks on the CIFAR-10 dataset, we have chosen a deflected adversarial attack for each class with a maximal norm as 25/255, displayed in Figure 9. It is apparent that the clean input has been perturbed to have the representative features of the target class, in order to fool both the classifier and our detection mechanisms. As a result, these adversarial attacks are also successfully deflected by our model. Unlike SVHN, for which human evaluators reliably classified the attacks as the target label, the generated adversarial attacks against our deflecting model on the CIFAR-10 do not reliably resemble the target class, though they are much harder to identify than the clean data.

7 Conclusion

In this paper, we introduce a new approach that presents a step towards ending the battle between defenses and attacks by deflecting adversarial attacks. To this end, we propose a new cycle-consistency loss to encourage the winning-capsule reconstruction of the CapsNet to closely match the class-conditional distribution. With three detection mechanisms, we are able to detect standard adversarial attacks based on three different distance metrics with a low False Positive Rate on SVHN and CIFAR-10. To specifically attack our detection mechanisms, we propose a defense-aware attack and find that our model achieves drastically lower undetected rates for defense aware attacks compared to state-of-the-art methods. In addition, a large percentage of the undetected attacks are deflected by our model to resemble the adversarial target class, stop being adversarial any more. This is verified by a human study showing that 70% of the undetected black-box adversarial attacks are classified unanimously by humans as the target class on SVHN.

References

  • Athalye et al. (2018) Athalye, A., Carlini, N., and Wagner, D. A. Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In International Conference on Machine Learning, 2018.
  • Buckman et al. (2018) Buckman, J., Roy, A., Raffel, C., and Goodfellow, I. Thermometer encoding: One hot way to resist adversarial examples. In International Conference on Learning Representations, 2018.
  • Carlini & Wagner (2017a) Carlini, N. and Wagner, D. Adversarial examples are not easily detected: Bypassing ten detection methods. In

    Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security

    , pp. 3–14. ACM, 2017a.
  • Carlini & Wagner (2017b) Carlini, N. and Wagner, D.

    Towards evaluating the robustness of neural networks.

    In 2017 IEEE Symposium on Security and Privacy (SP), pp. 39–57. IEEE, 2017b.
  • Carlini et al. (2019) Carlini, N., Athalye, A., Papernot, N., Brendel, W., Rauber, J., Tsipras, D., Goodfellow, I., and Madry, A. On evaluating adversarial robustness. arXiv preprint arXiv:1902.06705, 2019.
  • Chen et al. (2018) Chen, P.-Y., Sharma, Y., Zhang, H., Yi, J., and Hsieh, C.-J. Ead: elastic-net attacks to deep neural networks via adversarial examples. In Thirty-second AAAI conference on artificial intelligence, 2018.
  • Feinman et al. (2017) Feinman, R., Curtin, R. R., Shintre, S., and Gardner, A. B. Detecting adversarial samples from artifacts. arXiv preprint arXiv:1703.00410, 2017.
  • Goodfellow et al. (2014) Goodfellow, I., Shlens, J., and Szegedy, C. Explaining and harnessing adversarial examples. In International Conference on Learning Representations, 2014.
  • Goodfellow et al. (2018) Goodfellow, I., Qin, Y., and Berthelot, D. Evaluation methodology for attacks against confidence thresholding models. 2018.
  • Grosse et al. (2017) Grosse, K., Manoharan, P., Papernot, N., Backes, M., and McDaniel, P. On the (statistical) detection of adversarial examples. arXiv preprint arXiv:1702.06280, 2017.
  • Hosseini et al. (2019) Hosseini, H., Kannan, S., and Poovendran, R. Are odds really odd? bypassing statistical detection of adversarial examples. arXiv preprint arXiv:1907.12138, 2019.
  • Kingma & Ba (2014) Kingma, D. P. and Ba, J. Adam: A method for stochastic optimization. In International Conference on Learning Representations, 2014.
  • Krizhevsky (2009) Krizhevsky, A. Learning multiple layers of features from tiny images. Technical report, University of Toronto, 2009.
  • Kurakin et al. (2016) Kurakin, A., Goodfellow, I., and Bengio, S. Adversarial examples in the physical world. In International Conference on Learning Representations, 2016.
  • Lee et al. (2018) Lee, K., Lee, K., Lee, H., and Shin, J. A simple unified framework for detecting out-of-distribution samples and adversarial attacks. In Advances in Neural Information Processing Systems, pp. 7167–7177, 2018.
  • Ma et al. (2018) Ma, X., Li, B., Wang, Y., Erfani, S. M., Wijewickrema, S., Schoenebeck, G., Song, D., Houle, M. E., and Bailey, J. Characterizing adversarial subspaces using local intrinsic dimensionality. In International Conference on Learning Representations, 2018.
  • Madry et al. (2017) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., and Vladu, A.

    Towards deep learning models resistant to adversarial attacks.

    In International Conference on Learning Representations, 2017.
  • Metzen et al. (2017) Metzen, J. H., Genewein, T., Fischer, V., and Bischoff, B. On detecting adversarial perturbations. arXiv preprint arXiv:1702.04267, 2017.
  • Netzer et al. (2011) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., and Ng, A. Y. Reading digits in natural images with unsupervised feature learning. In NIPS workshop on deep learning and unsupervised feature learning, volume 2011, pp.  5, 2011.
  • Qin et al. (2020) Qin, Y., Frosst, N., Sabour, S., Raffel, C., Cottrell, G., and Hinton, G. Detecting and diagnosing adversarial images with class-conditional capsule reconstructions. In International Conference on Learning Representations, 2020.
  • Roth et al. (2019) Roth, K., Kilcher, Y., and Hofmann, T.

    The odds are odd: A statistical test for detecting adversarial examples.

    In International Conference on Machine Learning, 2019.
  • Sabour et al. (2017) Sabour, S., Frosst, N., and Hinton, G. E. Dynamic routing between capsules. In Advances in Neural Information Processing Systems, pp. 3856–3866, 2017.
  • Song et al. (2017) Song, Y., Kim, T., Nowozin, S., Ermon, S., and Kushman, N. Pixeldefend: Leveraging generative models to understand and defend against adversarial examples. In International Conference on Learning Representations, 2017.
  • Szegedy et al. (2013) Szegedy, C., Zaremba, W., Sutskever, I., Bruna, J., Erhan, D., Goodfellow, I., and Fergus, R. Intriguing properties of neural networks. In International Conference on Learning Representations, 2013.
  • Yang et al. (2019) Yang, Y., Zhang, G., Katabi, D., and Xu, Z.

    Me-net: Towards effective adversarial robustness with matrix estimation.

    In International Conference on Machine Learning, 2019.

Appendix

Layer Name Configurations
Classification
Network
Conv

filter size: 3x3, number of filters: 64x4, stride size: 1x1,

activation: leaky relu

Conv
filter size: 3x3, number of filters: 64x8, stride size: 1x1,
activations: leaky relu
Avg Pooling pool size: 2x2, stride size: 2x2
Conv
filter size: 3x3, number of filters: 64x2, stride size: 1x1,
activation: leaky relu
Conv
filter size: 3x3, number of filters: 64x4, stride size: 1x1,
activation: leaky relu
Avg Pooling pool size: 2x2, stride size: 2x2
Conv
filter size: 3x3, number of filters: 64x1, stride size: 1x1,
activation: leaky relu
Conv
filter size: 3x3, number of filters: 64x2, stride size: 1x1,
activation: leaky relu
CapsLayer
number of input capsules: 16, input atoms: 512,
number of output capsules: 25, output atoms: 4,
number of dynamic routing: 1
Reconstruction
Network
fully connected input size: 100, output size:1024
fully connected input size: 1024, output size:16384
deconv filter size: 4x4, number of filters: 64, stride size: 2x2
deconv filter size: 4x4, number of filters: 32, stride size: 2x2
conv
filter size: 4x4 number of filters: 3, stride size: 1x1,
activation: sigmoid
Table 3: The network architecture for the SVHN dataset.
Layer Name Configurations
Classification
Network
Conv
filter size: 3x3, number of filters: 128x4, stride size: 1x1,
activation: leaky relu
Conv
filter size: 3x3, number of filters: 128x8, stride size: 1x1,
activations: leaky relu
Avg Pooling pool size: 2x2, stride size: 2x2
Conv
filter size: 3x3, number of filters: 128x2, stride size: 1x1,
activation: leaky relu
Conv
filter size: 3x3, number of filters: 128x4, stride size: 1x1,
activation: leaky relu
Avg Pooling pool size: 2x2, stride size: 2x2
Conv
filter size: 3x3, number of filters: 128x1, stride size: 1x1,
activation: leaky relu
Conv
filter size: 3x3, number of filters: 128x2, stride size: 1x1,
activation: leaky relu
CapsLayer
number of input capsules: 16, input atoms: 512,
number of output capsules: 25, output atoms: 8,
number of dynamic routing: 1
Reconstruction
Network
fully connected input size: 200, output size:1024
fully connected input size: 1024, output size:16384
deconv filter size: 4x4, number of filters: 64, stride size: 2x2
deconv filter size: 4x4, number of filters: 32, stride size: 2x2
conv
filter size: 4x4 number of filters: 3, stride size: 1x1,
activation: sigmoid
Table 4: The network architecture for the CIFAR-10 dataset.

Appendix A Model Architectures

The details of the network architecture for SVHN (Netzer et al., 2011) and CIFAR-10 (Krizhevsky, 2009) datasets are shown in Table 3 and Table 4.

Appendix B Ablation Study for Detection Methods

In Figure 10, we show the undetected rate of white-box EAD (Chen et al., 2018) and CW (Carlini & Wagner, 2017b) attacks flagged by different detectors versus the False Positive Rate (FPR) of the clean input. The combination of three detectors always works the best in detecting adversarial examples.

Figure 10: The Undetected Rate of different detectors for white-box attacks versus False Positive Rate (FPR) for clean input on the SVHN dataset. “All” denotes GTD, LBD and CCD are all used to detect adversarial attacks. The testing model is our deflecting model. The better detection mechanism has a smaller FPR for clean input and smaller undetected rate for attacks.

Appendix C Hyperparameters

As introduced in Section 4 in the main paper, we construct the defense-aware CC-PGD attack via minimizing the reconstruction loss, which is defined as:

(7)

where is the adversarial example, is the number of the classes in the dataset, is the winning-capsule reconstruction error and is the losing-capsule reconstruction error. The hyperparameters , and are used to balance the importance of attacking each detector. We set and then show the attack performance when we change (see Figure 11 (a)) and (see Figure 11 (b)).

We can see that when we set , the attack performance is the best (higher undetected rate at a low False Positive Rate). In addition, the attack performance of our CC-PGD is not sensitive to the hyperparameter . Therefore, we simply set , which is slightly better at a low False Positive Rate.

Figure 11: The undetected rate of our white-box defense-aware CC-PGD attack versus False Positive Rate (FPR) for clean input on the CIFAR-10 dataset when we change the hyperparameter in (a) and hyperparameter in (b). These hyperparameters control the importance of attacking each detector in Eqn. 7.

Appendix D Examples of Adversarial Attacks and Reconstructions

We display successful adversarial attacks but detected by our detection mechanism, and display all the reconstructions when the input are EAD attacks (on the left) and CW attacks (on the right) in Figure 12, PGD attacks (on the left) and our CC-PGD attacks (on the right) in Figure 13 for the SVHN dataset. We also show the successful and detected adversarial EAD attacks (on the left) and CW attacks (on the right) in Figure 14, PGD attacks (on the left) and our CC-PGD attacks (on the right) in Figure 15 for CIFAR-10 dataset.

Figure 12: Successful but detected adversarial EAD attacks (on the left) and CW attacks (on the right) and the corresponding capsule reconstructions on SVHN. The first column is the clean input, the second column is the adversarial example, the third column is the winning-capsule reconstruction, the last ten columns are the reconstructions corresponding to class 0 to 9.
Figure 13: Successful but detected adversarial PGD attacks (on the left) and our CC-PGD attacks (on the right) and the corresponding capsule reconstructions on SVHN. The first column is the clean input, the second column is the adversarial example, the third column is the winning-capsule reconstruction, the last ten columns are the reconstructions corresponding to class 0 to 9. The maximal bound to the adversarial perturbation is 16/255.
Figure 14: Successful but detected adversarial EAD attacks (on the left) and CW attacks (on the right) and the corresponding capsule reconstructions on CIFAR-10. The first column is the clean input, the second column is the adversarial example, the third column is the winning-capsule reconstruction, the last ten columns are the reconstructions corresponding to class 0 to 9.
Figure 15: Successful but detected adversarial PGD attacks (on the left) and our CC-PGD attacks (on the right) and the corresponding capsule reconstructions on CIFAR-10. The first column is the clean input, the second column is the adversarial example, the third column is the winning-capsule reconstruction, the last ten columns are the reconstructions corresponding to class 0 to 9. The maximal bound to the adversarial perturbation is 8/255.
Table 1: Success rate of the white-box and black-box attacks for our deflecting model.

6 Deflected Attacks

The numbers that we presented earlier in this paper have implicitly assumed all adversarial attacks still resemble the initial class, and therefore classifying them as the target class would constitute a mistake. This assumption may not be true in practice. We have discussed the ability of our model to deflect adversarial attacks by having adversarial gradients aligned with the class conditional data distribution, thereby making adversarial attacks resemble the target class. To quantify these claims we need to evaluate human performance on the adversarial attacks against our model.

6.1 Human Study on SVHN

To validate our claim that our method can deflect adversarial attacks, we performed a human study by using the Amazon Mechanical Turk web service to recruit participants and asked people to label SVHN digits. Each time, they were shown a single image which was randomly sampled from the following five different sets: 1) clean images from the SVHN test set, 2) and 3) the undetected and successful black-box and white-box PGD and CC-PGD adversarial attacks against our deflecting model, 4) and 5) the successful black-box and whilte-box PGD attacks generated to attack a standard CNN classifier222The CNN classifier has the same network architecture as the classification network in our deflecting model except that we replace the CapsLayer with a convolutional layer.. The maximal adversarial perturbation of all the norm-based attacks are bounded by the same . The recruiters were asked to classify each image as a digit between 0 and 9. If multiple digits occurred in one image, we asked people to label the digit closest to the center of the image. We did not limit the labelling time did not explain the purpose of this study to the users other than it was a research study. In this way, we had 1500 images labeled in total and each image was labeled by five different users. We then calculated the percentage of uniformly labeled images that were classified as either the original class or the adversarial target class. The results are summarized in Figure 9.

We can see that 69.7% of successful and undetected black-box attacks against our model were classified as the adversarial target. This means that when our defense is attacked with adversarial attacks generated within a standard bound, not only are the results visibly different than the source image, they resemble the target class. In this way, these attacks are successfully deflected and can hardly be said to be adversarial, as the network is classifying them the same way our human testers classified them. This is not the case for the baseline CNN model, where only 14.3% of the successful black-box PGD attacks were labeled as the target class. In addition, compared to the white-box attacks, more undetected and successful adversarial attacks generated under the black-box setting are deflected to resemble the target class. This suggests that to attack our deflecting model in a more practical setting (black-box), the attack ends up being deflected in order not to be detected, as shown in Figure 9.

6.2 Deflected Attacks on CIFAR-10

To show that our model can effectively deflect adversarial attacks on the CIFAR-10 dataset, we have chosen a deflected adversarial attack for each class with a maximal norm as 25/255, displayed in Figure 9. It is apparent that the clean input has been perturbed to have the representative features of the target class, in order to fool both the classifier and our detection mechanisms. As a result, these adversarial attacks are also successfully deflected by our model. Unlike SVHN, for which human evaluators reliably classified the attacks as the target label, the generated adversarial attacks against our deflecting model on the CIFAR-10 do not reliably resemble the target class, though they are much harder to identify than the clean data.

7 Conclusion

In this paper, we introduce a new approach that presents a step towards ending the battle between defenses and attacks by deflecting adversarial attacks. To this end, we propose a new cycle-consistency loss to encourage the winning-capsule reconstruction of the CapsNet to closely match the class-conditional distribution. With three detection mechanisms, we are able to detect standard adversarial attacks based on three different distance metrics with a low False Positive Rate on SVHN and CIFAR-10. To specifically attack our detection mechanisms, we propose a defense-aware attack and find that our model achieves drastically lower undetected rates for defense aware attacks compared to state-of-the-art methods. In addition, a large percentage of the undetected attacks are deflected by our model to resemble the adversarial target class, stop being adversarial any more. This is verified by a human study showing that 70% of the undetected black-box adversarial attacks are classified unanimously by humans as the target class on SVHN.

References

  • Athalye et al. (2018) Athalye, A., Carlini, N., and Wagner, D. A. Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In International Conference on Machine Learning, 2018.
  • Buckman et al. (2018) Buckman, J., Roy, A., Raffel, C., and Goodfellow, I. Thermometer encoding: One hot way to resist adversarial examples. In International Conference on Learning Representations, 2018.
  • Carlini & Wagner (2017a) Carlini, N. and Wagner, D. Adversarial examples are not easily detected: Bypassing ten detection methods. In

    Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security

    , pp. 3–14. ACM, 2017a.
  • Carlini & Wagner (2017b) Carlini, N. and Wagner, D.

    Towards evaluating the robustness of neural networks.

    In 2017 IEEE Symposium on Security and Privacy (SP), pp. 39–57. IEEE, 2017b.
  • Carlini et al. (2019) Carlini, N., Athalye, A., Papernot, N., Brendel, W., Rauber, J., Tsipras, D., Goodfellow, I., and Madry, A. On evaluating adversarial robustness. arXiv preprint arXiv:1902.06705, 2019.
  • Chen et al. (2018) Chen, P.-Y., Sharma, Y., Zhang, H., Yi, J., and Hsieh, C.-J. Ead: elastic-net attacks to deep neural networks via adversarial examples. In Thirty-second AAAI conference on artificial intelligence, 2018.
  • Feinman et al. (2017) Feinman, R., Curtin, R. R., Shintre, S., and Gardner, A. B. Detecting adversarial samples from artifacts. arXiv preprint arXiv:1703.00410, 2017.
  • Goodfellow et al. (2014) Goodfellow, I., Shlens, J., and Szegedy, C. Explaining and harnessing adversarial examples. In International Conference on Learning Representations, 2014.
  • Goodfellow et al. (2018) Goodfellow, I., Qin, Y., and Berthelot, D. Evaluation methodology for attacks against confidence thresholding models. 2018.
  • Grosse et al. (2017) Grosse, K., Manoharan, P., Papernot, N., Backes, M., and McDaniel, P. On the (statistical) detection of adversarial examples. arXiv preprint arXiv:1702.06280, 2017.
  • Hosseini et al. (2019) Hosseini, H., Kannan, S., and Poovendran, R. Are odds really odd? bypassing statistical detection of adversarial examples. arXiv preprint arXiv:1907.12138, 2019.
  • Kingma & Ba (2014) Kingma, D. P. and Ba, J. Adam: A method for stochastic optimization. In International Conference on Learning Representations, 2014.
  • Krizhevsky (2009) Krizhevsky, A. Learning multiple layers of features from tiny images. Technical report, University of Toronto, 2009.
  • Kurakin et al. (2016) Kurakin, A., Goodfellow, I., and Bengio, S. Adversarial examples in the physical world. In International Conference on Learning Representations, 2016.
  • Lee et al. (2018) Lee, K., Lee, K., Lee, H., and Shin, J. A simple unified framework for detecting out-of-distribution samples and adversarial attacks. In Advances in Neural Information Processing Systems, pp. 7167–7177, 2018.
  • Ma et al. (2018) Ma, X., Li, B., Wang, Y., Erfani, S. M., Wijewickrema, S., Schoenebeck, G., Song, D., Houle, M. E., and Bailey, J. Characterizing adversarial subspaces using local intrinsic dimensionality. In International Conference on Learning Representations, 2018.
  • Madry et al. (2017) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., and Vladu, A.

    Towards deep learning models resistant to adversarial attacks.

    In International Conference on Learning Representations, 2017.
  • Metzen et al. (2017) Metzen, J. H., Genewein, T., Fischer, V., and Bischoff, B. On detecting adversarial perturbations. arXiv preprint arXiv:1702.04267, 2017.
  • Netzer et al. (2011) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., and Ng, A. Y. Reading digits in natural images with unsupervised feature learning. In NIPS workshop on deep learning and unsupervised feature learning, volume 2011, pp.  5, 2011.
  • Qin et al. (2020) Qin, Y., Frosst, N., Sabour, S., Raffel, C., Cottrell, G., and Hinton, G. Detecting and diagnosing adversarial images with class-conditional capsule reconstructions. In International Conference on Learning Representations, 2020.
  • Roth et al. (2019) Roth, K., Kilcher, Y., and Hofmann, T.

    The odds are odd: A statistical test for detecting adversarial examples.

    In International Conference on Machine Learning, 2019.
  • Sabour et al. (2017) Sabour, S., Frosst, N., and Hinton, G. E. Dynamic routing between capsules. In Advances in Neural Information Processing Systems, pp. 3856–3866, 2017.
  • Song et al. (2017) Song, Y., Kim, T., Nowozin, S., Ermon, S., and Kushman, N. Pixeldefend: Leveraging generative models to understand and defend against adversarial examples. In International Conference on Learning Representations, 2017.
  • Szegedy et al. (2013) Szegedy, C., Zaremba, W., Sutskever, I., Bruna, J., Erhan, D., Goodfellow, I., and Fergus, R. Intriguing properties of neural networks. In International Conference on Learning Representations, 2013.
  • Yang et al. (2019) Yang, Y., Zhang, G., Katabi, D., and Xu, Z.

    Me-net: Towards effective adversarial robustness with matrix estimation.

    In International Conference on Machine Learning, 2019.

Appendix

Layer Name Configurations
Classification
Network
Conv

filter size: 3x3, number of filters: 64x4, stride size: 1x1,

activation: leaky relu

Conv
filter size: 3x3, number of filters: 64x8, stride size: 1x1,
activations: leaky relu
Avg Pooling pool size: 2x2, stride size: 2x2
Conv
filter size: 3x3, number of filters: 64x2, stride size: 1x1,
activation: leaky relu
Conv
filter size: 3x3, number of filters: 64x4, stride size: 1x1,
activation: leaky relu
Avg Pooling pool size: 2x2, stride size: 2x2
Conv
filter size: 3x3, number of filters: 64x1, stride size: 1x1,
activation: leaky relu
Conv
filter size: 3x3, number of filters: 64x2, stride size: 1x1,
activation: leaky relu
CapsLayer
number of input capsules: 16, input atoms: 512,
number of output capsules: 25, output atoms: 4,
number of dynamic routing: 1
Reconstruction
Network
fully connected input size: 100, output size:1024
fully connected input size: 1024, output size:16384
deconv filter size: 4x4, number of filters: 64, stride size: 2x2
deconv filter size: 4x4, number of filters: 32, stride size: 2x2
conv
filter size: 4x4 number of filters: 3, stride size: 1x1,
activation: sigmoid
Table 3: The network architecture for the SVHN dataset.
Layer Name Configurations
Classification
Network
Conv
filter size: 3x3, number of filters: 128x4, stride size: 1x1,
activation: leaky relu
Conv
filter size: 3x3, number of filters: 128x8, stride size: 1x1,
activations: leaky relu
Avg Pooling pool size: 2x2, stride size: 2x2
Conv
filter size: 3x3, number of filters: 128x2, stride size: 1x1,
activation: leaky relu
Conv
filter size: 3x3, number of filters: 128x4, stride size: 1x1,
activation: leaky relu
Avg Pooling pool size: 2x2, stride size: 2x2
Conv
filter size: 3x3, number of filters: 128x1, stride size: 1x1,
activation: leaky relu
Conv
filter size: 3x3, number of filters: 128x2, stride size: 1x1,
activation: leaky relu
CapsLayer
number of input capsules: 16, input atoms: 512,
number of output capsules: 25, output atoms: 8,
number of dynamic routing: 1
Reconstruction
Network
fully connected input size: 200, output size:1024
fully connected input size: 1024, output size:16384
deconv filter size: 4x4, number of filters: 64, stride size: 2x2
deconv filter size: 4x4, number of filters: 32, stride size: 2x2
conv
filter size: 4x4 number of filters: 3, stride size: 1x1,
activation: sigmoid
Table 4: The network architecture for the CIFAR-10 dataset.

Appendix A Model Architectures

The details of the network architecture for SVHN (Netzer et al., 2011) and CIFAR-10 (Krizhevsky, 2009) datasets are shown in Table 3 and Table 4.

Appendix B Ablation Study for Detection Methods

In Figure 10, we show the undetected rate of white-box EAD (Chen et al., 2018) and CW (Carlini & Wagner, 2017b) attacks flagged by different detectors versus the False Positive Rate (FPR) of the clean input. The combination of three detectors always works the best in detecting adversarial examples.

Figure 10: The Undetected Rate of different detectors for white-box attacks versus False Positive Rate (FPR) for clean input on the SVHN dataset. “All” denotes GTD, LBD and CCD are all used to detect adversarial attacks. The testing model is our deflecting model. The better detection mechanism has a smaller FPR for clean input and smaller undetected rate for attacks.

Appendix C Hyperparameters

As introduced in Section 4 in the main paper, we construct the defense-aware CC-PGD attack via minimizing the reconstruction loss, which is defined as:

(7)

where is the adversarial example, is the number of the classes in the dataset, is the winning-capsule reconstruction error and is the losing-capsule reconstruction error. The hyperparameters , and are used to balance the importance of attacking each detector. We set and then show the attack performance when we change (see Figure 11 (a)) and (see Figure 11 (b)).

We can see that when we set , the attack performance is the best (higher undetected rate at a low False Positive Rate). In addition, the attack performance of our CC-PGD is not sensitive to the hyperparameter . Therefore, we simply set , which is slightly better at a low False Positive Rate.

Figure 11: The undetected rate of our white-box defense-aware CC-PGD attack versus False Positive Rate (FPR) for clean input on the CIFAR-10 dataset when we change the hyperparameter in (a) and hyperparameter in (b). These hyperparameters control the importance of attacking each detector in Eqn. 7.

Appendix D Examples of Adversarial Attacks and Reconstructions

We display successful adversarial attacks but detected by our detection mechanism, and display all the reconstructions when the input are EAD attacks (on the left) and CW attacks (on the right) in Figure 12, PGD attacks (on the left) and our CC-PGD attacks (on the right) in Figure 13 for the SVHN dataset. We also show the successful and detected adversarial EAD attacks (on the left) and CW attacks (on the right) in Figure 14, PGD attacks (on the left) and our CC-PGD attacks (on the right) in Figure 15 for CIFAR-10 dataset.

Figure 12: Successful but detected adversarial EAD attacks (on the left) and CW attacks (on the right) and the corresponding capsule reconstructions on SVHN. The first column is the clean input, the second column is the adversarial example, the third column is the winning-capsule reconstruction, the last ten columns are the reconstructions corresponding to class 0 to 9.
Figure 13: Successful but detected adversarial PGD attacks (on the left) and our CC-PGD attacks (on the right) and the corresponding capsule reconstructions on SVHN. The first column is the clean input, the second column is the adversarial example, the third column is the winning-capsule reconstruction, the last ten columns are the reconstructions corresponding to class 0 to 9. The maximal bound to the adversarial perturbation is 16/255.
Figure 14: Successful but detected adversarial EAD attacks (on the left) and CW attacks (on the right) and the corresponding capsule reconstructions on CIFAR-10. The first column is the clean input, the second column is the adversarial example, the third column is the winning-capsule reconstruction, the last ten columns are the reconstructions corresponding to class 0 to 9.
Figure 15: Successful but detected adversarial PGD attacks (on the left) and our CC-PGD attacks (on the right) and the corresponding capsule reconstructions on CIFAR-10. The first column is the clean input, the second column is the adversarial example, the third column is the winning-capsule reconstruction, the last ten columns are the reconstructions corresponding to class 0 to 9. The maximal bound to the adversarial perturbation is 8/255.

7 Conclusion

In this paper, we introduce a new approach that presents a step towards ending the battle between defenses and attacks by deflecting adversarial attacks. To this end, we propose a new cycle-consistency loss to encourage the winning-capsule reconstruction of the CapsNet to closely match the class-conditional distribution. With three detection mechanisms, we are able to detect standard adversarial attacks based on three different distance metrics with a low False Positive Rate on SVHN and CIFAR-10. To specifically attack our detection mechanisms, we propose a defense-aware attack and find that our model achieves drastically lower undetected rates for defense aware attacks compared to state-of-the-art methods. In addition, a large percentage of the undetected attacks are deflected by our model to resemble the adversarial target class, stop being adversarial any more. This is verified by a human study showing that 70% of the undetected black-box adversarial attacks are classified unanimously by humans as the target class on SVHN.

References

  • Athalye et al. (2018) Athalye, A., Carlini, N., and Wagner, D. A. Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In International Conference on Machine Learning, 2018.
  • Buckman et al. (2018) Buckman, J., Roy, A., Raffel, C., and Goodfellow, I. Thermometer encoding: One hot way to resist adversarial examples. In International Conference on Learning Representations, 2018.
  • Carlini & Wagner (2017a) Carlini, N. and Wagner, D. Adversarial examples are not easily detected: Bypassing ten detection methods. In

    Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security

    , pp. 3–14. ACM, 2017a.
  • Carlini & Wagner (2017b) Carlini, N. and Wagner, D.

    Towards evaluating the robustness of neural networks.

    In 2017 IEEE Symposium on Security and Privacy (SP), pp. 39–57. IEEE, 2017b.
  • Carlini et al. (2019) Carlini, N., Athalye, A., Papernot, N., Brendel, W., Rauber, J., Tsipras, D., Goodfellow, I., and Madry, A. On evaluating adversarial robustness. arXiv preprint arXiv:1902.06705, 2019.
  • Chen et al. (2018) Chen, P.-Y., Sharma, Y., Zhang, H., Yi, J., and Hsieh, C.-J. Ead: elastic-net attacks to deep neural networks via adversarial examples. In Thirty-second AAAI conference on artificial intelligence, 2018.
  • Feinman et al. (2017) Feinman, R., Curtin, R. R., Shintre, S., and Gardner, A. B. Detecting adversarial samples from artifacts. arXiv preprint arXiv:1703.00410, 2017.
  • Goodfellow et al. (2014) Goodfellow, I., Shlens, J., and Szegedy, C. Explaining and harnessing adversarial examples. In International Conference on Learning Representations, 2014.
  • Goodfellow et al. (2018) Goodfellow, I., Qin, Y., and Berthelot, D. Evaluation methodology for attacks against confidence thresholding models. 2018.
  • Grosse et al. (2017) Grosse, K., Manoharan, P., Papernot, N., Backes, M., and McDaniel, P. On the (statistical) detection of adversarial examples. arXiv preprint arXiv:1702.06280, 2017.
  • Hosseini et al. (2019) Hosseini, H., Kannan, S., and Poovendran, R. Are odds really odd? bypassing statistical detection of adversarial examples. arXiv preprint arXiv:1907.12138, 2019.
  • Kingma & Ba (2014) Kingma, D. P. and Ba, J. Adam: A method for stochastic optimization. In International Conference on Learning Representations, 2014.
  • Krizhevsky (2009) Krizhevsky, A. Learning multiple layers of features from tiny images. Technical report, University of Toronto, 2009.
  • Kurakin et al. (2016) Kurakin, A., Goodfellow, I., and Bengio, S. Adversarial examples in the physical world. In International Conference on Learning Representations, 2016.
  • Lee et al. (2018) Lee, K., Lee, K., Lee, H., and Shin, J. A simple unified framework for detecting out-of-distribution samples and adversarial attacks. In Advances in Neural Information Processing Systems, pp. 7167–7177, 2018.
  • Ma et al. (2018) Ma, X., Li, B., Wang, Y., Erfani, S. M., Wijewickrema, S., Schoenebeck, G., Song, D., Houle, M. E., and Bailey, J. Characterizing adversarial subspaces using local intrinsic dimensionality. In International Conference on Learning Representations, 2018.
  • Madry et al. (2017) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., and Vladu, A.

    Towards deep learning models resistant to adversarial attacks.

    In International Conference on Learning Representations, 2017.
  • Metzen et al. (2017) Metzen, J. H., Genewein, T., Fischer, V., and Bischoff, B. On detecting adversarial perturbations. arXiv preprint arXiv:1702.04267, 2017.
  • Netzer et al. (2011) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., and Ng, A. Y. Reading digits in natural images with unsupervised feature learning. In NIPS workshop on deep learning and unsupervised feature learning, volume 2011, pp.  5, 2011.
  • Qin et al. (2020) Qin, Y., Frosst, N., Sabour, S., Raffel, C., Cottrell, G., and Hinton, G. Detecting and diagnosing adversarial images with class-conditional capsule reconstructions. In International Conference on Learning Representations, 2020.
  • Roth et al. (2019) Roth, K., Kilcher, Y., and Hofmann, T.

    The odds are odd: A statistical test for detecting adversarial examples.

    In International Conference on Machine Learning, 2019.
  • Sabour et al. (2017) Sabour, S., Frosst, N., and Hinton, G. E. Dynamic routing between capsules. In Advances in Neural Information Processing Systems, pp. 3856–3866, 2017.
  • Song et al. (2017) Song, Y., Kim, T., Nowozin, S., Ermon, S., and Kushman, N. Pixeldefend: Leveraging generative models to understand and defend against adversarial examples. In International Conference on Learning Representations, 2017.
  • Szegedy et al. (2013) Szegedy, C., Zaremba, W., Sutskever, I., Bruna, J., Erhan, D., Goodfellow, I., and Fergus, R. Intriguing properties of neural networks. In International Conference on Learning Representations, 2013.
  • Yang et al. (2019) Yang, Y., Zhang, G., Katabi, D., and Xu, Z.

    Me-net: Towards effective adversarial robustness with matrix estimation.

    In International Conference on Machine Learning, 2019.

Appendix

Layer Name Configurations
Classification
Network
Conv

filter size: 3x3, number of filters: 64x4, stride size: 1x1,

activation: leaky relu

Conv
filter size: 3x3, number of filters: 64x8, stride size: 1x1,
activations: leaky relu
Avg Pooling pool size: 2x2, stride size: 2x2
Conv
filter size: 3x3, number of filters: 64x2, stride size: 1x1,
activation: leaky relu
Conv
filter size: 3x3, number of filters: 64x4, stride size: 1x1,
activation: leaky relu
Avg Pooling pool size: 2x2, stride size: 2x2
Conv
filter size: 3x3, number of filters: 64x1, stride size: 1x1,
activation: leaky relu
Conv
filter size: 3x3, number of filters: 64x2, stride size: 1x1,
activation: leaky relu
CapsLayer
number of input capsules: 16, input atoms: 512,
number of output capsules: 25, output atoms: 4,
number of dynamic routing: 1
Reconstruction
Network
fully connected input size: 100, output size:1024
fully connected input size: 1024, output size:16384
deconv filter size: 4x4, number of filters: 64, stride size: 2x2
deconv filter size: 4x4, number of filters: 32, stride size: 2x2
conv
filter size: 4x4 number of filters: 3, stride size: 1x1,
activation: sigmoid
Table 3: The network architecture for the SVHN dataset.
Layer Name Configurations
Classification
Network
Conv
filter size: 3x3, number of filters: 128x4, stride size: 1x1,
activation: leaky relu
Conv
filter size: 3x3, number of filters: 128x8, stride size: 1x1,
activations: leaky relu
Avg Pooling pool size: 2x2, stride size: 2x2
Conv
filter size: 3x3, number of filters: 128x2, stride size: 1x1,
activation: leaky relu
Conv
filter size: 3x3, number of filters: 128x4, stride size: 1x1,
activation: leaky relu
Avg Pooling pool size: 2x2, stride size: 2x2
Conv
filter size: 3x3, number of filters: 128x1, stride size: 1x1,
activation: leaky relu
Conv
filter size: 3x3, number of filters: 128x2, stride size: 1x1,
activation: leaky relu
CapsLayer
number of input capsules: 16, input atoms: 512,
number of output capsules: 25, output atoms: 8,
number of dynamic routing: 1
Reconstruction
Network
fully connected input size: 200, output size:1024
fully connected input size: 1024, output size:16384
deconv filter size: 4x4, number of filters: 64, stride size: 2x2
deconv filter size: 4x4, number of filters: 32, stride size: 2x2
conv
filter size: 4x4 number of filters: 3, stride size: 1x1,
activation: sigmoid
Table 4: The network architecture for the CIFAR-10 dataset.

Appendix A Model Architectures

The details of the network architecture for SVHN (Netzer et al., 2011) and CIFAR-10 (Krizhevsky, 2009) datasets are shown in Table 3 and Table 4.

Appendix B Ablation Study for Detection Methods

In Figure 10, we show the undetected rate of white-box EAD (Chen et al., 2018) and CW (Carlini & Wagner, 2017b) attacks flagged by different detectors versus the False Positive Rate (FPR) of the clean input. The combination of three detectors always works the best in detecting adversarial examples.

Figure 10: The Undetected Rate of different detectors for white-box attacks versus False Positive Rate (FPR) for clean input on the SVHN dataset. “All” denotes GTD, LBD and CCD are all used to detect adversarial attacks. The testing model is our deflecting model. The better detection mechanism has a smaller FPR for clean input and smaller undetected rate for attacks.

Appendix C Hyperparameters

As introduced in Section 4 in the main paper, we construct the defense-aware CC-PGD attack via minimizing the reconstruction loss, which is defined as:

(7)

where is the adversarial example, is the number of the classes in the dataset, is the winning-capsule reconstruction error and is the losing-capsule reconstruction error. The hyperparameters , and are used to balance the importance of attacking each detector. We set and then show the attack performance when we change (see Figure 11 (a)) and (see Figure 11 (b)).

We can see that when we set , the attack performance is the best (higher undetected rate at a low False Positive Rate). In addition, the attack performance of our CC-PGD is not sensitive to the hyperparameter . Therefore, we simply set , which is slightly better at a low False Positive Rate.

Figure 11: The undetected rate of our white-box defense-aware CC-PGD attack versus False Positive Rate (FPR) for clean input on the CIFAR-10 dataset when we change the hyperparameter in (a) and hyperparameter in (b). These hyperparameters control the importance of attacking each detector in Eqn. 7.

Appendix D Examples of Adversarial Attacks and Reconstructions

We display successful adversarial attacks but detected by our detection mechanism, and display all the reconstructions when the input are EAD attacks (on the left) and CW attacks (on the right) in Figure 12, PGD attacks (on the left) and our CC-PGD attacks (on the right) in Figure 13 for the SVHN dataset. We also show the successful and detected adversarial EAD attacks (on the left) and CW attacks (on the right) in Figure 14, PGD attacks (on the left) and our CC-PGD attacks (on the right) in Figure 15 for CIFAR-10 dataset.

Figure 12: Successful but detected adversarial EAD attacks (on the left) and CW attacks (on the right) and the corresponding capsule reconstructions on SVHN. The first column is the clean input, the second column is the adversarial example, the third column is the winning-capsule reconstruction, the last ten columns are the reconstructions corresponding to class 0 to 9.
Figure 13: Successful but detected adversarial PGD attacks (on the left) and our CC-PGD attacks (on the right) and the corresponding capsule reconstructions on SVHN. The first column is the clean input, the second column is the adversarial example, the third column is the winning-capsule reconstruction, the last ten columns are the reconstructions corresponding to class 0 to 9. The maximal bound to the adversarial perturbation is 16/255.
Figure 14: Successful but detected adversarial EAD attacks (on the left) and CW attacks (on the right) and the corresponding capsule reconstructions on CIFAR-10. The first column is the clean input, the second column is the adversarial example, the third column is the winning-capsule reconstruction, the last ten columns are the reconstructions corresponding to class 0 to 9.
Figure 15: Successful but detected adversarial PGD attacks (on the left) and our CC-PGD attacks (on the right) and the corresponding capsule reconstructions on CIFAR-10. The first column is the clean input, the second column is the adversarial example, the third column is the winning-capsule reconstruction, the last ten columns are the reconstructions corresponding to class 0 to 9. The maximal bound to the adversarial perturbation is 8/255.

References

  • Athalye et al. (2018) Athalye, A., Carlini, N., and Wagner, D. A. Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In International Conference on Machine Learning, 2018.
  • Buckman et al. (2018) Buckman, J., Roy, A., Raffel, C., and Goodfellow, I. Thermometer encoding: One hot way to resist adversarial examples. In International Conference on Learning Representations, 2018.
  • Carlini & Wagner (2017a) Carlini, N. and Wagner, D. Adversarial examples are not easily detected: Bypassing ten detection methods. In

    Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security

    , pp. 3–14. ACM, 2017a.
  • Carlini & Wagner (2017b) Carlini, N. and Wagner, D.

    Towards evaluating the robustness of neural networks.

    In 2017 IEEE Symposium on Security and Privacy (SP), pp. 39–57. IEEE, 2017b.
  • Carlini et al. (2019) Carlini, N., Athalye, A., Papernot, N., Brendel, W., Rauber, J., Tsipras, D., Goodfellow, I., and Madry, A. On evaluating adversarial robustness. arXiv preprint arXiv:1902.06705, 2019.
  • Chen et al. (2018) Chen, P.-Y., Sharma, Y., Zhang, H., Yi, J., and Hsieh, C.-J. Ead: elastic-net attacks to deep neural networks via adversarial examples. In Thirty-second AAAI conference on artificial intelligence, 2018.
  • Feinman et al. (2017) Feinman, R., Curtin, R. R., Shintre, S., and Gardner, A. B. Detecting adversarial samples from artifacts. arXiv preprint arXiv:1703.00410, 2017.
  • Goodfellow et al. (2014) Goodfellow, I., Shlens, J., and Szegedy, C. Explaining and harnessing adversarial examples. In International Conference on Learning Representations, 2014.
  • Goodfellow et al. (2018) Goodfellow, I., Qin, Y., and Berthelot, D. Evaluation methodology for attacks against confidence thresholding models. 2018.
  • Grosse et al. (2017) Grosse, K., Manoharan, P., Papernot, N., Backes, M., and McDaniel, P. On the (statistical) detection of adversarial examples. arXiv preprint arXiv:1702.06280, 2017.
  • Hosseini et al. (2019) Hosseini, H., Kannan, S., and Poovendran, R. Are odds really odd? bypassing statistical detection of adversarial examples. arXiv preprint arXiv:1907.12138, 2019.
  • Kingma & Ba (2014) Kingma, D. P. and Ba, J. Adam: A method for stochastic optimization. In International Conference on Learning Representations, 2014.
  • Krizhevsky (2009) Krizhevsky, A. Learning multiple layers of features from tiny images. Technical report, University of Toronto, 2009.
  • Kurakin et al. (2016) Kurakin, A., Goodfellow, I., and Bengio, S. Adversarial examples in the physical world. In International Conference on Learning Representations, 2016.
  • Lee et al. (2018) Lee, K., Lee, K., Lee, H., and Shin, J. A simple unified framework for detecting out-of-distribution samples and adversarial attacks. In Advances in Neural Information Processing Systems, pp. 7167–7177, 2018.
  • Ma et al. (2018) Ma, X., Li, B., Wang, Y., Erfani, S. M., Wijewickrema, S., Schoenebeck, G., Song, D., Houle, M. E., and Bailey, J. Characterizing adversarial subspaces using local intrinsic dimensionality. In International Conference on Learning Representations, 2018.
  • Madry et al. (2017) Madry, A., Makelov, A., Schmidt, L., Tsipras, D., and Vladu, A.

    Towards deep learning models resistant to adversarial attacks.

    In International Conference on Learning Representations, 2017.
  • Metzen et al. (2017) Metzen, J. H., Genewein, T., Fischer, V., and Bischoff, B. On detecting adversarial perturbations. arXiv preprint arXiv:1702.04267, 2017.
  • Netzer et al. (2011) Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., and Ng, A. Y. Reading digits in natural images with unsupervised feature learning. In NIPS workshop on deep learning and unsupervised feature learning, volume 2011, pp.  5, 2011.
  • Qin et al. (2020) Qin, Y., Frosst, N., Sabour, S., Raffel, C., Cottrell, G., and Hinton, G. Detecting and diagnosing adversarial images with class-conditional capsule reconstructions. In International Conference on Learning Representations, 2020.
  • Roth et al. (2019) Roth, K., Kilcher, Y., and Hofmann, T.

    The odds are odd: A statistical test for detecting adversarial examples.

    In International Conference on Machine Learning, 2019.
  • Sabour et al. (2017) Sabour, S., Frosst, N., and Hinton, G. E. Dynamic routing between capsules. In Advances in Neural Information Processing Systems, pp. 3856–3866, 2017.
  • Song et al. (2017) Song, Y., Kim, T., Nowozin, S., Ermon, S., and Kushman, N. Pixeldefend: Leveraging generative models to understand and defend against adversarial examples. In International Conference on Learning Representations, 2017.
  • Szegedy et al. (2013) Szegedy, C., Zaremba, W., Sutskever, I., Bruna, J., Erhan, D., Goodfellow, I., and Fergus, R. Intriguing properties of neural networks. In International Conference on Learning Representations, 2013.
  • Yang et al. (2019) Yang, Y., Zhang, G., Katabi, D., and Xu, Z.

    Me-net: Towards effective adversarial robustness with matrix estimation.

    In International Conference on Machine Learning, 2019.

Appendix

Layer Name Configurations
Classification
Network
Conv

filter size: 3x3, number of filters: 64x4, stride size: 1x1,

activation: leaky relu

Conv
filter size: 3x3, number of filters: 64x8, stride size: 1x1,
activations: leaky relu
Avg Pooling pool size: 2x2, stride size: 2x2
Conv
filter size: 3x3, number of filters: 64x2, stride size: 1x1,
activation: leaky relu
Conv
filter size: 3x3, number of filters: 64x4, stride size: 1x1,
activation: leaky relu
Avg Pooling pool size: 2x2, stride size: 2x2
Conv
filter size: 3x3, number of filters: 64x1, stride size: 1x1,
activation: leaky relu
Conv
filter size: 3x3, number of filters: 64x2, stride size: 1x1,
activation: leaky relu
CapsLayer
number of input capsules: 16, input atoms: 512,
number of output capsules: 25, output atoms: 4,
number of dynamic routing: 1
Reconstruction
Network
fully connected input size: 100, output size:1024
fully connected input size: 1024, output size:16384
deconv filter size: 4x4, number of filters: 64, stride size: 2x2
deconv filter size: 4x4, number of filters: 32, stride size: 2x2
conv
filter size: 4x4 number of filters: 3, stride size: 1x1,
activation: sigmoid
Table 3: The network architecture for the SVHN dataset.
Layer Name Configurations
Classification
Network
Conv
filter size: 3x3, number of filters: 128x4, stride size: 1x1,
activation: leaky relu
Conv
filter size: 3x3, number of filters: 128x8, stride size: 1x1,
activations: leaky relu
Avg Pooling pool size: 2x2, stride size: 2x2
Conv
filter size: 3x3, number of filters: 128x2, stride size: 1x1,
activation: leaky relu
Conv
filter size: 3x3, number of filters: 128x4, stride size: 1x1,
activation: leaky relu
Avg Pooling pool size: 2x2, stride size: 2x2
Conv
filter size: 3x3, number of filters: 128x1, stride size: 1x1,
activation: leaky relu
Conv
filter size: 3x3, number of filters: 128x2, stride size: 1x1,
activation: leaky relu
CapsLayer
number of input capsules: 16, input atoms: 512,
number of output capsules: 25, output atoms: 8,
number of dynamic routing: 1
Reconstruction
Network
fully connected input size: 200, output size:1024
fully connected input size: 1024, output size:16384
deconv filter size: 4x4, number of filters: 64, stride size: 2x2
deconv filter size: 4x4, number of filters: 32, stride size: 2x2
conv
filter size: 4x4 number of filters: 3, stride size: 1x1,
activation: sigmoid
Table 4: The network architecture for the CIFAR-10 dataset.

Appendix A Model Architectures

The details of the network architecture for SVHN (Netzer et al., 2011) and CIFAR-10 (Krizhevsky, 2009) datasets are shown in Table 3 and Table 4.

Appendix B Ablation Study for Detection Methods

In Figure 10, we show the undetected rate of white-box EAD (Chen et al., 2018) and CW (Carlini & Wagner, 2017b) attacks flagged by different detectors versus the False Positive Rate (FPR) of the clean input. The combination of three detectors always works the best in detecting adversarial examples.

Figure 10: The Undetected Rate of different detectors for white-box attacks versus False Positive Rate (FPR) for clean input on the SVHN dataset. “All” denotes GTD, LBD and CCD are all used to detect adversarial attacks. The testing model is our deflecting model. The better detection mechanism has a smaller FPR for clean input and smaller undetected rate for attacks.

Appendix C Hyperparameters

As introduced in Section 4 in the main paper, we construct the defense-aware CC-PGD attack via minimizing the reconstruction loss, which is defined as:

(7)

where is the adversarial example, is the number of the classes in the dataset, is the winning-capsule reconstruction error and is the losing-capsule reconstruction error. The hyperparameters , and are used to balance the importance of attacking each detector. We set and then show the attack performance when we change (see Figure 11 (a)) and (see Figure 11 (b)).

We can see that when we set , the attack performance is the best (higher undetected rate at a low False Positive Rate). In addition, the attack performance of our CC-PGD is not sensitive to the hyperparameter . Therefore, we simply set , which is slightly better at a low False Positive Rate.

Figure 11: The undetected rate of our white-box defense-aware CC-PGD attack versus False Positive Rate (FPR) for clean input on the CIFAR-10 dataset when we change the hyperparameter in (a) and hyperparameter in (b). These hyperparameters control the importance of attacking each detector in Eqn. 7.

Appendix D Examples of Adversarial Attacks and Reconstructions

We display successful adversarial attacks but detected by our detection mechanism, and display all the reconstructions when the input are EAD attacks (on the left) and CW attacks (on the right) in Figure 12, PGD attacks (on the left) and our CC-PGD attacks (on the right) in Figure 13 for the SVHN dataset. We also show the successful and detected adversarial EAD attacks (on the left) and CW attacks (on the right) in Figure 14, PGD attacks (on the left) and our CC-PGD attacks (on the right) in Figure 15 for CIFAR-10 dataset.

Figure 12: Successful but detected adversarial EAD attacks (on the left) and CW attacks (on the right) and the corresponding capsule reconstructions on SVHN. The first column is the clean input, the second column is the adversarial example, the third column is the winning-capsule reconstruction, the last ten columns are the reconstructions corresponding to class 0 to 9.
Figure 13: Successful but detected adversarial PGD attacks (on the left) and our CC-PGD attacks (on the right) and the corresponding capsule reconstructions on SVHN. The first column is the clean input, the second column is the adversarial example, the third column is the winning-capsule reconstruction, the last ten columns are the reconstructions corresponding to class 0 to 9. The maximal bound to the adversarial perturbation is 16/255.
Figure 14: Successful but detected adversarial EAD attacks (on the left) and CW attacks (on the right) and the corresponding capsule reconstructions on CIFAR-10. The first column is the clean input, the second column is the adversarial example, the third column is the winning-capsule reconstruction, the last ten columns are the reconstructions corresponding to class 0 to 9.
Figure 15: Successful but detected adversarial PGD attacks (on the left) and our CC-PGD attacks (on the right) and the corresponding capsule reconstructions on CIFAR-10. The first column is the clean input, the second column is the adversarial example, the third column is the winning-capsule reconstruction, the last ten columns are the reconstructions corresponding to class 0 to 9. The maximal bound to the adversarial perturbation is 8/255.

Appendix A Model Architectures

The details of the network architecture for SVHN (Netzer et al., 2011) and CIFAR-10 (Krizhevsky, 2009) datasets are shown in Table 3 and Table 4.

Appendix B Ablation Study for Detection Methods

In Figure 10, we show the undetected rate of white-box EAD (Chen et al., 2018) and CW (Carlini & Wagner, 2017b) attacks flagged by different detectors versus the False Positive Rate (FPR) of the clean input. The combination of three detectors always works the best in detecting adversarial examples.

Figure 10: The Undetected Rate of different detectors for white-box attacks versus False Positive Rate (FPR) for clean input on the SVHN dataset. “All” denotes GTD, LBD and CCD are all used to detect adversarial attacks. The testing model is our deflecting model. The better detection mechanism has a smaller FPR for clean input and smaller undetected rate for attacks.

Appendix C Hyperparameters

As introduced in Section 4 in the main paper, we construct the defense-aware CC-PGD attack via minimizing the reconstruction loss, which is defined as:

(7)

where is the adversarial example, is the number of the classes in the dataset, is the winning-capsule reconstruction error and is the losing-capsule reconstruction error. The hyperparameters , and are used to balance the importance of attacking each detector. We set and then show the attack performance when we change (see Figure 11 (a)) and (see Figure 11 (b)).

We can see that when we set , the attack performance is the best (higher undetected rate at a low False Positive Rate). In addition, the attack performance of our CC-PGD is not sensitive to the hyperparameter . Therefore, we simply set , which is slightly better at a low False Positive Rate.

Figure 11: The undetected rate of our white-box defense-aware CC-PGD attack versus False Positive Rate (FPR) for clean input on the CIFAR-10 dataset when we change the hyperparameter in (a) and hyperparameter in (b). These hyperparameters control the importance of attacking each detector in Eqn. 7.

Appendix D Examples of Adversarial Attacks and Reconstructions

We display successful adversarial attacks but detected by our detection mechanism, and display all the reconstructions when the input are EAD attacks (on the left) and CW attacks (on the right) in Figure 12, PGD attacks (on the left) and our CC-PGD attacks (on the right) in Figure 13 for the SVHN dataset. We also show the successful and detected adversarial EAD attacks (on the left) and CW attacks (on the right) in Figure 14, PGD attacks (on the left) and our CC-PGD attacks (on the right) in Figure 15 for CIFAR-10 dataset.

Figure 12: Successful but detected adversarial EAD attacks (on the left) and CW attacks (on the right) and the corresponding capsule reconstructions on SVHN. The first column is the clean input, the second column is the adversarial example, the third column is the winning-capsule reconstruction, the last ten columns are the reconstructions corresponding to class 0 to 9.
Figure 13: Successful but detected adversarial PGD attacks (on the left) and our CC-PGD attacks (on the right) and the corresponding capsule reconstructions on SVHN. The first column is the clean input, the second column is the adversarial example, the third column is the winning-capsule reconstruction, the last ten columns are the reconstructions corresponding to class 0 to 9. The maximal bound to the adversarial perturbation is 16/255.
Figure 14: Successful but detected adversarial EAD attacks (on the left) and CW attacks (on the right) and the corresponding capsule reconstructions on CIFAR-10. The first column is the clean input, the second column is the adversarial example, the third column is the winning-capsule reconstruction, the last ten columns are the reconstructions corresponding to class 0 to 9.
Figure 15: Successful but detected adversarial PGD attacks (on the left) and our CC-PGD attacks (on the right) and the corresponding capsule reconstructions on CIFAR-10. The first column is the clean input, the second column is the adversarial example, the third column is the winning-capsule reconstruction, the last ten columns are the reconstructions corresponding to class 0 to 9. The maximal bound to the adversarial perturbation is 8/255.