TY - GEN
T1 - Defending against Adversarial Patches using Dimensionality Reduction
AU - Chattopadhyay, Nandish
AU - Guesmi, Amira
AU - Hanif, Muhammad Abdullah
AU - Ouni, Bassem
AU - Shafique, Muhammad
N1 - Publisher Copyright:
© 2024 Copyright is held by the owner/author(s). Publication rights licensed to ACM.
PY - 2024/11/7
Y1 - 2024/11/7
N2 - Adversarial patch-based attacks have been shown to be a major deterrent to the reliable use of machine learning models. These attacks involve the strategic modification of localized patches or specific image areas to deceive trained machine learning models. In this paper, we propose DefensiveDR, a practical mechanism using a dimensionality reduction technique to thwart such patch-based attacks. Our method involves projecting the sample images onto a lower-dimensional space while retaining essential information or variability for effective machine learning tasks. We perform this using two techniques, Singular Value Decomposition and t-Distributed Stochastic Neighbor Embedding. We experimentally tune the variability to be preserved for optimal performance as a hyper-parameter. This dimension reduction substantially mitigates adversarial perturbations, thereby enhancing the robustness of the given machine learning model. Our defense is model-agnostic and operates without assumptions about access to model decisions or model architectures, making it effective in both black-box and white-box settings. Furthermore, it maintains accuracy across various models and remains robust against several unseen patch-based attacks. The proposed defensive approach improves the accuracy from 38.8% (without defense) to 66.2% (with defense) under LaVAN and GoogleAp attacks, surpassing that of prominent state-of-the-art defenses such as LGS [19] (53.86%) and Jujutsu [7] (60%).
AB - Adversarial patch-based attacks have been shown to be a major deterrent to the reliable use of machine learning models. These attacks involve the strategic modification of localized patches or specific image areas to deceive trained machine learning models. In this paper, we propose DefensiveDR, a practical mechanism using a dimensionality reduction technique to thwart such patch-based attacks. Our method involves projecting the sample images onto a lower-dimensional space while retaining essential information or variability for effective machine learning tasks. We perform this using two techniques, Singular Value Decomposition and t-Distributed Stochastic Neighbor Embedding. We experimentally tune the variability to be preserved for optimal performance as a hyper-parameter. This dimension reduction substantially mitigates adversarial perturbations, thereby enhancing the robustness of the given machine learning model. Our defense is model-agnostic and operates without assumptions about access to model decisions or model architectures, making it effective in both black-box and white-box settings. Furthermore, it maintains accuracy across various models and remains robust against several unseen patch-based attacks. The proposed defensive approach improves the accuracy from 38.8% (without defense) to 66.2% (with defense) under LaVAN and GoogleAp attacks, surpassing that of prominent state-of-the-art defenses such as LGS [19] (53.86%) and Jujutsu [7] (60%).
KW - Adversarial attacks
KW - SVD
KW - adversarial patches
KW - defenses
KW - dimensionality reduction
KW - t-SNE
UR - http://www.scopus.com/inward/record.url?scp=85211146367&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85211146367&partnerID=8YFLogxK
U2 - 10.1145/3649329.3656501
DO - 10.1145/3649329.3656501
M3 - Conference contribution
AN - SCOPUS:85211146367
T3 - Proceedings - Design Automation Conference
BT - Proceedings of the 61st ACM/IEEE Design Automation Conference, DAC 2024
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 61st ACM/IEEE Design Automation Conference, DAC 2024
Y2 - 23 June 2024 through 27 June 2024
ER -