SentiNet is a novel detection framework for localized universal attacks on neural networks. These attacks restrict adversarial noise to contiguous portions of an image and are reusable with different images—constraints that prove useful for generating physically-realizable attacks. Unlike most other works on adversarial detection, SentiNet does not require training a model or preknowledge of an attack prior to detection. Our approach is appealing due to the large number of possible mechanisms and attack-vectors that an attack-specific defense would have to consider. By leveraging the neural network’s susceptibility to attacks and by using techniques from model interpretability and object detection as detection mechanisms, SentiNet turns a weakness of a model into a strength. We demonstrate the effectiveness of SentiNet on three different attacks—i.e., data poisoning attacks, trojaned networks, and adversarial patches (including physically realizable attacks)—and show that our defense is able to achieve very competitive performance metrics for all three threats. Finally, we show that SentiNet is robust against strong adaptive adversaries, who build adversarial patches that specifically target the components of SentiNet’s architecture.
History
Preferred Citation
Edward Chou, Florian Tramer and Giancarlo Pellegrino. SentiNet: Detecting Localized Universal Attack Against Deep Learning Systems. In: Deep Learning and Security Workshop (DLS) (DLS). 2020.
Primary Research Area
Trustworthy Information Processing
Name of Conference
Deep Learning and Security Workshop (DLS) (DLS)
Legacy Posted Date
2020-09-25
Open Access Type
Unknown
BibTeX
@inproceedings{cispa_all_3223,
title = "SentiNet: Detecting Localized Universal Attack Against Deep Learning Systems",
author = "Chou, Edward and Tramer, Florian and Pellegrino, Giancarlo",
booktitle="{Deep Learning and Security Workshop (DLS) (DLS)}",
year="2020",
}