Defense Against Adversarial Images Using Web-Scale Nearest-Neighbor Search

Title: Defense Against Adversarial Images Using Web-Scale Nearest-Neighbor Search
Publication Type: Conference Paper
Year of Publication: 2019
Authors: Dubey, Abhimanyu; Maaten, Laurens van der; Yalniz, Zeki; Li, Yixuan; Mahajan, Dhruv
Conference Name: 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR)
Date Published: June
Keywords: adversarial image, adversarial perturbations, Big Data, convolutional networks, convolutional neural nets, data distribution, Datasets and Evaluation, Deep Learning, image manifold, image representation, ImageNet, Internet, Large Scale Methods, Measurement, Metrics, nearest neighbor search, nearest neighbour methods, nearest-neighbor defense settings, pubcrawl, representation learning, security of data, visual databases, Visual Reasoning, Web-scale image database, Web-scale nearest-neighbor search
Abstract: A plethora of recent work has shown that convolutional networks are not robust to adversarial images: images that are created by perturbing a sample from the data distribution so as to maximize the loss on the perturbed example. In this work, we hypothesize that adversarial perturbations move the image away from the image manifold in the sense that there exists no physical process that could have produced the adversarial image. This hypothesis suggests that a successful defense mechanism against adversarial images should aim to project the images back onto the image manifold. We study such defense mechanisms, which approximate the projection onto the unknown image manifold by a nearest-neighbor search against a web-scale image database containing tens of billions of images. Empirical evaluations of this defense strategy on ImageNet suggest that it is very effective in attack settings in which the adversary does not have access to the image database. We also propose two novel attack methods to break nearest-neighbor defense settings and show conditions under which nearest-neighbor defense fails. We perform a series of ablation experiments, which suggest that there is a trade-off between robustness and accuracy as we use features from deeper in the network, that a large index size (hundreds of millions) is crucial to get good performance, and that careful construction of the database is crucial for robustness against nearest-neighbor attacks.
DOI: 10.1109/CVPR.2019.00897
Citation Key: dubey_defense_2019