Dual Graphs of Polyhedral Decompositions for the Detection of Adversarial Attacks

Title: Dual Graphs of Polyhedral Decompositions for the Detection of Adversarial Attacks
Publication Type: Conference Paper
Year of Publication: 2022
Authors: Jamil, Huma; Liu, Yajing; Cole, Christina; Blanchard, Nathaniel; King, Emily J.; Kirby, Michael; Peterson, Christopher
Conference Name: 2022 IEEE International Conference on Big Data (Big Data)
Date Published: dec
Keywords: adversarial attack, Big Data, bit vectors, composability, convex polyhedra, DAmageNet, decomposition, Detectors, digital images, dual graph, ensemble voting, FGSM, Firing, Hamming distance, Hamming graph, Human Behavior, Image edge detection, Metrics, network architecture, Neural networks, polyhedral decomposition, pubcrawl, ResNet
Abstract: Previous work has shown that a neural network with the rectified linear unit (ReLU) activation function leads to a convex polyhedral decomposition of the input space. These decompositions can be represented by a dual graph with vertices corresponding to polyhedra and edges corresponding to polyhedra sharing a facet, which is a subgraph of a Hamming graph. This paper illustrates how one can utilize the dual graph to detect and analyze adversarial attacks in the context of digital images. When an image passes through a network containing ReLU nodes, the firing or non-firing at a node can be encoded as a bit (1 for ReLU activation, 0 for ReLU non-activation). The sequence of all bit activations identifies the image with a bit vector, which identifies it with a polyhedron in the decomposition and, in turn, identifies it with a vertex in the dual graph. We identify ReLU bits that are discriminators between non-adversarial and adversarial images and examine how well collections of these discriminators can ensemble vote to build an adversarial image detector. Specifically, we examine the similarities and differences of ReLU bit vectors for adversarial images, and their non-adversarial counterparts, using a pre-trained ResNet-50 architecture. While this paper focuses on adversarial digital images, ResNet-50 architecture, and the ReLU activation function, our methods extend to other network architectures, activation functions, and types of datasets.
DOI: 10.1109/BigData55660.2022.10020880
Citation Key: jamil_dual_2022