Towards Interpreting Vulnerability of Object Detection Models via Adversarial Distillation

Yaoyuan Zhang; Yu an Tan; Mingfeng Lu; Lu Liu; Quanxing Zhang; Yuanzhang Li; Dianxin Wang

doi:10.1007/978-3-031-16815-4_4

Towards Interpreting Vulnerability of Object Detection Models via Adversarial Distillation

Yaoyuan Zhang, Yu an Tan, Mingfeng Lu, Lu Liu, Quanxing Zhang, Yuanzhang Li, Dianxin Wang^*

^*此作品的通讯作者

Beijing Institute of Technology

科研成果: 书/报告/会议事项章节 › 会议稿件 › 同行评审

摘要

Recent works have shown that deep learning models are highly vulnerable to adversarial examples, limiting the application of deep learning in security-critical systems. This paper aims to interpret the vulnerability of deep learning models to adversarial examples. We propose adversarial distillation to illustrate that adversarial examples are generalizable data features. Deep learning models are vulnerable to adversarial examples because models do not learn this data distribution. More specifically, we obtain adversarial features by introducing a generation and extraction mechanism. The generation mechanism generates adversarial examples, which mislead the source model trained on the original clean samples. The extraction term removes the original features and selects valid and generalizable adversarial features. Valuable adversarial features guide the model to learn the data distribution of adversarial examples and realize the model’s generalization on the adversarial dataset. Extensive experimental evaluations have proved the excellent generalization performance of the adversarial distillation model. Compared with the normally trained model, the mAP has increased by 2.17% on their respective test sets, while the mAP on the opponent’s test set is very low. The experimental results further prove that adversarial examples are also generalizable data features, which obeys a different data distribution from the clean data. Understanding why deep learning models are not robust to adversarial samples is helpful to attain interpretable and robust deep learning models. Robust models are essential for users to trust models and interact with the models, which can promote the application of deep learning in security-sensitive systems.

源语言	英语
主期刊名	Applied Cryptography and Network Security Workshops - ACNS 2022 Satellite Workshops, AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA, Proceedings
编辑	Jianying Zhou, Sudipta Chattopadhyay, Sridhar Adepu, Cristina Alcaraz, Lejla Batina, Emiliano Casalicchio, Chenglu Jin, Jingqiang Lin, Eleonora Losiouk, Suryadipta Majumdar, Weizhi Meng, Stjepan Picek, Yury Zhauniarovich, Jun Shao, Chunhua Su, Cong Wang, Saman Zonouz
出版商	Springer Science and Business Media Deutschland GmbH
页	53-65
页数	13
ISBN（印刷版）	9783031168147
DOI	https://doi.org/10.1007/978-3-031-16815-4_4
出版状态	已出版 - 2022
活动	Satellite Workshops on AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA 2022, held in conjunction with the 20th International Conference on Applied Cryptography and Network Security, ACNS 2022 - Virtual, Online 期限: 20 6月 2022 → 23 6月 2022

出版系列

姓名	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
卷	13285 LNCS
ISSN（印刷版）	0302-9743
ISSN（电子版）	1611-3349

会议

会议	Satellite Workshops on AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA 2022, held in conjunction with the 20th International Conference on Applied Cryptography and Network Security, ACNS 2022
市	Virtual, Online
时期	20/06/22 → 23/06/22

访问文件

10.1007/978-3-031-16815-4_4

其它文件与链接

链接到 Scopus 的出版物

引用此

Zhang, Y., Tan, Y. A., Lu, M., Liu, L., Zhang, Q., Li, Y., & Wang, D. (2022). Towards Interpreting Vulnerability of Object Detection Models via Adversarial Distillation. 在 J. Zhou, S. Chattopadhyay, S. Adepu, C. Alcaraz, L. Batina, E. Casalicchio, C. Jin, J. Lin, E. Losiouk, S. Majumdar, W. Meng, S. Picek, Y. Zhauniarovich, J. Shao, C. Su, C. Wang, & S. Zonouz (编辑), Applied Cryptography and Network Security Workshops - ACNS 2022 Satellite Workshops, AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA, Proceedings (页码 53-65). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); 卷 13285 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-16815-4_4

Zhang, Yaoyuan ; Tan, Yu an ; Lu, Mingfeng 等. / Towards Interpreting Vulnerability of Object Detection Models via Adversarial Distillation. Applied Cryptography and Network Security Workshops - ACNS 2022 Satellite Workshops, AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA, Proceedings. 编辑 / Jianying Zhou ; Sudipta Chattopadhyay ; Sridhar Adepu ; Cristina Alcaraz ; Lejla Batina ; Emiliano Casalicchio ; Chenglu Jin ; Jingqiang Lin ; Eleonora Losiouk ; Suryadipta Majumdar ; Weizhi Meng ; Stjepan Picek ; Yury Zhauniarovich ; Jun Shao ; Chunhua Su ; Cong Wang ; Saman Zonouz. Springer Science and Business Media Deutschland GmbH, 2022. 页码 53-65 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{f0f80aa94dc34b70b9bb1aec3aa67e86,

title = "Towards Interpreting Vulnerability of Object Detection Models via Adversarial Distillation",

abstract = "Recent works have shown that deep learning models are highly vulnerable to adversarial examples, limiting the application of deep learning in security-critical systems. This paper aims to interpret the vulnerability of deep learning models to adversarial examples. We propose adversarial distillation to illustrate that adversarial examples are generalizable data features. Deep learning models are vulnerable to adversarial examples because models do not learn this data distribution. More specifically, we obtain adversarial features by introducing a generation and extraction mechanism. The generation mechanism generates adversarial examples, which mislead the source model trained on the original clean samples. The extraction term removes the original features and selects valid and generalizable adversarial features. Valuable adversarial features guide the model to learn the data distribution of adversarial examples and realize the model{\textquoteright}s generalization on the adversarial dataset. Extensive experimental evaluations have proved the excellent generalization performance of the adversarial distillation model. Compared with the normally trained model, the mAP has increased by 2.17% on their respective test sets, while the mAP on the opponent{\textquoteright}s test set is very low. The experimental results further prove that adversarial examples are also generalizable data features, which obeys a different data distribution from the clean data. Understanding why deep learning models are not robust to adversarial samples is helpful to attain interpretable and robust deep learning models. Robust models are essential for users to trust models and interact with the models, which can promote the application of deep learning in security-sensitive systems.",

keywords = "Adversarial examples, Deep learning, Interpretability, Object detection",

author = "Yaoyuan Zhang and Tan, {Yu an} and Mingfeng Lu and Lu Liu and Quanxing Zhang and Yuanzhang Li and Dianxin Wang",

note = "Publisher Copyright: {\textcopyright} 2022, The Author(s), under exclusive license to Springer Nature Switzerland AG.; Satellite Workshops on AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA 2022, held in conjunction with the 20th International Conference on Applied Cryptography and Network Security, ACNS 2022 ; Conference date: 20-06-2022 Through 23-06-2022",

year = "2022",

doi = "10.1007/978-3-031-16815-4_4",

language = "English",

isbn = "9783031168147",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "53--65",

editor = "Jianying Zhou and Sudipta Chattopadhyay and Sridhar Adepu and Cristina Alcaraz and Lejla Batina and Emiliano Casalicchio and Chenglu Jin and Jingqiang Lin and Eleonora Losiouk and Suryadipta Majumdar and Weizhi Meng and Stjepan Picek and Yury Zhauniarovich and Jun Shao and Chunhua Su and Cong Wang and Saman Zonouz",

booktitle = "Applied Cryptography and Network Security Workshops - ACNS 2022 Satellite Workshops, AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA, Proceedings",

address = "Germany",

}

Zhang, Y, Tan, YA, Lu, M, Liu, L , Zhang, Q , Li, Y & Wang, D 2022, Towards Interpreting Vulnerability of Object Detection Models via Adversarial Distillation. 在 J Zhou, S Chattopadhyay, S Adepu, C Alcaraz, L Batina, E Casalicchio, C Jin, J Lin, E Losiouk, S Majumdar, W Meng, S Picek, Y Zhauniarovich, J Shao, C Su, C Wang & S Zonouz (编辑), Applied Cryptography and Network Security Workshops - ACNS 2022 Satellite Workshops, AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 卷 13285 LNCS, Springer Science and Business Media Deutschland GmbH, 页码 53-65, Satellite Workshops on AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA 2022, held in conjunction with the 20th International Conference on Applied Cryptography and Network Security, ACNS 2022, Virtual, Online, 20/06/22. https://doi.org/10.1007/978-3-031-16815-4_4

Towards Interpreting Vulnerability of Object Detection Models via Adversarial Distillation. / Zhang, Yaoyuan; Tan, Yu an; Lu, Mingfeng 等.
Applied Cryptography and Network Security Workshops - ACNS 2022 Satellite Workshops, AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA, Proceedings. 编辑 / Jianying Zhou; Sudipta Chattopadhyay; Sridhar Adepu; Cristina Alcaraz; Lejla Batina; Emiliano Casalicchio; Chenglu Jin; Jingqiang Lin; Eleonora Losiouk; Suryadipta Majumdar; Weizhi Meng; Stjepan Picek; Yury Zhauniarovich; Jun Shao; Chunhua Su; Cong Wang; Saman Zonouz. Springer Science and Business Media Deutschland GmbH, 2022. 页码 53-65 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); 卷 13285 LNCS).

科研成果: 书/报告/会议事项章节 › 会议稿件 › 同行评审

TY - GEN

T1 - Towards Interpreting Vulnerability of Object Detection Models via Adversarial Distillation

AU - Zhang, Yaoyuan

AU - Tan, Yu an

AU - Lu, Mingfeng

AU - Liu, Lu

AU - Zhang, Quanxing

AU - Li, Yuanzhang

AU - Wang, Dianxin

PY - 2022

Y1 - 2022

N2 - Recent works have shown that deep learning models are highly vulnerable to adversarial examples, limiting the application of deep learning in security-critical systems. This paper aims to interpret the vulnerability of deep learning models to adversarial examples. We propose adversarial distillation to illustrate that adversarial examples are generalizable data features. Deep learning models are vulnerable to adversarial examples because models do not learn this data distribution. More specifically, we obtain adversarial features by introducing a generation and extraction mechanism. The generation mechanism generates adversarial examples, which mislead the source model trained on the original clean samples. The extraction term removes the original features and selects valid and generalizable adversarial features. Valuable adversarial features guide the model to learn the data distribution of adversarial examples and realize the model’s generalization on the adversarial dataset. Extensive experimental evaluations have proved the excellent generalization performance of the adversarial distillation model. Compared with the normally trained model, the mAP has increased by 2.17% on their respective test sets, while the mAP on the opponent’s test set is very low. The experimental results further prove that adversarial examples are also generalizable data features, which obeys a different data distribution from the clean data. Understanding why deep learning models are not robust to adversarial samples is helpful to attain interpretable and robust deep learning models. Robust models are essential for users to trust models and interact with the models, which can promote the application of deep learning in security-sensitive systems.

AB - Recent works have shown that deep learning models are highly vulnerable to adversarial examples, limiting the application of deep learning in security-critical systems. This paper aims to interpret the vulnerability of deep learning models to adversarial examples. We propose adversarial distillation to illustrate that adversarial examples are generalizable data features. Deep learning models are vulnerable to adversarial examples because models do not learn this data distribution. More specifically, we obtain adversarial features by introducing a generation and extraction mechanism. The generation mechanism generates adversarial examples, which mislead the source model trained on the original clean samples. The extraction term removes the original features and selects valid and generalizable adversarial features. Valuable adversarial features guide the model to learn the data distribution of adversarial examples and realize the model’s generalization on the adversarial dataset. Extensive experimental evaluations have proved the excellent generalization performance of the adversarial distillation model. Compared with the normally trained model, the mAP has increased by 2.17% on their respective test sets, while the mAP on the opponent’s test set is very low. The experimental results further prove that adversarial examples are also generalizable data features, which obeys a different data distribution from the clean data. Understanding why deep learning models are not robust to adversarial samples is helpful to attain interpretable and robust deep learning models. Robust models are essential for users to trust models and interact with the models, which can promote the application of deep learning in security-sensitive systems.

KW - Adversarial examples

KW - Deep learning

KW - Interpretability

KW - Object detection

UR - http://www.scopus.com/inward/record.url?scp=85140444394&partnerID=8YFLogxK

U2 - 10.1007/978-3-031-16815-4_4

DO - 10.1007/978-3-031-16815-4_4

M3 - Conference contribution

AN - SCOPUS:85140444394

SN - 9783031168147

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 53

EP - 65

BT - Applied Cryptography and Network Security Workshops - ACNS 2022 Satellite Workshops, AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA, Proceedings

A2 - Zhou, Jianying

A2 - Chattopadhyay, Sudipta

A2 - Adepu, Sridhar

A2 - Alcaraz, Cristina

A2 - Batina, Lejla

A2 - Casalicchio, Emiliano

A2 - Jin, Chenglu

A2 - Lin, Jingqiang

A2 - Losiouk, Eleonora

A2 - Majumdar, Suryadipta

A2 - Meng, Weizhi

A2 - Picek, Stjepan

A2 - Zhauniarovich, Yury

A2 - Shao, Jun

A2 - Su, Chunhua

A2 - Wang, Cong

A2 - Zonouz, Saman

PB - Springer Science and Business Media Deutschland GmbH

T2 - Satellite Workshops on AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA 2022, held in conjunction with the 20th International Conference on Applied Cryptography and Network Security, ACNS 2022

Y2 - 20 June 2022 through 23 June 2022

ER -

Zhang Y, Tan YA, Lu M, Liu L , Zhang Q , Li Y 等. Towards Interpreting Vulnerability of Object Detection Models via Adversarial Distillation. 在 Zhou J, Chattopadhyay S, Adepu S, Alcaraz C, Batina L, Casalicchio E, Jin C, Lin J, Losiouk E, Majumdar S, Meng W, Picek S, Zhauniarovich Y, Shao J, Su C, Wang C, Zonouz S, 编辑, Applied Cryptography and Network Security Workshops - ACNS 2022 Satellite Workshops, AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA, Proceedings. Springer Science and Business Media Deutschland GmbH. 2022. 页码 53-65. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-031-16815-4_4

Towards Interpreting Vulnerability of Object Detection Models via Adversarial Distillation

摘要

出版系列

会议

访问文件

其它文件与链接

指纹

引用此