Towards Interpreting Vulnerability of Object Detection Models via Adversarial Distillation

Yaoyuan Zhang; Yu an Tan; Mingfeng Lu; Lu Liu; Quanxing Zhang; Yuanzhang Li; Dianxin Wang

doi:10.1007/978-3-031-16815-4_4

Towards Interpreting Vulnerability of Object Detection Models via Adversarial Distillation

Yaoyuan Zhang, Yu an Tan, Mingfeng Lu, Lu Liu, Quanxing Zhang, Yuanzhang Li, Dianxin Wang^*

^*Corresponding author for this work

Beijing Institute of Technology

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Recent works have shown that deep learning models are highly vulnerable to adversarial examples, limiting the application of deep learning in security-critical systems. This paper aims to interpret the vulnerability of deep learning models to adversarial examples. We propose adversarial distillation to illustrate that adversarial examples are generalizable data features. Deep learning models are vulnerable to adversarial examples because models do not learn this data distribution. More specifically, we obtain adversarial features by introducing a generation and extraction mechanism. The generation mechanism generates adversarial examples, which mislead the source model trained on the original clean samples. The extraction term removes the original features and selects valid and generalizable adversarial features. Valuable adversarial features guide the model to learn the data distribution of adversarial examples and realize the model’s generalization on the adversarial dataset. Extensive experimental evaluations have proved the excellent generalization performance of the adversarial distillation model. Compared with the normally trained model, the mAP has increased by 2.17% on their respective test sets, while the mAP on the opponent’s test set is very low. The experimental results further prove that adversarial examples are also generalizable data features, which obeys a different data distribution from the clean data. Understanding why deep learning models are not robust to adversarial samples is helpful to attain interpretable and robust deep learning models. Robust models are essential for users to trust models and interact with the models, which can promote the application of deep learning in security-sensitive systems.

Original language	English
Title of host publication	Applied Cryptography and Network Security Workshops - ACNS 2022 Satellite Workshops, AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA, Proceedings
Editors	Jianying Zhou, Sudipta Chattopadhyay, Sridhar Adepu, Cristina Alcaraz, Lejla Batina, Emiliano Casalicchio, Chenglu Jin, Jingqiang Lin, Eleonora Losiouk, Suryadipta Majumdar, Weizhi Meng, Stjepan Picek, Yury Zhauniarovich, Jun Shao, Chunhua Su, Cong Wang, Saman Zonouz
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	53-65
Number of pages	13
ISBN (Print)	9783031168147
DOIs	https://doi.org/10.1007/978-3-031-16815-4_4
Publication status	Published - 2022
Event	Satellite Workshops on AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA 2022, held in conjunction with the 20th International Conference on Applied Cryptography and Network Security, ACNS 2022 - Virtual, Online Duration: 20 Jun 2022 → 23 Jun 2022

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	13285 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	Satellite Workshops on AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA 2022, held in conjunction with the 20th International Conference on Applied Cryptography and Network Security, ACNS 2022
City	Virtual, Online
Period	20/06/22 → 23/06/22

Keywords

Adversarial examples
Deep learning
Interpretability
Object detection

Access to Document

10.1007/978-3-031-16815-4_4

Cite this

Zhang, Y., Tan, Y. A., Lu, M., Liu, L., Zhang, Q., Li, Y., & Wang, D. (2022). Towards Interpreting Vulnerability of Object Detection Models via Adversarial Distillation. In J. Zhou, S. Chattopadhyay, S. Adepu, C. Alcaraz, L. Batina, E. Casalicchio, C. Jin, J. Lin, E. Losiouk, S. Majumdar, W. Meng, S. Picek, Y. Zhauniarovich, J. Shao, C. Su, C. Wang, & S. Zonouz (Eds.), Applied Cryptography and Network Security Workshops - ACNS 2022 Satellite Workshops, AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA, Proceedings (pp. 53-65). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13285 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-16815-4_4

Zhang, Yaoyuan ; Tan, Yu an ; Lu, Mingfeng et al. / Towards Interpreting Vulnerability of Object Detection Models via Adversarial Distillation. Applied Cryptography and Network Security Workshops - ACNS 2022 Satellite Workshops, AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA, Proceedings. editor / Jianying Zhou ; Sudipta Chattopadhyay ; Sridhar Adepu ; Cristina Alcaraz ; Lejla Batina ; Emiliano Casalicchio ; Chenglu Jin ; Jingqiang Lin ; Eleonora Losiouk ; Suryadipta Majumdar ; Weizhi Meng ; Stjepan Picek ; Yury Zhauniarovich ; Jun Shao ; Chunhua Su ; Cong Wang ; Saman Zonouz. Springer Science and Business Media Deutschland GmbH, 2022. pp. 53-65 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{f0f80aa94dc34b70b9bb1aec3aa67e86,

title = "Towards Interpreting Vulnerability of Object Detection Models via Adversarial Distillation",

abstract = "Recent works have shown that deep learning models are highly vulnerable to adversarial examples, limiting the application of deep learning in security-critical systems. This paper aims to interpret the vulnerability of deep learning models to adversarial examples. We propose adversarial distillation to illustrate that adversarial examples are generalizable data features. Deep learning models are vulnerable to adversarial examples because models do not learn this data distribution. More specifically, we obtain adversarial features by introducing a generation and extraction mechanism. The generation mechanism generates adversarial examples, which mislead the source model trained on the original clean samples. The extraction term removes the original features and selects valid and generalizable adversarial features. Valuable adversarial features guide the model to learn the data distribution of adversarial examples and realize the model{\textquoteright}s generalization on the adversarial dataset. Extensive experimental evaluations have proved the excellent generalization performance of the adversarial distillation model. Compared with the normally trained model, the mAP has increased by 2.17% on their respective test sets, while the mAP on the opponent{\textquoteright}s test set is very low. The experimental results further prove that adversarial examples are also generalizable data features, which obeys a different data distribution from the clean data. Understanding why deep learning models are not robust to adversarial samples is helpful to attain interpretable and robust deep learning models. Robust models are essential for users to trust models and interact with the models, which can promote the application of deep learning in security-sensitive systems.",

keywords = "Adversarial examples, Deep learning, Interpretability, Object detection",

author = "Yaoyuan Zhang and Tan, {Yu an} and Mingfeng Lu and Lu Liu and Quanxing Zhang and Yuanzhang Li and Dianxin Wang",

note = "Publisher Copyright: {\textcopyright} 2022, The Author(s), under exclusive license to Springer Nature Switzerland AG.; Satellite Workshops on AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA 2022, held in conjunction with the 20th International Conference on Applied Cryptography and Network Security, ACNS 2022 ; Conference date: 20-06-2022 Through 23-06-2022",

year = "2022",

doi = "10.1007/978-3-031-16815-4_4",

language = "English",

isbn = "9783031168147",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "53--65",

editor = "Jianying Zhou and Sudipta Chattopadhyay and Sridhar Adepu and Cristina Alcaraz and Lejla Batina and Emiliano Casalicchio and Chenglu Jin and Jingqiang Lin and Eleonora Losiouk and Suryadipta Majumdar and Weizhi Meng and Stjepan Picek and Yury Zhauniarovich and Jun Shao and Chunhua Su and Cong Wang and Saman Zonouz",

booktitle = "Applied Cryptography and Network Security Workshops - ACNS 2022 Satellite Workshops, AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA, Proceedings",

address = "Germany",

}

Zhang, Y, Tan, YA, Lu, M, Liu, L , Zhang, Q , Li, Y & Wang, D 2022, Towards Interpreting Vulnerability of Object Detection Models via Adversarial Distillation. in J Zhou, S Chattopadhyay, S Adepu, C Alcaraz, L Batina, E Casalicchio, C Jin, J Lin, E Losiouk, S Majumdar, W Meng, S Picek, Y Zhauniarovich, J Shao, C Su, C Wang & S Zonouz (eds), Applied Cryptography and Network Security Workshops - ACNS 2022 Satellite Workshops, AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 13285 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 53-65, Satellite Workshops on AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA 2022, held in conjunction with the 20th International Conference on Applied Cryptography and Network Security, ACNS 2022, Virtual, Online, 20/06/22. https://doi.org/10.1007/978-3-031-16815-4_4

Towards Interpreting Vulnerability of Object Detection Models via Adversarial Distillation. / Zhang, Yaoyuan; Tan, Yu an; Lu, Mingfeng et al.
Applied Cryptography and Network Security Workshops - ACNS 2022 Satellite Workshops, AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA, Proceedings. ed. / Jianying Zhou; Sudipta Chattopadhyay; Sridhar Adepu; Cristina Alcaraz; Lejla Batina; Emiliano Casalicchio; Chenglu Jin; Jingqiang Lin; Eleonora Losiouk; Suryadipta Majumdar; Weizhi Meng; Stjepan Picek; Yury Zhauniarovich; Jun Shao; Chunhua Su; Cong Wang; Saman Zonouz. Springer Science and Business Media Deutschland GmbH, 2022. p. 53-65 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13285 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Towards Interpreting Vulnerability of Object Detection Models via Adversarial Distillation

AU - Zhang, Yaoyuan

AU - Tan, Yu an

AU - Lu, Mingfeng

AU - Liu, Lu

AU - Zhang, Quanxing

AU - Li, Yuanzhang

AU - Wang, Dianxin

PY - 2022

Y1 - 2022

N2 - Recent works have shown that deep learning models are highly vulnerable to adversarial examples, limiting the application of deep learning in security-critical systems. This paper aims to interpret the vulnerability of deep learning models to adversarial examples. We propose adversarial distillation to illustrate that adversarial examples are generalizable data features. Deep learning models are vulnerable to adversarial examples because models do not learn this data distribution. More specifically, we obtain adversarial features by introducing a generation and extraction mechanism. The generation mechanism generates adversarial examples, which mislead the source model trained on the original clean samples. The extraction term removes the original features and selects valid and generalizable adversarial features. Valuable adversarial features guide the model to learn the data distribution of adversarial examples and realize the model’s generalization on the adversarial dataset. Extensive experimental evaluations have proved the excellent generalization performance of the adversarial distillation model. Compared with the normally trained model, the mAP has increased by 2.17% on their respective test sets, while the mAP on the opponent’s test set is very low. The experimental results further prove that adversarial examples are also generalizable data features, which obeys a different data distribution from the clean data. Understanding why deep learning models are not robust to adversarial samples is helpful to attain interpretable and robust deep learning models. Robust models are essential for users to trust models and interact with the models, which can promote the application of deep learning in security-sensitive systems.

AB - Recent works have shown that deep learning models are highly vulnerable to adversarial examples, limiting the application of deep learning in security-critical systems. This paper aims to interpret the vulnerability of deep learning models to adversarial examples. We propose adversarial distillation to illustrate that adversarial examples are generalizable data features. Deep learning models are vulnerable to adversarial examples because models do not learn this data distribution. More specifically, we obtain adversarial features by introducing a generation and extraction mechanism. The generation mechanism generates adversarial examples, which mislead the source model trained on the original clean samples. The extraction term removes the original features and selects valid and generalizable adversarial features. Valuable adversarial features guide the model to learn the data distribution of adversarial examples and realize the model’s generalization on the adversarial dataset. Extensive experimental evaluations have proved the excellent generalization performance of the adversarial distillation model. Compared with the normally trained model, the mAP has increased by 2.17% on their respective test sets, while the mAP on the opponent’s test set is very low. The experimental results further prove that adversarial examples are also generalizable data features, which obeys a different data distribution from the clean data. Understanding why deep learning models are not robust to adversarial samples is helpful to attain interpretable and robust deep learning models. Robust models are essential for users to trust models and interact with the models, which can promote the application of deep learning in security-sensitive systems.

KW - Adversarial examples

KW - Deep learning

KW - Interpretability

KW - Object detection

UR - http://www.scopus.com/inward/record.url?scp=85140444394&partnerID=8YFLogxK

U2 - 10.1007/978-3-031-16815-4_4

DO - 10.1007/978-3-031-16815-4_4

M3 - Conference contribution

AN - SCOPUS:85140444394

SN - 9783031168147

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 53

EP - 65

BT - Applied Cryptography and Network Security Workshops - ACNS 2022 Satellite Workshops, AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA, Proceedings

A2 - Zhou, Jianying

A2 - Chattopadhyay, Sudipta

A2 - Adepu, Sridhar

A2 - Alcaraz, Cristina

A2 - Batina, Lejla

A2 - Casalicchio, Emiliano

A2 - Jin, Chenglu

A2 - Lin, Jingqiang

A2 - Losiouk, Eleonora

A2 - Majumdar, Suryadipta

A2 - Meng, Weizhi

A2 - Picek, Stjepan

A2 - Zhauniarovich, Yury

A2 - Shao, Jun

A2 - Su, Chunhua

A2 - Wang, Cong

A2 - Zonouz, Saman

PB - Springer Science and Business Media Deutschland GmbH

T2 - Satellite Workshops on AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA 2022, held in conjunction with the 20th International Conference on Applied Cryptography and Network Security, ACNS 2022

Y2 - 20 June 2022 through 23 June 2022

ER -

Zhang Y, Tan YA, Lu M, Liu L , Zhang Q , Li Y et al. Towards Interpreting Vulnerability of Object Detection Models via Adversarial Distillation. In Zhou J, Chattopadhyay S, Adepu S, Alcaraz C, Batina L, Casalicchio E, Jin C, Lin J, Losiouk E, Majumdar S, Meng W, Picek S, Zhauniarovich Y, Shao J, Su C, Wang C, Zonouz S, editors, Applied Cryptography and Network Security Workshops - ACNS 2022 Satellite Workshops, AIBlock, AIHWS, AIoTS, CIMSS, Cloud S and P, SCI, SecMT, SiMLA, Proceedings. Springer Science and Business Media Deutschland GmbH. 2022. p. 53-65. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-031-16815-4_4