Deep neural networks (DNNs) are notorious for their vulnerability to
adversarial attacks, which are small perturbations added to their input images
to mislead their prediction. Detection of adversarial examples is, therefore, a
fundamental requirement for robust classification frameworks. In this work, we
present a method for detecting such adversarial attacks, which is suitable for
any pre-trained neural network classifier. We use influence functions to
measure the impact of every training sample on the validation set data. From
the influence scores, we find the most supportive training samples for any
given validation example. A k-nearest neighbor (k-NN) model fitted on the DNN's
activation layers is employed to search for the ranking of these supporting
training samples. We observe that these samples are highly correlated with the
nearest neighbors of the normal inputs, while this correlation is much weaker
for adversarial inputs. We train an adversarial detector using the k-NN ranks
and distances and show that it successfully distinguishes adversarial examples,
getting state-of-the-art results on six attack methods with three datasets.
Code is available at this https URL

本文提出了一种针对深度神经网络的对抗攻击的检测方法，使用影响函数来测量每个训练样本对于验证集数据的影响力，并通过在激活层上拟合 k-NN 模型来寻找最有支持性的训练样本，最后使用 k-NN 排名和距离训练一个对抗检测器成功地区分了六种攻击方法和三个数据集的对抗样本，取得了最先进的结果。