DOI: 10.1145/3576915.3624396

Poster: Detecting Adversarial Examples Hidden under Watermark Perturbation via Usable Information Theory

Published: 21 November 2023

Abstract

Image watermarking is a technique widely used for copyright protection. Recent studies show that an image watermark can be added to a clean image as a form of noise to fool deep learning models. However, previous adversarial example (AE) detection schemes tend to be ineffective against it, since a watermark logo differs from typical noise perturbations. In this poster, we propose Themis, a novel AE detection method against watermark perturbation. Unlike prior methods, Themis neither modifies the protected classifier nor requires knowledge of the process used to generate AEs. Specifically, Themis leverages usable information theory to compute a pointwise score, thereby discovering instances that may be watermark AEs. Empirical evaluations involving 5 different logo watermark perturbations demonstrate that the proposed scheme efficiently detects AEs and significantly (by over 15% accuracy) outperforms five state-of-the-art (SOTA) detection methods. The visualization results show that our detection metric separates AEs from non-AEs more clearly. Meanwhile, Themis achieves a larger Area Under Curve (AUC) in a threshold-resilient manner, while introducing only ∼0.04 s of overhead.
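As an added illustration (not the Themis implementation and not code from the paper): the "pointwise score" in the abstract refers to pointwise V-usable information, PVI(x -> y) = -log g'[null](y) + log g'[x](y) from Ethayarajh et al. [2], the per-instance form of the V-information of Xu et al. [12]. The Python below computes that score from the protected classifier's output distribution and a null-input (prior) distribution, scores each instance's own predicted label, flags low-scoring instances, and compares the score with a raw-confidence baseline using a threshold-free rank AUC, the kind of threshold-resilient evaluation the abstract mentions. The prior, the softmax vectors and the split into clean and watermark-AE instances are constructed sample data; which label Themis scores and how it obtains g'[null] are not stated in the abstract and are assumptions here.

```python
"""Pointwise V-usable information (PVI) as an adversarial-example score.

Added illustration for this page; not the Themis implementation. All sample
data below is constructed, and scoring the classifier's own predicted label
against a null-input prior is an assumption, not the paper's stated method.
"""
import math

# Constructed sample data (not from the paper). PRIOR plays the role of g'[null]:
# the output of the model when the input is blanked, i.e. the label marginal.
# Each instance is (softmax output of the protected classifier, its argmax label).
PRIOR = [0.40, 0.30, 0.20, 0.10]

CLEAN = [
    ([0.92, 0.03, 0.03, 0.02], 0),
    ([0.05, 0.88, 0.04, 0.03], 1),
    ([0.02, 0.03, 0.90, 0.05], 2),
    ([0.20, 0.15, 0.15, 0.50], 3),  # low confidence on a rare class, but far above its prior
]
WATERMARK_AE = [
    ([0.55, 0.25, 0.10, 0.10], 0),  # pushed into the majority class: confident yet uninformative
    ([0.60, 0.20, 0.10, 0.10], 0),
    ([0.30, 0.45, 0.15, 0.10], 1),
    ([0.42, 0.38, 0.10, 0.10], 0),
]


def pvi(prior, probs, label):
    """PVI(x -> y) = -log2 g'[null](y) + log2 g'[x](y)  (Ethayarajh et al., ICML 2022).

    prior: predictive distribution of the null-input model, g'[null].
    probs: the classifier's distribution given x, g'[x].
    label: the label y under test (here, the classifier's own prediction).
    A large value means x carries usable information about y; a value near
    zero means the classifier predicts y about as well without seeing x.
    """
    eps = 1e-12  # guard against log(0) on hard-zero softmax entries
    return math.log2(max(probs[label], eps)) - math.log2(max(prior[label], eps))


def confidence(prior, probs, label):
    """Baseline score: raw softmax confidence of the predicted label (ignores the prior)."""
    return probs[label]


def detection_scores(prior, batch, scorer):
    """Score every (probs, label) instance in batch with the given scorer."""
    return [scorer(prior, probs, label) for probs, label in batch]


def flag_aes(prior, batch, threshold):
    """Flag an instance as a suspected AE when its PVI falls below threshold."""
    return [score < threshold for score in detection_scores(prior, batch, pvi)]


def rank_auc(clean_scores, ae_scores):
    """Threshold-free AUC via the Mann-Whitney U statistic.

    Returns P(score(clean) > score(AE)) over all clean/AE pairs, ties counted
    as one half. Because AEs are flagged by LOW scores, 1.0 means the score
    separates the two groups perfectly at some threshold.
    """
    wins = 0.0
    for c in clean_scores:
        for a in ae_scores:
            wins += 1.0 if c > a else 0.5 if c == a else 0.0
    return wins / (len(clean_scores) * len(ae_scores))


def run_demo():
    """Compare PVI with raw confidence on the constructed data; returns both AUCs."""
    pvi_auc = rank_auc(detection_scores(PRIOR, CLEAN, pvi),
                       detection_scores(PRIOR, WATERMARK_AE, pvi))
    conf_auc = rank_auc(detection_scores(PRIOR, CLEAN, confidence),
                        detection_scores(PRIOR, WATERMARK_AE, confidence))
    return {"pvi_auc": pvi_auc, "confidence_auc": conf_auc}


if __name__ == "__main__":
    print(run_demo())  # on the constructed data: {'pvi_auc': 1.0, 'confidence_auc': 0.875}
    print("flagged AEs:", flag_aes(PRIOR, WATERMARK_AE, 1.0))
    print("flagged clean:", flag_aes(PRIOR, CLEAN, 1.0))
```

The constructed data makes the practitioner's point visible: an AE that the watermark drives into the majority class can be more confident than a clean image of a rare class, so raw confidence mis-ranks the pair, while the prior-adjusted PVI still separates the groups. Real evaluations should replace the constructed vectors with held-out clean images and AEs and report the rank AUC rather than accuracy at one hand-picked threshold.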

References

[1] Nicholas Carlini et al. Towards evaluating the robustness of neural networks. In IEEE Symposium on Security and Privacy, pages 39--57. IEEE Computer Society, 2017.
[2] Kawin Ethayarajh et al. Understanding dataset difficulty with V-usable information. In ICML, volume 162 of Proceedings of Machine Learning Research, pages 5988--6008. PMLR, 2022.
[3] ImageNet. ImageNet Large Scale Visual Recognition Challenge 2012 (ILSVRC2012), 2021. http://image-net.org/challenges/LSVRC/2012/2012-downloads. Accessed April 1, 2021.
[4] Xiaojun Jia et al. Adv-watermark: A novel watermark perturbation for adversarial examples. In ACM Multimedia, pages 1579--1587. ACM, 2020.
[5] Weitang Liu et al. Energy-based out-of-distribution detection. In NeurIPS, 2020.
[6] Dongyu Meng and Hao Chen. MagNet: A two-pronged defense against adversarial examples. In CCS, pages 135--147. ACM, 2017.
[7] Tianyu Pang et al. Improving adversarial robustness via promoting ensemble diversity. In ICML, volume 97 of Proceedings of Machine Learning Research, pages 4970--4979. PMLR, 2019.
[8] Tianyu Pang et al. Two coupled rejection metrics can tell adversarial examples apart. In CVPR, pages 15202--15212. IEEE, 2022.
[9] Claude E. Shannon. A mathematical theory of communication. Bell Syst. Tech. J., 27(3):379--423, 1948.
[10] Shixin Tian et al. Detecting adversarial examples through image transformation. In AAAI, pages 4139--4146. AAAI Press, 2018.
[11] Weilin Xu et al. Feature squeezing: Detecting adversarial examples in deep neural networks. In NDSS. The Internet Society, 2018.
[12] Yilun Xu et al. A theory of usable information under computational constraints. In ICLR. OpenReview.net, 2020.
[13] Yijun Yang et al. What you see is not what the network infers: Detecting adversarial examples based on semantic contradiction. In NDSS. The Internet Society, 2022.
[14] Hongyang Zhang et al. Theoretically principled trade-off between robustness and accuracy. In ICML, volume 97 of Proceedings of Machine Learning Research, pages 7472--7482. PMLR, 2019.
[15] Ziming Zhao et al. SAGE: Steering the adversarial generation of examples with accelerations. IEEE Trans. Inf. Forensics Secur., 18:789--803, 2023.

Cited By

  • (2024) A Hybrid Sparse-dense Defensive DNN Accelerator Architecture against Adversarial Example Attacks. ACM Transactions on Embedded Computing Systems 23(5), 1-28. DOI: 10.1145/3677318. Online publication date: 14 Aug 2024.


    Published In

    CCS '23: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security
    November 2023, 3722 pages
    ISBN: 9798400700507
    DOI: 10.1145/3576915

    Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

    Publisher

    Association for Computing Machinery, New York, NY, United States


    Author Tags

    1. usable information theory
    2. watermark adversarial examples


    Acceptance Rates

    Overall Acceptance Rate 1,261 of 6,999 submissions, 18%
