Spatially constrained Adversarial Attack Detection and Localization in the Representation Space of Optical Flow Networks

Hannah H Kim; Celia Cintas; Girmaw Abebe Tadesse; Skyler Speakman

Spatially constrained Adversarial Attack Detection and Localization in the Representation Space of Optical Flow Networks

Hannah H Kim, Celia Cintas, Girmaw Abebe Tadesse, Skyler Speakman

22 Sept 2022 (modified: 13 Feb 2023)ICLR 2023 Conference Withdrawn SubmissionReaders: Everyone

Keywords: optical flow, adversarial attack detection, adversarial attack localization

Abstract: Optical flow estimation have shown significant improvements with advances in deep neural networks. However, these flow networks have recently been shown to be vulnerable to patch-based adversarial attacks, which poses security risks in real-world applications, such as self-driving cars and robotics. We propose SADL, a Spatially constrained adversarial Attack Detection and Localization framework, which does not require dedicated training. The detection of an attacked input sequence is performed via iterative optimization on the activations from the inner layers of flow networks, without any prior knowledge of the attacks. The novel spatially constrained optimization ensures that the detected anomalous subset of features comes from a local region. To this end, SADL provides a subset of nodes within a spatial neighborhood that contribute more to the detection, which will be utilized to localize the attack in the input sequence. The proposed SADL is validated across multiple datasets (i.e., MPI-Sintel and KITTI) and flow networks (i.e., FlowNetC, FlowNet2, PWCNet, and RAFT). With patch attacks $4.8\%$ of the size of the input image resolution on RAFT, our method successfully detects and localizes them with an average precision of $0.946$ and $0.951$ for KITTI-2015 and MPI-Sintel datasets, respectively. The results show that SADL consistently achieves higher detection rates than existing methods and provides new localization capabilities.

Anonymous Url: I certify that there is no URL (e.g., github page) that could be used to find authors’ identity.

No Acknowledgement Section: I certify that there is no acknowledgement section in this submission for double blind review.

Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics

Submission Guidelines: Yes

Supplementary Material: zip

Please Choose The Closest Area That Your Submission Falls Into: Applications (eg, speech processing, computer vision, NLP)

4 Replies

Loading