MagNet is a defense method that adopts autoencoders to detect and purify adversarial examples. Although MagNet is robust against grey-box and black-box attacks, it is vulnerable to white-box attacks. Despite this prior knowledge, the fundamental reason for and mitigation of the vulnerability of MagNet have not been discussed. We suggest that the challenge of MagNet is the generalization of the data manifold. To explain this, in this work, we leverage deep learning coverage for the reformer of MagNet. We mutate training images through image transformation algorithms and then train the reformer using mutants with new coverage information. The selected mutants provide an interesting data manifold, that cannot be handled by the random noise of MagNet, to the reformer. In grey-box settings, our defense method classified adversarial examples for various perturbation sizes much more accurately than MagNet even with the same architecture. Based on the preliminary result of this work, we consider future work to identify whether the generalization power of deep learning coverage is effective for stronger adversaries and different architectures.
|Title of host publication
|CCS 2022 - Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security
|Association for Computing Machinery
|Number of pages
|Published - 2022 Nov 7
|28th ACM SIGSAC Conference on Computer and Communications Security, CCS 2022 - Los Angeles, United States
Duration: 2022 Nov 7 → 2022 Nov 11
|Proceedings of the ACM Conference on Computer and Communications Security
|28th ACM SIGSAC Conference on Computer and Communications Security, CCS 2022
|22/11/7 → 22/11/11
Bibliographical notePublisher Copyright:
© 2022 Owner/Author.
All Science Journal Classification (ASJC) codes
- Computer Networks and Communications