Jedi: entropy-based localization and removal of adversarial patches

Bilel Tarchoun; Anouar Ben Khalifa; Mohamed Ali Mahjoub; Nael Abu-Ghazaleh; Ihsen Alouani

doi:10.1109/CVPR52729.2023.00398

Jedi: entropy-based localization and removal of adversarial patches

Bilel Tarchoun^*
, Anouar Ben Khalifa
, Mohamed Ali Mahjoub
, Nael Abu-Ghazaleh
, Ihsen Alouani^*

^*Corresponding author for this work

School of Electronics, Electrical Engineering and Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

42 Citations (Scopus)

64 Downloads (Pure)

Abstract

Real-world adversarial physical patches were shown to be successful in compromising state-of-the-art models in a variety of computer vision applications. Existing defenses that are based on either input gradient or features analysis have been compromised by recent GAN-based attacks that generate naturalistic patches. In this paper, we propose Jedi, a new defense against adversarial patches that is resilient to realistic patch attacks. Jedi tackles the patch localization problem from an information theory perspective; leverages two new ideas: (1) it improves the identification of potential patch regions using entropy analysis: we show that the entropy of adversarial patches is high, even in naturalistic patches; and (2) it improves the localization of adversarial patches, using an autoencoder that is able to complete patch regions from high entropy kernels. Jedi achieves high-precision adversarial patch localization, which we show is critical to successfully repair the images. Since Jedi relies on an input entropy analysis, it is model-agnostic, and can be applied on pre-trained off-the-shelf models without changes to the training or inference of the protected models. Jedi detects on average 90% of adversarial patches across different benchmarks and recovers up to 94% of successful patch attacks (Compared to 75% and 65% for LGS and Jujutsu, respectively).

Original language	English
Title of host publication	Proceedings of the 2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition, CVPR 2023
Publisher	Institute of Electrical and Electronics Engineers Inc.
Number of pages	9
ISBN (Electronic)	9798350301298
ISBN (Print)	9798350301304
DOIs	https://doi.org/10.1109/CVPR52729.2023.00398
Publication status	Published - 22 Aug 2023
Event	IEEE/CVF Conference on Computer Vision and Pattern Recognition 2023 - Canada, Vancouver, Canada Duration: 19 Jun 2023 → 22 Jun 2023 https://cvpr2023.thecvf.com/Conferences/2023

Publication series

Name	Conference on Computer Vision and Pattern Recognition (CVPR): Proceedings
Publisher	IEEE
ISSN (Print)	1063-6919
ISSN (Electronic)	2575-7075

Conference

Conference	IEEE/CVF Conference on Computer Vision and Pattern Recognition 2023
Abbreviated title	CVPR 2023
Country/Territory	Canada
City	Vancouver
Period	19/06/2023 → 22/06/2023
Internet address	https://cvpr2023.thecvf.com/Conferences/2023

Keywords

cs.CR
cs.CV
cs.LG

Access to Document

10.1109/CVPR52729.2023.00398Licence: Unspecified

Jedi: entropy-based localization and removal of adversarial patches
Copyright 2023 IEEE. This work is made available online in accordance with the publisher’s policies. Please refer to any applicable terms of use of the publisher.
Accepted author manuscript, 658 KBLicence: Unspecified

Cite this

Tarchoun, B., Khalifa, A. B., Mahjoub, M. A., Abu-Ghazaleh, N., & Alouani, I. (2023). Jedi: entropy-based localization and removal of adversarial patches. In Proceedings of the 2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition, CVPR 2023 (Conference on Computer Vision and Pattern Recognition (CVPR): Proceedings). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/CVPR52729.2023.00398

Tarchoun, Bilel ; Khalifa, Anouar Ben ; Mahjoub, Mohamed Ali et al. / Jedi: entropy-based localization and removal of adversarial patches. Proceedings of the 2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition, CVPR 2023. Institute of Electrical and Electronics Engineers Inc., 2023. (Conference on Computer Vision and Pattern Recognition (CVPR): Proceedings).

@inproceedings{69a0f7dfac6c43a0b255c2c88600e8b2,

title = "Jedi: entropy-based localization and removal of adversarial patches",

abstract = "Real-world adversarial physical patches were shown to be successful in compromising state-of-the-art models in a variety of computer vision applications. Existing defenses that are based on either input gradient or features analysis have been compromised by recent GAN-based attacks that generate naturalistic patches. In this paper, we propose Jedi, a new defense against adversarial patches that is resilient to realistic patch attacks. Jedi tackles the patch localization problem from an information theory perspective; leverages two new ideas: (1) it improves the identification of potential patch regions using entropy analysis: we show that the entropy of adversarial patches is high, even in naturalistic patches; and (2) it improves the localization of adversarial patches, using an autoencoder that is able to complete patch regions from high entropy kernels. Jedi achieves high-precision adversarial patch localization, which we show is critical to successfully repair the images. Since Jedi relies on an input entropy analysis, it is model-agnostic, and can be applied on pre-trained off-the-shelf models without changes to the training or inference of the protected models. Jedi detects on average 90\% of adversarial patches across different benchmarks and recovers up to 94\% of successful patch attacks (Compared to 75\% and 65\% for LGS and Jujutsu, respectively). ",

keywords = "cs.CR, cs.CV, cs.LG",

author = "Bilel Tarchoun and Khalifa, \{Anouar Ben\} and Mahjoub, \{Mohamed Ali\} and Nael Abu-Ghazaleh and Ihsen Alouani",

year = "2023",

month = aug,

day = "22",

doi = "10.1109/CVPR52729.2023.00398",

language = "English",

isbn = "9798350301304",

series = "Conference on Computer Vision and Pattern Recognition (CVPR): Proceedings",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

booktitle = "Proceedings of the 2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition, CVPR 2023",

address = "United States",

note = "IEEE/CVF Conference on Computer Vision and Pattern Recognition 2023, CVPR 2023 ; Conference date: 19-06-2023 Through 22-06-2023",

url = "https://cvpr2023.thecvf.com/Conferences/2023",

}

Tarchoun, B, Khalifa, AB, Mahjoub, MA, Abu-Ghazaleh, N & Alouani, I 2023, Jedi: entropy-based localization and removal of adversarial patches. in Proceedings of the 2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition, CVPR 2023. Conference on Computer Vision and Pattern Recognition (CVPR): Proceedings, Institute of Electrical and Electronics Engineers Inc., IEEE/CVF Conference on Computer Vision and Pattern Recognition 2023, Vancouver, British Columbia, Canada, 19/06/2023. https://doi.org/10.1109/CVPR52729.2023.00398

Jedi: entropy-based localization and removal of adversarial patches. / Tarchoun, Bilel; Khalifa, Anouar Ben; Mahjoub, Mohamed Ali et al.
Proceedings of the 2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition, CVPR 2023. Institute of Electrical and Electronics Engineers Inc., 2023. (Conference on Computer Vision and Pattern Recognition (CVPR): Proceedings).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Jedi: entropy-based localization and removal of adversarial patches

AU - Tarchoun, Bilel

AU - Khalifa, Anouar Ben

AU - Mahjoub, Mohamed Ali

AU - Abu-Ghazaleh, Nael

AU - Alouani, Ihsen

PY - 2023/8/22

Y1 - 2023/8/22

N2 - Real-world adversarial physical patches were shown to be successful in compromising state-of-the-art models in a variety of computer vision applications. Existing defenses that are based on either input gradient or features analysis have been compromised by recent GAN-based attacks that generate naturalistic patches. In this paper, we propose Jedi, a new defense against adversarial patches that is resilient to realistic patch attacks. Jedi tackles the patch localization problem from an information theory perspective; leverages two new ideas: (1) it improves the identification of potential patch regions using entropy analysis: we show that the entropy of adversarial patches is high, even in naturalistic patches; and (2) it improves the localization of adversarial patches, using an autoencoder that is able to complete patch regions from high entropy kernels. Jedi achieves high-precision adversarial patch localization, which we show is critical to successfully repair the images. Since Jedi relies on an input entropy analysis, it is model-agnostic, and can be applied on pre-trained off-the-shelf models without changes to the training or inference of the protected models. Jedi detects on average 90% of adversarial patches across different benchmarks and recovers up to 94% of successful patch attacks (Compared to 75% and 65% for LGS and Jujutsu, respectively).

AB - Real-world adversarial physical patches were shown to be successful in compromising state-of-the-art models in a variety of computer vision applications. Existing defenses that are based on either input gradient or features analysis have been compromised by recent GAN-based attacks that generate naturalistic patches. In this paper, we propose Jedi, a new defense against adversarial patches that is resilient to realistic patch attacks. Jedi tackles the patch localization problem from an information theory perspective; leverages two new ideas: (1) it improves the identification of potential patch regions using entropy analysis: we show that the entropy of adversarial patches is high, even in naturalistic patches; and (2) it improves the localization of adversarial patches, using an autoencoder that is able to complete patch regions from high entropy kernels. Jedi achieves high-precision adversarial patch localization, which we show is critical to successfully repair the images. Since Jedi relies on an input entropy analysis, it is model-agnostic, and can be applied on pre-trained off-the-shelf models without changes to the training or inference of the protected models. Jedi detects on average 90% of adversarial patches across different benchmarks and recovers up to 94% of successful patch attacks (Compared to 75% and 65% for LGS and Jujutsu, respectively).

KW - cs.CR

KW - cs.CV

KW - cs.LG

U2 - 10.1109/CVPR52729.2023.00398

DO - 10.1109/CVPR52729.2023.00398

M3 - Conference contribution

SN - 9798350301304

T3 - Conference on Computer Vision and Pattern Recognition (CVPR): Proceedings

BT - Proceedings of the 2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition, CVPR 2023

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - IEEE/CVF Conference on Computer Vision and Pattern Recognition 2023

Y2 - 19 June 2023 through 22 June 2023

ER -

Tarchoun B, Khalifa AB, Mahjoub MA, Abu-Ghazaleh N, Alouani I. Jedi: entropy-based localization and removal of adversarial patches. In Proceedings of the 2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition, CVPR 2023. Institute of Electrical and Electronics Engineers Inc. 2023. (Conference on Computer Vision and Pattern Recognition (CVPR): Proceedings). doi: 10.1109/CVPR52729.2023.00398

Jedi: entropy-based localization and removal of adversarial patches

Abstract

Publication series

Conference

Keywords

Access to Document

Fingerprint

Cite this