Data ID Extraction Networks for Unsupervised Class- and Classifier-free Detection of Adversarial Examples.

Deep neural networks (DNNs) have achieved satisfactory performance in multiple fields. However, recent studies have shown that DNNs can be easily fooled by adversarial examples. To mitigate the threats caused by adversarial attacks, a highly effective strategy is to design detectors to reject adversarial examples. This article proposes an unsupervised class- and classifier-free adversarial detection method. It only takes unlabeled clean data for training to discriminate illegal samples, and does not require any knowledge about the adversarial examples, sample classes, and the original classifier. More specifically, motivated by the idea that adversarial examples may differ significantly from benign data in terms of sample structural information, we develop an adversarial detector that can simultaneously capture the residual information and the variable-wise structural relationships of data. After that, we design an attribute called data identity (ID) that combines the extracted residual and structural information of data to identify adversarial examples. We validate the superiority of the proposed method through detecting adversarial attacks on CIFAR-10 and ImageNet datasets, and the experimental results demonstrate that the performance of our model is the best among various state-of-the-art adversarial detectors. Besides, we also conduct visualization experiments to illustrate the role of structural information in detecting adversarial examples.