Security-sensitive applications that rely on Deep Neural Networks (DNNs) are vulnerable to small perturbations that are crafted to generate Adversarial Examples(AEs). The AEs are imperceptible to humans and cause DNN to misclassify them. Many defense and detection techniques have been proposed. Model's confidences and Dropout, as a popular way to estimate the model's uncertainty, have been used for AE detection but they showed limited success against black- and gray-box attacks. Moreover, the state-of-the-art detection techniques have been designed for specific attacks or broken by others, need knowledge about the attacks, are not consistent, increase model parameters overhead, are time-consuming, or have latency in inference time. To trade off these factors, we revisit the model's uncertainty and confidences and propose a novel unsupervised ensemble AE detection mechanism that 1) uses the uncertainty method called SelectiveNet, 2) processes model layers outputs, i.e.feature maps, to generate new confidence probabilities. The detection method is called Selective and Feature based Adversarial Detection (SFAD). Experimental results show that the proposed approach achieves better performance against black- and gray-box attacks than the state-of-the-art methods and achieves comparable performance against white-box attacks. Moreover, results show that SFAD is fully robust against High Confidence Attacks (HCAs) for MNIST and partially robust for CIFAR10 datasets.

翻译：依赖深神经网络(DNN)的安全敏感应用很容易受到小扰动,这些扰动是设计用来生成反向实例的。 AE是人类无法察觉的,导致DNN错误分类的。许多防御和检测技术已经提出。模型的信任和退出,作为估算模型不确定性的流行方法,已经用于AE检测,但是在黑和灰箱袭击中却表现出有限的成功。此外,最先进的检测技术是为特定攻击或他人破坏而设计的,需要有关攻击的知识,不一致,增加模型参数的间接管理,耗费时间,或有误判时间。为了交换这些因素,我们重新审视模型的不确定性和信心,并提出一种新型的、不受监督的隐含的AE检测机制,从而1)使用不确定性方法称为SemiveNet,2)程序稳定程度模型输出,即:实际地图,以产生新的信任性能,需要了解这些攻击、不连贯、增加模型参数,需要增加间接的参数,需要时间,或有耐久性。为了消除这些因素,我们重新审视模型,我们重新审视了模型和精确性攻击的结果,因此,ADAD-AD-AD-AD-AD-AD-S-S-S-S-S-S-AD-S-S-S-AD-S-S-S-AAR-AAR-AAR-AD-AD-B-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-A-