The vulnerability of deep neural networks to adversarial perturbations is widely recognized in the computer vision community. From a security perspective, it poses a critical risk for modern vision systems, e.g., the popular Deep Learning as a Service (DLaaS) frameworks. To protect off-the-shelf deep models without modifying them, current algorithms typically detect adversarial patterns through a discriminative decomposition of natural versus artificial data. However, these decompositions are biased towards either frequency or spatial discriminability, and thus fail to capture subtle adversarial patterns comprehensively. More seriously, they are typically invertible, meaning that a successful defense-aware (secondary) adversarial attack (i.e., one that evades the detector while also fooling the model) is practical under the assumption that the adversary is fully aware of the detector (i.e., Kerckhoffs's principle). Motivated by these facts, we propose an accurate and secure adversarial example detector relying on a spatial-frequency discriminative decomposition with secret keys. It extends the above works in two aspects: 1) the introduced Krawtchouk basis provides better spatial-frequency discriminability and is thereby more suitable for capturing adversarial patterns than the common trigonometric or wavelet bases; 2) the extensive parameters of the decomposition are generated by a pseudo-random function with secret keys, hence blocking defense-aware adversarial attacks. Theoretical and numerical analysis demonstrates the increased accuracy and security of our detector with respect to a number of state-of-the-art algorithms.
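The following sketch is an added illustration, not code from the paper, of the two ingredients the abstract names: an orthonormal Krawtchouk basis (weighted Krawtchouk polynomials, so the 2-D block transform is exactly invertible for whoever holds the parameters) and decomposition parameters produced by a pseudo-random function under a secret key. The abstract does not name the PRF, the block size, the parameter range or the detector's feature; HMAC-SHA256, 8x8 blocks, p drawn from [0.25, 0.75] and a "high-order energy" statistic are assumptions made here, and the sample blocks are constructed.

```python
"""Keyed Krawtchouk decomposition of an 8x8 image block (added illustration).

Assumed, not taken from the paper: HMAC-SHA256 as the pseudo-random function,
Krawtchouk parameters in [0.25, 0.75], and high-order coefficient energy as a
stand-in for whatever feature the real detector computes.
"""
import hashlib
import hmac
import math

BLOCK = 8                      # block side; polynomial orders run 0..N, N = BLOCK - 1
P_LOW, P_HIGH = 0.25, 0.75     # assumed range for the Krawtchouk parameter p


def pochhammer(a, k):
    """Rising factorial (a)_k = a (a+1) ... (a+k-1), with (a)_0 = 1."""
    r = 1.0
    for i in range(k):
        r *= a + i
    return r


def krawtchouk(n, x, p, N):
    """K_n(x; p, N) = 2F1(-n, -x; -N; 1/p), evaluated as its finite sum."""
    return sum(pochhammer(-n, k) * pochhammer(-x, k)
               / (pochhammer(-N, k) * math.factorial(k)) * (1.0 / p) ** k
               for k in range(n + 1))


def krawtchouk_basis(p, N):
    """Rows B[n] = K_n(x) * sqrt(w(x) / rho(n)) for x = 0..N.

    w(x) = C(N, x) p^x (1-p)^(N-x) is the binomial weight and rho(n) the squared
    norm of K_n under it, so the rows are orthonormal and B @ B^T is the identity.
    """
    basis = []
    for n in range(N + 1):
        rho = (-1) ** n * ((1 - p) / p) ** n * math.factorial(n) / pochhammer(-N, n)
        row = []
        for x in range(N + 1):
            w = math.comb(N, x) * p ** x * (1 - p) ** (N - x)
            row.append(krawtchouk(n, x, p, N) * math.sqrt(w / rho))
        basis.append(row)
    return basis


def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]


def transpose(A):
    return [list(col) for col in zip(*A)]


def derive_params(key):
    """PRF(key, label) -> (p_row, p_col) in [P_LOW, P_HIGH].

    HMAC-SHA256 plays the pseudo-random function (an assumption): without `key`
    the adversary cannot reproduce the basis, so they cannot invert the decomposition.
    """
    out = []
    for label in (b"krawtchouk-p-row", b"krawtchouk-p-col"):
        digest = hmac.new(key, label, hashlib.sha256).digest()
        u = int.from_bytes(digest[:8], "big") / 2 ** 64     # uniform in [0, 1)
        out.append(P_LOW + (P_HIGH - P_LOW) * u)
    return tuple(out)


def forward_with_params(block, p_row, p_col):
    """C = B_r X B_c^T : separable 2-D Krawtchouk coefficients of the block."""
    N = len(block) - 1
    return matmul(matmul(krawtchouk_basis(p_row, N), block),
                  transpose(krawtchouk_basis(p_col, N)))


def forward(block, key):
    return forward_with_params(block, *derive_params(key))


def inverse(coeffs, key):
    """X = B_r^T C B_c : recovers the block only with the key that produced `coeffs`."""
    p_row, p_col = derive_params(key)
    N = len(coeffs) - 1
    return matmul(matmul(transpose(krawtchouk_basis(p_row, N)), coeffs),
                  krawtchouk_basis(p_col, N))


def total_energy(M):
    return sum(v * v for row in M for v in row)


def high_order_energy(coeffs, min_order=8):
    """Energy in coefficients of combined order n + m >= min_order (stand-in statistic)."""
    return sum(coeffs[n][m] ** 2
               for n in range(len(coeffs)) for m in range(len(coeffs[n]))
               if n + m >= min_order)


# Constructed sample blocks: a flat grey patch, and the same patch with a +/-1
# checkerboard added to exercise the statistic with a small high-frequency change.
CLEAN_BLOCK = [[100.0] * BLOCK for _ in range(BLOCK)]
PERTURBED_BLOCK = [[100.0 + (1.0 if (i + j) % 2 == 0 else -1.0) for j in range(BLOCK)]
                   for i in range(BLOCK)]

if __name__ == "__main__":
    key = b"detector-secret-key"           # constructed; use a random secret in practice
    c_clean, c_adv = forward(CLEAN_BLOCK, key), forward(PERTURBED_BLOCK, key)
    print("derived (p_row, p_col):", derive_params(key))
    print("high-order energy clean / perturbed: %.3f / %.3f"
          % (high_order_energy(c_clean), high_order_energy(c_adv)))
    wrong = inverse(c_adv, b"adversary-guess")
    print("max error when inverting with a wrong key: %.3f"
          % max(abs(a - b) for ra, rb in zip(wrong, PERTURBED_BLOCK) for a, b in zip(ra, rb)))
```

The basis rows are orthonormal for every p in (0, 1), so the transform preserves energy and the key holder recovers the block exactly; an adversary who guesses a different key obtains a different basis and therefore neither the detector's coefficients nor a faithful inverse.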