defense 2026

Defending against Patch-Based and Texture-Based Adversarial Attacks with Spectral Decomposition

Wei Zhang 1, Xinyu Chang 1, Xiao Li 1, Yiming Zhu 2, Xiaolin Hu 1

0 citations

Published on arXiv: 2604.10715

Input Manipulation Attack

OWASP ML Top 10 — ML01

Key Finding

ASD+AT outperforms previous defense methods by 21.73% AP against adaptive adversaries specifically designed to bypass the defense

Novel technique introduced

ASD


Adversarial examples present significant challenges to the security of Deep Neural Network (DNN) applications. Specifically, there are patch-based and texture-based attacks that are usually used to craft physical-world adversarial examples, posing real threats to security-critical applications such as person detection in surveillance and autonomous systems, because those attacks are physically realizable. Existing defense mechanisms face challenges in the adaptive attack setting, i.e., the attacks are specifically designed against them. In this paper, we propose Adversarial Spectrum Defense (ASD), a defense mechanism that leverages spectral decomposition via Discrete Wavelet Transform (DWT) to analyze adversarial patterns across multiple frequency scales. The multi-resolution and localization capability of DWT enables ASD to capture both high-frequency (fine-grained) and low-frequency (spatially pervasive) perturbations. By integrating this spectral analysis with the off-the-shelf Adversarial Training (AT) model, ASD provides a comprehensive defense strategy against both patch-based and texture-based adversarial attacks. Extensive experiments demonstrate that ASD+AT achieved state-of-the-art (SOTA) performance against various attacks, outperforming the APs of previous defense methods by 21.73%, in the face of strong adaptive adversaries specifically designed against ASD. Code available at https://github.com/weiz0823/adv-spectral-defense .


Key Contributions

  • Adversarial Spectrum Defense (ASD) using Discrete Wavelet Transform to analyze adversarial patterns across multiple frequency scales
  • Multi-resolution spectral analysis capturing both high-frequency (patch-based) and low-frequency (texture-based) perturbations
  • Integration with adversarial training achieving SOTA performance against adaptive attacks, outperforming prior defenses by 21.73% AP

🛡️ Threat Analysis

Input Manipulation Attack

Defends against adversarial examples at inference time—specifically patch-based attacks (AdvPatch) and texture-based attacks (AdvTexture) that cause misclassification through localized adversarial patterns.


Details

Domains
vision
Model Types
cnn
Threat Tags
inference_time, physical, digital, targeted
Applications
person detection, surveillance, autonomous systems