Center for Secure Information Systems

CSIS Seminar

Watermarking for Protecting Deep Image Classifiers against Adversarial Attacks: A Framework and Algorithms

Speaker:   Dr. En-hui Yang, University of Waterloo, Waterloo, Ontario, Canada
When:   February 11, 2022, 11:00 am - 12:00 pm
Where:   Zoom


Deep neural networks (DNNs) are vulnerable to adversarial examples: inputs carrying an imperceptible but carefully crafted perturbation that leads the DNN to produce an incorrect output. The existence and easy construction of adversarial examples pose significant security risks to DNNs, especially in safety-critical applications such as visual object recognition and autonomous driving. After reviewing attack strategies and defense strategies that have failed, this talk presents a novel watermarking-based framework for protecting deep image classifiers by detecting adversarial examples. The proposed framework consists of a watermark encoder, a possible adversary, and a detector followed by the deep image classifier to be protected. Specific methods of watermarking and detection will also be discussed. Experiments on a subset of the ImageNet validation dataset show that the framework, together with the presented watermarking and detection methods, is effective against a wide range of advanced attacks (static and adaptive), achieving a near-zero (effective) false negative rate for FGSM and PGD attacks (static and adaptive) with a guaranteed zero false positive rate. In addition, for all tested deep image classifiers (ResNet50V2, MobileNetV2, InceptionV3), the impact of watermarking on classification accuracy is insignificant: on average, 0.63% and 0.49% degradation in top-1 and top-5 accuracy, respectively.

Zoom Meeting Link: https://gmu.zoom.us/j/91322937979
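The abstract describes the pipeline (watermark encoder, possible adversary, detector in front of the classifier) without giving the watermarking method. The following is an added illustration written for this page, not Dr. Yang's method or code: it assumes one simple fragile-watermark design, a keyed HMAC tag over each pixel's upper seven bits written into the pixel's least significant bit, so that the detector accepts only an unmodified encoder output (zero false positives by construction) and flags any pixel change. The adversary is simulated with constructed, bounded per-pixel perturbations rather than a gradient-based attack, and the key, image and perturbation patterns are all constructed sample values.

```python
"""Fragile-watermark encoder and detector in front of a classifier (added example)."""
import hashlib
import hmac
from typing import List

# Constructed demo key; in practice only the detector would hold this secret.
DEMO_KEY = b"constructed-demo-key"


def keyed_tag_bits(high_bits: List[int], key: bytes, n_bits: int) -> List[int]:
    """Derive n_bits pseudo-random bits from an HMAC over the pixels' upper 7 bits.
    The tag depends on the key and on every upper bit, so a change to any
    upper bit re-randomises roughly half of the expected LSB pattern."""
    bits: List[int] = []
    counter = 0
    payload = bytes(high_bits)  # values 0..127, so each fits in one byte
    while len(bits) < n_bits:
        digest = hmac.new(key, payload + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        bits.extend((byte >> i) & 1 for byte in digest for i in range(8))
        counter += 1
    return bits[:n_bits]


def embed_watermark(image: List[int], key: bytes = DEMO_KEY) -> List[int]:
    """Watermark encoder: write the keyed tag into the LSB of every 8-bit pixel.
    Each pixel moves by at most 1, so the classifier's input is barely changed."""
    high = [p >> 1 for p in image]
    tag = keyed_tag_bits(high, key, len(image))
    return [(h << 1) | b for h, b in zip(high, tag)]


def count_mismatches(image: List[int], key: bytes = DEMO_KEY) -> int:
    """Detector core: recompute the tag from the received upper bits and
    count LSB positions that disagree with it."""
    high = [p >> 1 for p in image]
    expected = keyed_tag_bits(high, key, len(image))
    return sum(1 for p, b in zip(image, expected) if (p & 1) != b)


def is_authentic(image: List[int], key: bytes = DEMO_KEY) -> bool:
    """Accept only an exact match. An unmodified encoder output always passes
    (no false positives by construction); any pixel change either flips a stored
    bit or changes the upper bits and thus the whole tag, so it is flagged."""
    return count_mismatches(image, key) == 0


def perturb(image: List[int], deltas: List[int]) -> List[int]:
    """Stand-in for the adversary: add a bounded per-pixel change, clipped to 0..255.
    No gradients are computed; the perturbation shape is constructed for the demo."""
    return [min(255, max(0, p + d)) for p, d in zip(image, deltas)]


def build_sample_image(width: int = 8, height: int = 8) -> List[int]:
    """Constructed 8x8 grayscale gradient standing in for a real input image."""
    return [(x * 16 + y * 16) % 256 for y in range(height) for x in range(width)]


def run_demo() -> dict:
    clean = build_sample_image()
    marked = embed_watermark(clean)
    n = len(marked)
    # Two constructed perturbations, both bounded by L-infinity norm 2.
    alternating = [1 if i % 2 == 0 else -1 for i in range(n)]  # flips some LSBs, shifts some upper bits
    even_shift = [2] * n  # leaves every LSB untouched; only the upper bits change
    return {
        "clean_passes": is_authentic(marked),
        "max_pixel_change_from_marking": max(abs(a - b) for a, b in zip(clean, marked)),
        "alternating_detected": not is_authentic(perturb(marked, alternating)),
        "even_shift_detected": not is_authentic(perturb(marked, even_shift)),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The `even_shift` case is the one worth noting: a detector that merely checks for a fixed keyed bit pattern in the LSBs would miss a perturbation whose every step is even, since the LSBs survive it. Binding the tag to the upper bits closes that gap, which is the sense in which a watermark intended for adversarial-example detection must be fragile with respect to the whole pixel value, not just the bit plane it occupies.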

Speaker Bio

En-Hui Yang is an Electrical and Computer Engineering Professor and founding director of the Leitch-University of Waterloo Multimedia Communications lab. He is also the co-founder of SlipStream Data Inc. (now a subsidiary of BlackBerry Inc. formerly known as Research In Motion), and a past associate editor for IEEE Transactions on Information Theory. Professor Yang holds a Canada Research Chair (Tier 1) in Information Theory and Multimedia Data Compression. Dr. Yang received a Ph.D. in Electrical Engineering from the University of Southern California in 1996, a Ph.D. in Probability and Statistics from Nankai University in 1991, and a Bachelor's in Applied Mathematics from HuaQiao University in 1986.