Zhe Zhao,Guangke Chen,Tong Liu,Taishan Li,Fu Song,Jingyi Wang,Jun Sun

DOI: https://doi.org/10.1145/3631977

IF: 3.685

2023-01-01

ACM Transactions on Software Engineering and Methodology

Abstract:As a new programming paradigm, deep learning (DL) has achieved impressive performance in areas such as image processing and speech recognition, and has expanded its application to solve many real-world problems. However, neural networks and DL are normally black-box systems; even worse, DL-based software are vulnerable to threats from abnormal examples, such as adversarial and backdoored examples constructed by attackers with malicious intentions as well as unintentionally mislabeled samples. Therefore, it is important and urgent to detect such abnormal examples. Although various detection approaches have been proposed respectively addressing some specific types of abnormal examples, they suffer from some limitations; until today, this problem is still of considerable interest. In this work, we first propose a novel characterization to distinguish abnormal examples from normal ones based on the observation that abnormal examples have significantly different (adversarial) robustness from normal ones. We systemically analyze those three different types of abnormal samples in terms of robustness and find that they have different characteristics from normal ones. As robustness measurement is computationally expensive and hence can be challenging to scale to large networks, we then propose to effectively and efficiently measure robustness of an input sample using the cost of adversarially attacking the input, which was originally proposed to test robustness of neural networks against adversarial examples. Next, we propose a novel detection method, named attack as detection (A 2 D for short), which uses the cost of adversarially attacking an input instead of robustness to check if it is abnormal. Our detection method is generic, and various adversarial attack methods could be leveraged. Extensive experiments show that A 2 D is more effective than recent promising approaches that were proposed to detect only one specific type of abnormal examples. We also thoroughly discuss possible adaptive attack methods to our adversarial example detection method and show that A 2 D is still effective in defending carefully designed adaptive adversarial attack methods—for example, the attack success rate drops to 0% on CIFAR10.

Bin Liang,Hongcheng Li,Miaoqiang Su,Xirong Li,Wenchang Shi,Xiaofeng Wang

DOI: https://doi.org/10.1109/tdsc.2018.2874243

2018-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Recently, many studies have demonstrated deep neural network (DNN) classifiers can be fooled by the adversarial example, which is crafted via introducing some perturbations into an original sample. Accordingly, some powerful defense techniques were proposed. However, existing defense techniques often require modifying the target model or depend on the prior knowledge of attacks. In this paper, we propose a straightforward method for detecting adversarial image examples, which can be directly deployed into unmodified off-the-shelf DNN models. We consider the perturbation to images as a kind of noise and introduce two classic image processing techniques, scalar quantization and smoothing spatial filter, to reduce its effect. The image entropy is employed as a metric to implement an adaptive noise reduction for different kinds of images. Consequently, the adversarial example can be effectively detected by comparing the classification results of a given sample and its denoised version, without referring to any prior knowledge of attacks. More than 20,000 adversarial examples against some state-of-the-art DNN models are used to evaluate the proposed method, which are crafted with different attack techniques. The experiments show that our detection method can achieve a high overall F1 score of 96.39 percent and certainly raises the bar for defense-aware attacks.

Zhaoxia Yin,Shaowei Zhu,Hang Su,Jianteng Peng,Wanli Lyu,Bin Luo

DOI: https://doi.org/10.48550/arxiv.2305.04436

2023-01-01

Abstract: Deep Neural Networks (DNNs) have recently made significant progress in many fields. However, studies have shown that DNNs are vulnerable to adversarial examples, where imperceptible perturbations can greatly mislead DNNs even if the full underlying model parameters are not accessible. Various defense methods have been proposed, such as feature compression and gradient masking. However, numerous studies have proven that previous methods create detection or defense against certain attacks, which renders the method ineffective in the face of the latest unknown attack methods. The invisibility of adversarial perturbations is one of the evaluation indicators for adversarial example attacks, which also means that the difference in the local correlation of high-frequency information in adversarial examples and normal examples can be used as an effective feature to distinguish the two. Therefore, we propose an adversarial example detection framework based on a high-frequency information enhancement strategy, which can effectively extract and amplify the feature differences between adversarial examples and normal examples. Experimental results show that the feature augmentation module can be combined with existing detection models in a modular way under this framework. Improve the detector's performance and reduce the deployment cost without modifying the existing detection model.

Zhiyuan Liu,Chunjie Cao,Fangjian Tao,Yifan Li,Xiaoyu Lin

DOI: https://doi.org/10.1155/2022/5501035

IF: 1.968

2022-01-01

Security and Communication Networks

Abstract:Deep neural networks (DNNs) have been closely related to the Pandora’s box from the moment of its birth. Although it achieves a high accuracy significantly in real-world tasks (e.g., object detecting and speech recognition), it still retains fatal vulnerabilities and flaws. Malicious attackers can manipulate DNN model misclassification just by adding tiny perturbations to the original image. These crafted samples are also called adversarial examples. One of the effective defense methods is to detect them before feeding them into the model. In this paper, we delve into the representation of adversarial examples in the original spatial and spectral domains. By qualitative and quantitative analysis, it is confirmed that the high-level representation and high-frequency components of abnormal samples contain richer discriminative information. To further explore the influence mechanism between the two factors, we perform an ablation study and the results show a win-win effect. Utilizing the finding, a detecting method (HLFD) is proposed based on extracting high-level representation and high-frequency components. Compared with other state-of-the-art detection methods, we achieve a better detection performance in most scenarios via a series of experiments conducted on MNIST, CIFAR-10, CIFAR-100, SVHN, and Tiny-ImageNet. In particular, we improve detection rates by a large margin on DeepFool and CW attacks.

Yating Ma,Ruiqi Zha,Zhichao Lian

DOI: https://doi.org/10.1109/smartworld-uic-atc-scalcom-digitaltwin-pricomp-metaverse56740.2022.00028

2022-01-01

Abstract:Perception algorithms are commonly used in ubiquitous computing. Deep neural networks have achieved significant performance in computer vision field, yet were found that exist vulnerabilities which was misclassified by adversarial examples. This issue has attracted great attention to explore methods to defend against adversarial examples. Detecting adversarial examples is a basic work for improving robustness of models. However, how to exploit an efficient feature to distinguish clean examples and adversarial ones is a challenging problem. In this paper, we investigate the adversarial examples from frequency domain and propose a framework to detect and classify adversarial attacks combing with attention mechanism. We first demonstrate that adversarial perturbations are more perceptible in the frequency domain and exploit this to achieve significant detection results. Then, combined with the advantages of the attention mechanism, an integrate network is proposed to achieve a more refined classification of attack methods. Based on the structure of ResNetl8, our results achieve optimal detection rate and high classification rate of 73% among FGSM, PGD-$\ell_{2}$, PGD$-\ell_{\infty}$, Deepfool and MI-FGSM.

Yuru Su,Shaohui Mei,Shuai Wan

DOI: https://doi.org/10.1109/igarss53475.2024.10642655

2024-01-01

Abstract:Deep Neural Networks (DNNs) have demonstrated remarkable effectiveness in remote sensing (RS) image processing. However, they remain vulnerable to adversarial examples, which are generated by adding tiny but purposeful perturbations to clean examples. Such vulnerabilities in critical applications like environmental monitoring and urban planning can lead to significant negative consequences. To mitigate the interference of adversarial examples on DNNs, in this paper, a feature decoupling based adversarial examples detection (FD-AED) method for RS images is proposed, where non-robust features are employed in the detection process. Specifically, a loss function is designed for the de-coupler to disentangle the features into robust and non-robust features. Non-robust features are particularly useful because they often contain subtle clues that distinguish between clean and adversarial examples. By focusing on these non-robust features, the adversarial example detector can more effectively capture the differences between clean and adversarial examples. Experimental results indicate that the proposed FD-AED method effectively decouples robust and non-robust features, achieving more precise and reliable detection of adversarial examples.

Mihui Kim,Junhyeok Yun

DOI: https://doi.org/10.1155/2022/3440123

IF: 1.968

2022-12-19

Security and Communication Networks

Abstract:With the rapid development of image processing technology, image recognition systems based on massive image data are being developed and deployed. The wrong decision regarding an image recognition system for security-sensitive systems can cause serious problems such as personal accidents and property damage. Furthermore, adversarial attacks, which are security attacks that cause malfunctions in image recognition systems by inserting adversarial noise, have emerged and evolved. Several studies have been conducted to prevent adversarial attacks. However, existing mechanisms have low classification accuracy and low detection accuracy for adversarial examples with small adversarial noise. This paper proposes an adversarial example detection mechanism based on image feature extraction and a deep neural network (DNN) model. The proposed system achieves versatility and independence by detecting adversarial examples based on image features, such as edge noise and discrete cosine transform (DCT) bias, which adversarial examples have in common. The proposed system shows relatively higher detection accuracy than existing mechanisms for various types and amounts of adversarial noise and different sharpness of adversarial examples because the proposed system detects them depending on the characteristics of each type of adversarial example.

computer science, information systems,telecommunications

Han Zhang,Xin Zhang,Yuan Sun,Lixia Ji

DOI: https://doi.org/10.1016/j.imavis.2024.105238

IF: 3.86

2024-08-26

Image and Vision Computing

Abstract:Deep learning models are highly vulnerable to adversarial examples, leading to significant attention on techniques for detecting them. However, current methods primarily rely on detecting image features for identifying adversarial examples, often failing to address the diverse types and intensities of such examples. We propose a novel adversarial example detection method based on perturbation estimation and denoising to overcome this limitation. We develop an autoencoder to predict the latent adversarial perturbations of samples and select appropriately sized noise based on these predictions to cover the perturbations. Subsequently, we employ a non-blind denoising autoencoder to remove noise and residual perturbations effectively. This approach allows us to eliminate adversarial perturbations while preserving the original information, thus altering the prediction results of adversarial examples without affecting predictions on benign samples. Inconsistencies in predictions before and after processing by the model identify adversarial examples. Our experiments on datasets such as MNIST, CIFAR-10, and ImageNet demonstrate that our method surpasses other advanced detection methods in accuracy.

computer science, artificial intelligence, theory & methods,engineering, electrical & electronic, software engineering,optics

Jianpeng Ke,Wenqi Wang,Kang Yang,Lina Wang,Aoshuang Ye,Run Wang

DOI: https://doi.org/10.23919/jcc.ea.2021-0454.202401

2024-01-01

China Communications

Abstract:Deep neural networks (DNNs) are potentially susceptible to adversarial examples that are maliciously manipulated by adding imperceptible perturbations to legitimate inputs, leading to abnormal behavior of models. Plenty of methods have been proposed to defend against adversarial examples. However, the majority of them are suffering the following weaknesses: 1) lack of generalization and practicality. 2) fail to deal with unknown attacks. To address the above issues, we design the adversarial nature eraser (ANE) and feature map detector (FMD) to detect fragile and high-intensity adversarial examples, respectively. Then, we apply the ensemble learning method to compose our detector, dealing with adversarial examples with diverse magnitudes in a divide-and-conquer manner. Experimental results show that our approach achieves 99.30% and 99.62% Area under Curve (AUC) scores on average when tested with various L p norm-based attacks on CIFAR-10 and ImageNet, respectively. Furthermore, our approach also shows its potential in detecting unknown attacks.

Yuchen Wang,Xiaoguang Li,Li Yang,Jianfeng Ma,Hui Li

DOI: https://doi.org/10.1109/tdsc.2023.3269012

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Notwithstanding the tremendous success of deep neural networks in a range of realms, previous studies have shown that these learning models are exposed to an inherent hazard called adversarial example — images to which an elaborate perturbation is maliciously added could deceive a network, which entails the study of countermeasures urgently. However, existing solutions suffer from some weaknesses, e.g. parameters are usually determined empirically in some processing-based detection methods might result in a sub-optimal effect, and the directly performed processing on images might affect the classification of benign samples, leading to increment of false positive. In this paper, we propose a novel imAge-DepenDent noIse reducTION (ADDITION) model based on deep learning for adversarial detection. The ADDITION model can adaptively convert the adversarial perturbation in each image to approximate Gaussian noise by injecting image-dependent additional noise, then perform noise reduction to eliminate the adversarial perturbation, and finally detect adversarial examples by examining the classification inconsistency between the input image and its denoised version. The ADDITION model is trained end-to-end on benign samples without any prior knowledge of adversarial attacks, and thus avoid time-consuming task of generating adversarial examples in practical use. We generate more than 220,000 adversarial examples based on six attack algorithms for evaluation and present state-of-the-art comparisons on three real-word datasets. Extensive experiments demonstrate that our proposed method achieves improved performance in both detection accuracy rate and false positive rate.

Song Gao,Ruxin Wang,Xiaoxuan Wang,Shui Yu,Yunyun Dong,Shaowen Yao,Wei Zhou

DOI: https://doi.org/10.1109/tdsc.2023.3241428

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Despite achieving exceptional performance, deep neural networks (DNNs) suffer from the harassment caused by adversarial examples, which are produced by corrupting clean examples with tiny perturbations. Many powerful defense methods have been presented such as training data augmentation and input reconstruction which, however, usually rely on the prior knowledge of the targeted models or attacks. In this paper, we propose a novel approach for detecting adversarial images, which can protect any pre-trained DNN classifiers and resist an endless stream of new attacks. Specifically, we first adopt a dual autoencoder to project images to a latent space. The dual autoencoder uses the self-supervised learning to ensure that small modifications to samples do not significantly alter their latent representations. Next, the mutual information neural estimation is utilized to enhance the discrimination of the latent representations. We then leverage the prior distribution matching to regularize the latent representations. To easily compare the representations of examples in the two spaces, and not rely on the prior knowledge of the targeted model, a simple fully connected neural network is used to embed the learned representations into an eigenspace, which is consistent with the output eigenspace of the targeted model. Through the distribution similarity of an input example in the two eigenspaces, we can judge whether the input example is adversarial or not. Extensive experiments on MNIST, CIFAR-10, and ImageNet show that the proposed method has superior defense performance and transferability than state-of-the-arts.

Seunghwan Jung,Minyoung Chung,Yeong-Gil Shin

DOI: https://doi.org/10.1007/s11042-023-14608-6

IF: 2.577

2023-02-17

Multimedia Tools and Applications

Abstract:Recent advances in deep neural network (DNN) techniques have increased the importance of security and robustness of algorithms where DNNs are applied. However, several studies have demonstrated that neural networks are vulnerable to adversarial examples, which are generated by adding crafted adversarial noises to the input images. Because the adversarial noises are typically imperceptible to the human eye, it is difficult to defend DNNs. One method of defense is the detection of adversarial examples by analyzing characteristics of input images. Recent studies have used the hidden layer outputs of the target classifier to improve the robustness but need to access the target classifier. Moreover, there is no post-processing step for the detected adversarial examples. They simply discard the detected adversarial images. To resolve this problem, we propose a novel detection-based method, which predicts the adversarial noise and detects the adversarial example based on the predicted noise without any target classification information. We first generated adversarial examples and adversarial noises, which can be obtained from the residual between the original and adversarial example images. Subsequently, we trained the proposed adversarial noise predictor to estimate the adversarial noise image and trained the adversarial detector using the input images and the predicted noises. The proposed framework has the advantage that it is agnostic to the input image modality. Moreover, the predicted noises can be used to reconstruct the detected adversarial examples as the non-adversarial images instead of discarding the detected adversarial examples. We tested our proposed method against the fast gradient sign method (FGSM), basic iterative method (BIM), projected gradient descent (PGD), Deepfool, and Carlini & Wagner adversarial attack methods on the CIFAR-10 and CIFAR-100 datasets provided by the Canadian Institute for Advanced Research (CIFAR). Our method demonstrated significant improvements in detection accuracy when compared to the state-of-the-art methods and resolved the wastage problem of the detected adversarial examples. The proposed method agnostic to the input image modality demonstrated that the noise predictor successfully captured noise in the Fourier domain and improved the performance of the detection task. Moreover, we resolved the post-processing problem of the detected adversarial examples with the reconstruction process using the predicted noise.

computer science, information systems, theory & methods,engineering, electrical & electronic, software engineering

Kejiang Chen,Yuefeng Chen,Hang Zhou,Chuan Qin,Xiaofeng Mao,Weiming Zhang,Nenghai Yu

DOI: https://doi.org/10.1109/icassp39728.2021.9414008

2021-01-01

Abstract:Deep neural networks have been proved that they are vulnerable to adversarial examples, which are generated by adding human-imperceptible perturbations to images. To defend these adversarial examples, various detection based methods have been proposed. However, most of them perform poorly on detecting adversarial examples with extremely slight perturbations. By exploring these adversarial examples, we find that there exists compliance between perturbations and prediction confidence, which guides us to detect few-perturbation attacks from the aspect of prediction confidence. To detect both few-perturbation attacks and large-perturbation attacks, we propose a method beyond image space by a two-stream architecture, in which the image stream focuses on the pixel artifacts and the gradient stream copes with the confidence artifacts. The experimental results show that the proposed method outperforms the existing methods under oblivious attacks and is verified effective to defend omniscient attacks as well.

Jiaxin Cheng,Mohamed Hussein,Jay Billa,Wael AbdAlmageed

DOI: https://doi.org/10.48550/arXiv.2206.00489

2022-06-01

Computer Vision and Pattern Recognition

Abstract:The growing number of adversarial attacks in recent years gives attackers an advantage over defenders, as defenders must train detectors after knowing the types of attacks, and many models need to be maintained to ensure good performance in detecting any upcoming attacks. We propose a way to end the tug-of-war between attackers and defenders by treating adversarial attack detection as an anomaly detection problem so that the detector is agnostic to the attack. We quantify the statistical deviation caused by adversarial perturbations in two aspects. The Least Significant Component Feature (LSCF) quantifies the deviation of adversarial examples from the statistics of benign samples and Hessian Feature (HF) reflects how adversarial examples distort the landscape of the model's optima by measuring the local loss curvature. Empirical results show that our method can achieve an overall ROC AUC of 94.9%, 89.7%, and 94.6% on CIFAR10, CIFAR100, and SVHN, respectively, and has comparable performance to adversarial detectors trained with adversarial examples on most of the attacks.

Furkan Mumcu,Yasin Yilmaz

2024-10-23

Abstract:Deep Neural Networks (DNNs) have been shown to be vulnerable to adversarial examples. While numerous successful adversarial attacks have been proposed, defenses against these attacks remain relatively understudied. Existing defense approaches either focus on negating the effects of perturbations caused by the attacks to restore the DNNs' original predictions or use a secondary model to detect adversarial examples. However, these methods often become ineffective due to the continuous advancements in attack techniques. We propose a novel universal and lightweight method to detect adversarial examples by analyzing the layer outputs of DNNs. Through theoretical justification and extensive experiments, we demonstrate that our detection method is highly effective, compatible with any DNN architecture, and applicable across different domains, such as image, video, and audio.

Machine Learning,Cryptography and Security

Sicong Han,Chenhao Lin,Chao Shen,Qian Wang

DOI: https://doi.org/10.1007/978-3-030-88052-1_5

2021-01-01

Abstract:Deep neural networks (DNNs) have been recently found vulnerable to adversarial examples. Several previous works attempt to relate the low-frequency or high-frequency parts of adversarial inputs with the robustness of models. However, these studies lack comprehensive experiments and thorough analyses and even yield contradictory results. This work comprehensively explores the connection between the robustness of models and properties of adversarial perturbations in the frequency domain using six classic attack methods and three representative datasets. We visualize the distribution of successful adversarial perturbations using Discrete Fourier Transform and test the effectiveness of different frequency bands of perturbations on reducing the accuracy of classifiers through a proposed quantitative analysis. Experimental results show that the characteristics of successful adversarial perturbations in the frequency domain can vary from dataset to dataset, while their intensities are greater in the effective frequency bands. We analyze the obtained phenomena by combining principles of attacks and properties of datasets and offer a complete view of adversarial examples from the frequency domain perspective, which helps to explain the contradictory parts of previous works and provides insights for future research.

Xiujuan Wang,Qipeng Li,Shuaibing Lu

DOI: https://doi.org/10.1007/978-3-031-65172-4_16

2024-01-01

Abstract:With the development of deep learning technology, convolutional neural network (CNN) has been widely used in many fields such as face recognition, automatic driving, biomedicine, etc., replacing human beings to complete complex and redundant work, which brings great convenience to people’s lives. However, the discovery and development of adversarial examples have created a greater threat to image recognition. In this paper, we propose an adaptive image adversarial example detection method based on class activation mapping, which utilizes the hot zone discovery results of the Grad-CAM algorithm to perform adaptive noise reduction on images and analyzes the differences in the classification results of images before and after the noise reduction in the same benchmark network, including the KL dispersion, the label change, the label confidence, etc., to achieve the detection of adversarial examples on the ImageNet-1000 dataset. The experimental results show that the algorithm proposed in this paper achieves better detection results, and the F1 reaches 0.82 in detecting the generated FGSM adversarial examples with ϵ = 0.3, which is better than the baseline model.

Sensen Guo,Xiaoyu Li,Peican Zhu,Zhiying Mu

DOI: https://doi.org/10.1016/j.knosys.2023.110388

IF: 8.139

2023-02-16

Knowledge-Based Systems

Abstract:Adversarial attacks seriously threaten the security of machine learning models. Thus, detecting adversarial examples has become an important and interesting research topic facing various adversarial attacks. However, the majority of existing adversarial example detection algorithms cannot perform well in detecting adversarial examples with slight perturbations. In this paper, we propose a novel attention-based dual stream detector (ADS-Detector) that can address the detection of adversarial examples with both slight and large perturbations. Specifically, we first design a data process module to generate pixel and prediction confidence stream data from the raw image. Then, we propose an N -layer attention module to extract the channel and spatial feature weights between the pixel and prediction confidence stream data. Eventually, we feed the dual-stream data into the same subdetection model with a convolutional block attention module; then, the output results are combined to determine whether the input image is an adversarial example or not. To validate the performance, we conduct extensive experiments on three public datasets: CIFAR10, Dogs vs. Cats and ImageNet. After sufficient analysis of the simulation results, we find that our proposed method outperforms the others for the detection of adversarial attacks generated by the considered attack methods.

computer science, artificial intelligence

Fangzhen Zhao,Chenyi Zhang,Naipeng Dong,Ming Li

DOI: https://doi.org/10.1142/s0218001423500313

IF: 1.261

2024-01-01

International Journal of Pattern Recognition and Artificial Intelligence

Abstract:International Journal of Pattern Recognition and Artificial Intelligence, Ahead of Print. Deep Neural Networks (DNNs) can be easily fooled by inputs that are crafted by adversaries. For example, an adversarial image can be forged by adding to an image a tiny perturbation which is often unnoticeable by human eyes, though the semantic interpretations of the original image and the adversarial image, which are represented as outputs of a DNN, may be drastically different. This weakness can potentially lead to serious consequences in security-critical applications such as medical diagnostic tests and self-driving vehicles. Most existing approaches for adversarial detection only have satisfactory performance for specific types of attacks. These methods do not generalize their performances when applied to a broad range of attacks, models or datasets. In this work, we propose a new adversarial detection method called Adversarial Detection from Derived Models (ADDM), which applies derived models to "simulate" the functionality of a DNN, and analyzes the distribution for the neuron activation values in the derived models as indicators for adversarial inputs. In order to further enhance performance, we propose a heuristic that selects neurons from the derived models that are sensitive to perturbations. We compare our approach with six existing adversarial detection approaches of different methodologies, and the experimental result confirms that the proposed approach has generally better performance regarding stability over different types of adversarial attacks on a variety of tested DNN models and datasets.

computer science, artificial intelligence

Weiqi Fan,Guangling Sun,Yuying Su,Zhi Liu,Xiaofeng Lu

DOI: https://doi.org/10.1007/s11042-019-7353-6

IF: 2.577

2019-01-01

Multimedia Tools and Applications

Abstract:Deep Neural Networks (DNN) has achieved a great success in many tasks in recent years. However, researchers found that DNN is vulnerable to adversarial examples that are maliciously perturbed inputs. The elaborately designed adversarial perturbations can easily confuse the model whereas have no impacts on human perception. To counter adversarial examples, we propose an integrated detection framework for detecting adversarial examples, which involves statistical detector and Gaussian noise injection detector. The statistical detector extracts Subtractive Pixel Adjacency Matrix (SPAM) and uses the second order Markov transition probability matrix to model SPAM so as to highlight the statistical anomaly hidden in an adversarial input. Then an ensemble classifier using SPAM based feature is applied to detect the adversarial input containing large perturbation. The Gaussian noise injection detector first injects an additive Gaussian noise into the input, and then feeds both the original input and its Gaussian noise injected counterpart into a targeted network. By comparing the two outputs difference, the detector is applied to detect adversarial input containing small perturbation: if the difference exceeds a threshold, the input is adversarial; otherwise legitimate. The two detectors are adaptive to different characteristics of adversarial perturbation so that the proposed detection framework is capable of detecting multiple types of adversarial examples. In our work, we test six categories of adversarial examples produced by Fast Gradient Sign Method (FGSM, untargeted), Randomized Fast Gradient Sign Method (R-FGSM, untargeted), Basic Iterative Method (BIM, untargeted), DeepFool (untargeted), Carlini&Wagner Method (CW_UT, untargeted) and CW_T(targeted). Comprehensive empirical results show that the proposed detection framework has achieved a promising performance on ImageNet database.