Zhe Zhao,Guangke Chen,Tong Liu,Taishan Li,Fu Song,Jingyi Wang,Jun Sun

DOI: https://doi.org/10.1145/3631977

IF: 3.685

2023-01-01

ACM Transactions on Software Engineering and Methodology

Abstract:As a new programming paradigm, deep learning (DL) has achieved impressive performance in areas such as image processing and speech recognition, and has expanded its application to solve many real-world problems. However, neural networks and DL are normally black-box systems; even worse, DL-based software are vulnerable to threats from abnormal examples, such as adversarial and backdoored examples constructed by attackers with malicious intentions as well as unintentionally mislabeled samples. Therefore, it is important and urgent to detect such abnormal examples. Although various detection approaches have been proposed respectively addressing some specific types of abnormal examples, they suffer from some limitations; until today, this problem is still of considerable interest. In this work, we first propose a novel characterization to distinguish abnormal examples from normal ones based on the observation that abnormal examples have significantly different (adversarial) robustness from normal ones. We systemically analyze those three different types of abnormal samples in terms of robustness and find that they have different characteristics from normal ones. As robustness measurement is computationally expensive and hence can be challenging to scale to large networks, we then propose to effectively and efficiently measure robustness of an input sample using the cost of adversarially attacking the input, which was originally proposed to test robustness of neural networks against adversarial examples. Next, we propose a novel detection method, named attack as detection (A 2 D for short), which uses the cost of adversarially attacking an input instead of robustness to check if it is abnormal. Our detection method is generic, and various adversarial attack methods could be leveraged. Extensive experiments show that A 2 D is more effective than recent promising approaches that were proposed to detect only one specific type of abnormal examples. We also thoroughly discuss possible adaptive attack methods to our adversarial example detection method and show that A 2 D is still effective in defending carefully designed adaptive adversarial attack methods—for example, the attack success rate drops to 0% on CIFAR10.

Zhe Zhao,Guangke Chen,Jingyi Wang,Yiwei Yang,Fu Song,Jun Sun

DOI: https://doi.org/10.1145/3460319.3464822

2021-01-01

Abstract:As a new programming paradigm, deep learning has expanded its application to many real-world problems. At the same time, deep learning based software are found to be vulnerable to adversarial attacks. Though various defense mechanisms have been proposed to improve robustness of deep learning software, many of them are ineffective against adaptive attacks. In this work, we propose a novel characterization to distinguish adversarial examples from benign ones based on the observation that adversarial examples are significantly less robust than benign ones. As existing robustness measurement does not scale to large networks, we propose a novel defense framework, named attack as defense (A2D), to detect adversarial examples by effectively evaluating an example’s robustness. A2D uses the cost of attacking an input for robustness evaluation and identifies those less robust examples as adversarial since less robust examples are easier to attack. Extensive experiment results on MNIST, CIFAR10 and ImageNet show that A2D is more effective than recent promising approaches. We also evaluate our defense against potential adaptive attacks and show that A2D is effective in defending carefully designed adaptive attacks, e.g., the attack success rate drops to 0% on CIFAR10.

Kejiang Chen,Yuefeng Chen,Hang Zhou,Chuan Qin,Xiaofeng Mao,Weiming Zhang,Nenghai Yu

DOI: https://doi.org/10.1109/icassp39728.2021.9414008

2021-01-01

Abstract:Deep neural networks have been proved that they are vulnerable to adversarial examples, which are generated by adding human-imperceptible perturbations to images. To defend these adversarial examples, various detection based methods have been proposed. However, most of them perform poorly on detecting adversarial examples with extremely slight perturbations. By exploring these adversarial examples, we find that there exists compliance between perturbations and prediction confidence, which guides us to detect few-perturbation attacks from the aspect of prediction confidence. To detect both few-perturbation attacks and large-perturbation attacks, we propose a method beyond image space by a two-stream architecture, in which the image stream focuses on the pixel artifacts and the gradient stream copes with the confidence artifacts. The experimental results show that the proposed method outperforms the existing methods under oblivious attacks and is verified effective to defend omniscient attacks as well.

Jiawei Zhao,Lizhe Xie,Yuning Zhang,Siqi Gu,Zheng Wang,Yining Hu

DOI: https://doi.org/10.2139/ssrn.4850545

2024-01-01

Abstract:Deep Neural Networks (DNNs) have been shown to be vulnerable to adversarial examples. The existence of adversarial examples significantly hinders the development of deep learning technologies in domains with high-security requirements. However, current defense methods often lack universality, being effective only against specific adversarial attacks. This study focuses on analyzing adversarial examples through changes in model attention, classifying attack algorithms into attention-shifting and attention-attenuation categories. To counter attention-shifting attacks, a defense module named Feature Pyramid-based Attention Space-guided (FPAS) is proposed, which spatially retracts the shifting attention in adversarial examples, thereby enhancing the model's overall defense capability. Attention-based Non-Local (ANL) is a proposed defense module to counter attention-attenuation attacks. This module enhances the model's focus on critical features, efficiently constructing a robust defense model with low implementation cost and minimal intrusion into the original model. By integrating FPAS and ANL into the Wide-ResNet model within a boosting framework, the study demonstrates their synergistic defense capability. Even with eight adversarial samples embedded with adversarial patches, our FPAS_at and ANL_at models demonstrated significant improvements over the baseline, enhancing the average defense rate by 5.47% and 7.74%, respectively. Extensive experiments confirm that this universal defense strategy offers comprehensive protection against adversarial attacks at a lower implementation cost compared to current mainstream defense methods, while also being adaptable for integration with existing defense strategies to further enhance adversarial robustness.

Qiao Li,Jing Chen,Kun He,Zijun Zhang,Ruiying Du,Jisi She,Xinxin Wang

DOI: https://doi.org/10.1016/j.cose.2024.103791

IF: 5.105

2024-02-01

Computers & Security

Abstract:Image classification based on Deep Neural Networks (DNNs) is vulnerable to adversarial examples, which make the classifier output incorrect predictions. One approach to defending against this attack is to detect whether the input is an adversarial example. Unfortunately, existing adversarial example detection methods heavily rely on the underlying classifier and may fail when the classifier is upgraded. In this paper, we propose a model-agnostic detection method that leverages high-frequency signals from adversarial noises in adversarial examples and does not need interactions with the underlying classifier. We amplify redundant high-frequency signals brought by adversarial noises and represent object boundaries with these signals in an image. Our key insight is that the boundaries extracted by redundant high-frequency signals have a strong correlation with the boundaries of images in adversarial examples, while this correlation does not exist in clean images. Furthermore, adversarial examples of large images have more high-frequency signals and make adversarial detection easier on large image datasets. Experimental results show that our method has good transferability and can accurately detect various adversarial examples on different datasets.

computer science, information systems

Xiaowei Long,Jie Lin,Xiangyuan Yang

2024-11-11

Abstract:Adversarial detection is designed to identify and reject maliciously crafted adversarial examples(AEs) which are generated to disrupt the classification of target models. Presently, various input transformation-based methods have been developed on adversarial example detection, which typically rely on empirical experience and lead to unreliability against new attacks. To address this issue, we propose and conduct a Dynamically Stable System (DSS), which can effectively detect the adversarial examples from normal examples according to the stability of input examples. Particularly, in our paper, the generation of adversarial examples is considered as the perturbation process of a Lyapunov dynamic system, and we propose an example stability mechanism, in which a novel control term is added in adversarial example generation to ensure that the normal examples can achieve dynamic stability while the adversarial examples cannot achieve the stability. Then, based on the proposed example stability mechanism, a Dynamically Stable System (DSS) is proposed, which can utilize the disruption and restoration actions to determine the stability of input examples and detect the adversarial examples through changes in the stability of the input examples. In comparison with existing methods in three benchmark datasets(MNIST, CIFAR10, and CIFAR100), our evaluation results show that our proposed DSS can achieve ROC-AUC values of 99.83%, 97.81% and 94.47%, surpassing the state-of-the-art(SOTA) values of 97.35%, 91.10% and 93.49% in the other 7 methods.

Artificial Intelligence

Shigeng Zhang,Yudong Li,Shuxin Chen,Xuan Li,Jian Zhang

DOI: https://doi.org/10.1109/IWQoS57198.2023.10188719

2023-01-01

Abstract:Adversarial attacks reveal the inherent vulnerability of deep neural networks, which face serious security issues for their security. Among them, the attack against the Deep Neural Network (DNN) application used in the Industrial Internet of Things (IIoT) is a key area in adversarial attacks. Adversarial examples generated by attackers by adding human-undetectable interference to legitimate examples may cause models to make wrong decision results, resulting in serious accidents. Many detection technologies have been proposed to mitigate the harm of adversarial examples to neural networks, among which the methods based on the difference of feature attribution between normal examples and adversarial examples show state-of-the-art detection performance, but they suffer from detection efficiency. In this work, we focus on improving the detection efficiency of the feature-attribution-based detection methods. We observe that there is still a significant difference in the feature attribution distribution of a normal image and an adversarial image even only some pixels in the image are processed, which can be verified by utilizing the Kolmogorov-Smirnov test. Based on this observation, we first adopt a variety of strategies to sample partial pixels in an image and then utilize the selected pixels to train a feature-attribution-based detector for detecting adversarial examples. Extensive experiments conducted on four datasets (MNIST, CIFAR-10, SVHN, CIFAR-100) against various attacks proved that the detection efficiency of the accelerated detection method is improved (for example, the average execution time was increased by 8.7 times on CIFAR-10) while the detection performance maintains state-of-the-art.

Dengpan Ye,Chuanxi Chen,Changrui Liu,Hao Wang,Shunzhi Jiang

DOI: https://doi.org/10.1002/int.22458

IF: 8.993

2021-05-08

International Journal of Intelligent Systems

Abstract:<p>It is well established that neural networks are vulnerable to adversarial examples, which are almost imperceptible on human vision and can cause the deep models misbehave. Such phenomenon may lead to severely inestimable consequences in the safety and security critical applications. Existing defenses are trend to harden the robustness of models against adversarial attacks, for example, adversarial training technology. However, these are usually intractable to implement due to the high cost of retraining and the cumbersome operations of altering the model architecture or parameters. In this paper, we discuss the saliency map method from the view of enhancing model interpretability, it is similar to introducing the mechanism of the attention to the model, so as to comprehend the progress of object identification by the deep networks. We then propose a novel method combined with additional noises and utilize the inconsistency strategy to detect adversarial examples. Our experimental results of some representative adversarial attacks on common data sets including ImageNet and popular models show that our method can detect all the attacks with high detection success rate effectively. We compare it with the existing state‐of‐the‐art technique, and the experiments indicate that our method is more general.</p>

computer science, artificial intelligence

Yulong Wang,Tianxiang Li,Shenghong Li,Xin Yuan,Wei Ni

2023-05-03

Abstract:Deep Neural Networks (DNNs) are vulnerable to adversarial examples, while adversarial attack models, e.g., DeepFool, are on the rise and outrunning adversarial example detection techniques. This paper presents a new adversarial example detector that outperforms state-of-the-art detectors in identifying the latest adversarial attacks on image datasets. Specifically, we propose to use sentiment analysis for adversarial example detection, qualified by the progressively manifesting impact of an adversarial perturbation on the hidden-layer feature maps of a DNN under attack. Accordingly, we design a modularized embedding layer with the minimum learnable parameters to embed the hidden-layer feature maps into word vectors and assemble sentences ready for sentiment analysis. Extensive experiments demonstrate that the new detector consistently surpasses the state-of-the-art detection algorithms in detecting the latest attacks launched against ResNet and Inception neutral networks on the CIFAR-10, CIFAR-100 and SVHN datasets. The detector only has about 2 million parameters, and takes shorter than 4.6 milliseconds to detect an adversarial example generated by the latest attack models using a Tesla K80 GPU card.

Cryptography and Security,Artificial Intelligence,Computer Vision and Pattern Recognition,Machine Learning

Zhaoxia Yin,Shaowei Zhu,Hang Su,Jianteng Peng,Wanli Lyu,Bin Luo

DOI: https://doi.org/10.48550/arxiv.2305.04436

2023-01-01

Abstract: Deep Neural Networks (DNNs) have recently made significant progress in many fields. However, studies have shown that DNNs are vulnerable to adversarial examples, where imperceptible perturbations can greatly mislead DNNs even if the full underlying model parameters are not accessible. Various defense methods have been proposed, such as feature compression and gradient masking. However, numerous studies have proven that previous methods create detection or defense against certain attacks, which renders the method ineffective in the face of the latest unknown attack methods. The invisibility of adversarial perturbations is one of the evaluation indicators for adversarial example attacks, which also means that the difference in the local correlation of high-frequency information in adversarial examples and normal examples can be used as an effective feature to distinguish the two. Therefore, we propose an adversarial example detection framework based on a high-frequency information enhancement strategy, which can effectively extract and amplify the feature differences between adversarial examples and normal examples. Experimental results show that the feature augmentation module can be combined with existing detection models in a modular way under this framework. Improve the detector's performance and reduce the deployment cost without modifying the existing detection model.

Xiaoyi Dong,Jiangfan Han,Dongdong Chen,Jiayang Liu,Huanyu Bian,Zehua Ma,Hongsheng Li,Xiaogang Wang,Weiming Zhang,Nenghai Yu

DOI: https://doi.org/10.1109/CVPR42600.2020.01291

2020-01-01

Abstract:Deep Neural Networks are vulnerable to adversarial samples, which can fool classifiers by adding small perturbations onto the original image. Since the pioneering optimization-based adversarial attack method, many following methods have been proposed in the past several years. However most of these methods add perturbations in a \"pixel-wise\" and \"global\" way. Firstly, because of the contradiction between the local smoothness of natural images and the noisy property of these adversarial perturbations, this \"pixel-wise\" way makes these methods not robust to image processing based defense methods and steganalysis based detection methods. Secondly, we find adding perturbations to the background is less useful than to the salient object, thus the \"global\" way is also not optimal. Based on these two considerations, we propose the first robust superpixel-guided attentional adversarial attack method. Specifically, the adversarial perturbations are only added to the salient regions and guaranteed to be same within each superpixel. Through extensive experiments, we demonstrate our method can preserve the attack ability even in this highly constrained modification space. More importantly, compared to existing methods, it is significantly more robust to image processing based defense and steganalysis based detection.

Xurong Li,Shouling Ji,Juntao Ji,Zhenyu Ren,Chunming Wu,Bo Li,Ting Wang

DOI: https://doi.org/10.1049/iet-cvi.2019.0378

IF: 1.484

2020-01-01

IET Computer Vision

Abstract:Adversarial examples (AEs) against deep neural networks (DNNs) raise wide concerns about the robustness of DNNs. Existing detection mechanisms are often limited to a given attack algorithm. Therefore, it is highly desirable to develop a robust detection approach that remains effective for a large group of attack algorithms. In addition, most of the existing defences only perform well for small images (e.g. MNIST and Canadian institute for advanced research (CIFAR)) rather than large images (e.g. ImageNet). In this paper, the authors propose a robust and effective defence method for analysing the sensitivity of various AEs, especially in a much harder case (large images). Their method first creates a feature map from the input space to the new feature space, by utilising 19 different feature mapping methods. Then, a detector is learned with the machine‐learning algorithm to recognise the unique distribution of AEs. Their extensive evaluations on their proposed detector show that their detector can achieve: (i) low false‐positive rate (<1%), (ii) high true‐positive rate (higher than 98%), (iii) low overhead (<0.1 s per input), and (iv) good robustness (work well across different learning models, attack algorithms, and parameters), which demonstrate the efficacy of the proposed detector in practise.

Jiakai Wang,Aishan Liu,Zixin Yin,Shunchang Liu,Shiyu Tang,Xianglong Liu

DOI: https://doi.org/10.48550/arXiv.2103.01050

2021-03-01

Abstract:Deep learning models are vulnerable to adversarial examples. As a more threatening type for practical deep learning systems, physical adversarial examples have received extensive research attention in recent years. However, without exploiting the intrinsic characteristics such as model-agnostic and human-specific patterns, existing works generate weak adversarial perturbations in the physical world, which fall short of attacking across different models and show visually suspicious appearance. Motivated by the viewpoint that attention reflects the intrinsic characteristics of the recognition process, this paper proposes the Dual Attention Suppression (DAS) attack to generate visually-natural physical adversarial camouflages with strong transferability by suppressing both model and human attention. As for attacking, we generate transferable adversarial camouflages by distracting the model-shared similar attention patterns from the target to non-target regions. Meanwhile, based on the fact that human visual attention always focuses on salient items (e.g., suspicious distortions), we evade the human-specific bottom-up attention to generate visually-natural camouflages which are correlated to the scenario context. We conduct extensive experiments in both the digital and physical world for classification and detection tasks on up-to-date models (e.g., Yolo-V5) and significantly demonstrate that our method outperforms state-of-the-art methods.

Computer Vision and Pattern Recognition

Jinyin Chen,Haibin Zheng,Wenchang Shangguan,Liangying Liu,Shouling Ji

DOI: https://doi.org/10.1016/j.ins.2021.01.035

IF: 8.1

2021-01-01

Information Sciences

Abstract:With the extensive application of deep neural networks (DNNs) in computer vision tasks, the vulnerability of such systems to carefully crafted adversarial examples has attracted increasing attention. Although various adversarial defense methods have been proposed to improve the robustness of DNNs, the detection of adversarial examples remains challenging. Previous studies have demonstrated that adversarial examples are sensitive to channel transformation operations, such as rotate and resize, whereas clean examples are immune to them. The detection efficiency heavily relies on the numbers and types of transformation operations. Thus, we propose an adaptive channel transformation-based light-weighted detector known as the ACT-Detector, which selects approximately optimal channel transformation types and the minimal channel transformation number through a cuckoo search. The ACT-Detector can not only detect adversarial and clean examples but can also identify the type of attack, such as white-box and black-box attacks. Comprehensive experiments were performed on the MNIST, CIFAR10, and ImageNet data sets to verify the detection efficiency of the ACT-Detector. The ACT-Detector outperformed a detector containing 45 channel transformations, using only five channel transformations to achieve 99.05% and 98.8% detection rates on the MNIST and CIFAR10 datasets, respectively. This is because the ACT-Detector could select channels with different features, whereas the features in the 45 channels were redundant. By reducing the channel number, the total time required for the ACT-Detector to detect one example was approximately one-quarter that required for the detector with 45 channels during testing. Thus, the proposed detector is proven to be effective and efficient, which is valuable for the detection of adversarial examples. (c) 2021 Published by Elsevier Inc.

Mihui Kim,Junhyeok Yun

DOI: https://doi.org/10.1155/2022/3440123

IF: 1.968

2022-12-19

Security and Communication Networks

Abstract:With the rapid development of image processing technology, image recognition systems based on massive image data are being developed and deployed. The wrong decision regarding an image recognition system for security-sensitive systems can cause serious problems such as personal accidents and property damage. Furthermore, adversarial attacks, which are security attacks that cause malfunctions in image recognition systems by inserting adversarial noise, have emerged and evolved. Several studies have been conducted to prevent adversarial attacks. However, existing mechanisms have low classification accuracy and low detection accuracy for adversarial examples with small adversarial noise. This paper proposes an adversarial example detection mechanism based on image feature extraction and a deep neural network (DNN) model. The proposed system achieves versatility and independence by detecting adversarial examples based on image features, such as edge noise and discrete cosine transform (DCT) bias, which adversarial examples have in common. The proposed system shows relatively higher detection accuracy than existing mechanisms for various types and amounts of adversarial noise and different sharpness of adversarial examples because the proposed system detects them depending on the characteristics of each type of adversarial example.

computer science, information systems,telecommunications

Jiaxin Cheng,Mohamed Hussein,Jay Billa,Wael AbdAlmageed

DOI: https://doi.org/10.48550/arXiv.2206.00489

2022-06-01

Computer Vision and Pattern Recognition

Abstract:The growing number of adversarial attacks in recent years gives attackers an advantage over defenders, as defenders must train detectors after knowing the types of attacks, and many models need to be maintained to ensure good performance in detecting any upcoming attacks. We propose a way to end the tug-of-war between attackers and defenders by treating adversarial attack detection as an anomaly detection problem so that the detector is agnostic to the attack. We quantify the statistical deviation caused by adversarial perturbations in two aspects. The Least Significant Component Feature (LSCF) quantifies the deviation of adversarial examples from the statistics of benign samples and Hessian Feature (HF) reflects how adversarial examples distort the landscape of the model's optima by measuring the local loss curvature. Empirical results show that our method can achieve an overall ROC AUC of 94.9%, 89.7%, and 94.6% on CIFAR10, CIFAR100, and SVHN, respectively, and has comparable performance to adversarial detectors trained with adversarial examples on most of the attacks.

Chen Ma,Chenxu Zhao,Hailin Shi,Li Chen,Junhai Yong,Dan Zeng

DOI: https://doi.org/10.1145/3343031.3350887

2019-01-01

Abstract:Deep neural networks (DNNs) are vulnerable to the adversarial attack which is maliciously implemented by adding human-imperceptible perturbation to images and thus leads to incorrect prediction. Existing studies have proposed various methods to detect the new adversarial attacks. However, new attack methods keep evolving constantly and yield new adversarial examples to bypass the existing detectors. It needs to collect tens of thousands samples to train detectors, while the new attacks evolve much more frequently than the high-cost data collection. Thus, this situation leads the newly evolved attack samples to remain in small scales. To solve such few-shot problem with the evolving attacks, we propose a meta-learning based robust detection method to detect new adversarial attacks with limited examples. Specifically, the learning consists of a double-network framework: a task-dedicated network and a master network which alternatively learn the detection capability for either seen attack or a new attack. To validate the effectiveness of our approach, we construct the benchmarks with few-shot-fashion protocols based on three conventional datasets, i.e. CIFAR-10, MNIST and Fashion-MNIST. Comprehensive experiments are conducted on them to verify the superiority of our approach with respect to the traditional adversarial attack detection methods. The implementation code is available online.

Fengting Li,Xuankai Liu,Xiaoli Zhang,Qi Li,Kun Sun,Kang Li

DOI: https://doi.org/10.1109/infocom42981.2021.9488754

2021-01-01

Abstract:Deep neural networks (DNNs) have been applied in a wide range of applications, e.g., face recognition and image classification; however, they are vulnerable to adversarial examples. By adding a small amount of imperceptible perturbations, an attacker can easily manipulate the outputs of a DNN. Particularly, the localized adversarial examples only perturb a small and contiguous region of the target object, so that they are robust and effective in both digital and physical worlds. Although the localized adversarial examples have more severe real-world impacts than traditional pixel attacks, they have not been well addressed in the literature. In this paper, we propose a generic defense system called TaintRadar to accurately detect localized adversarial examples via analyzing critical regions that have been manipulated by attackers. The main idea is that when removing critical regions from input images, the ranking changes of adversarial labels will be larger than those of benign labels. Compared with existing defense solutions, TaintRadar can effectively capture sophisticated localized partial attacks, e.g., the eye-glasses attack, while not requiring additional training or fine-tuning of the original model's structure. Comprehensive experiments have been conducted in both digital and physical worlds to verify the effectiveness and robustness of our defense.

Shigeng Zhang,Shuxin Chen,Xuan Liu,Chengyao Hua,Weiping Wang,Kai Chen,Jian Zhang,Jianxin Wang

DOI: https://doi.org/10.1109/tnse.2021.3057071

IF: 6.6

2022-01-01

IEEE Transactions on Network Science and Engineering

Abstract:Deep learning techniques such as convolutional neural networks (CNNs) have been used in a wide range of fields due to their superior performance, e.g., image classification, autonomous driving and natural language processing. However, recent progress shows that deep learning models are vulnerable to adversarial samples, which are crafted by adding small perturbations on normal samples that are imperceptible to human beings but can mislead the deep learning models to output incorrect results. Many adversarial attack models are proposed and many adversarial detection methods are developed to detect adversarial samples generated by these attack models. However, the evaluations of these detection methods are fragmented and scatter in separate literature, and the community still lacks a comprehensive understanding of the ability and performance of existing adversarial detection methods when facing different attack models on different datasets. In this paper, by using image classification as the example application scenario, we conduct a comprehensive study on the performance of five mainstream adversarial detection methods against five major attack models on four widely used benchmark datasets. We find that the detection accuracy of different methods interleaves for different attack models and dataset. Moreover, besides detection accuracy, we also evaluate the time efficiency of different detection methods. The findings reported in this paper can provide useful insights when designing systems to detect adversarial samples and act as a guideline to design new methods to detect adversarial samples.

engineering, multidisciplinary,mathematics, interdisciplinary applications

Xiaoxue Wu Xiaoxue Wu,Shuqi Zuo Xiaoxue Wu,Shiyu Weng Shuqi Zuo,Yongkang Jiang Shiyu Weng,Hao Huang Yongkang Jiang

DOI: https://doi.org/10.53106/160792642024012501012

2024-01-01

網際網路技術學刊

Abstract:With the widespread application of deep neural networks in image detection, adversarial sample attacks have gradually become a hot issue of concern for researchers. In this paper we propose a new adversarial sample detection approach called AdvDetector, which combines image generation through label fusion with image similarity detection. AdvDetector enhances sample quality and effectively identifies adversarial samples. Specifically, the method generates images by selecting seed pixels, the labels of deep neural network classification, and the pixel distribution learned from training data, and detects them using image similarity comparison methods. During the sample generation process, we introduce the AdvDetector method for adversarial sample detection to improve the quality of generated samples. We evaluated the effectiveness of the method on three publicly available image datasets, MNIST, Cifar-10, and GTSR, and the results show that the method is superior to existing baseline methods in terms of adversarial sample detection rate and sample generation quality. &nbsp;

computer science, information systems,telecommunications