NIC: Detecting Adversarial Samples with Neural Network Invariant Checking

—Deep Neural Networks (DNN) are vulnerable to adversarial samples that are generated by perturbing correctly classified inputs to cause DNN models to misbehave (e.g., misclas-sification). This can potentially lead to disastrous consequences especially in security-sensitive applications. Existing defense and detection techniques work well for specific attacks under various assumptions (e.g., the set of possible attacks are known beforehand). However, they are not sufficiently general to protect against a broader range of attacks. In this paper, we analyze the internals of DNN models under various attacks and identify two common exploitation channels: the provenance channel and the activation value distribution channel. We then propose a novel technique to extract DNN invariants and use them to perform runtime adversarial sample detection. Our experimental results of 11 different kinds of attacks on popular datasets including ImageNet and 13 models show that our technique can effectively detect all these attacks (over 90% accuracy) with limited false positives. We also compare it with three state-of-the-art techniques including the Local Intrinsic Dimensionality (LID) based method, denoiser based methods (i.e., MagNet and HGD), and the prediction inconsistency based approach (i.e., feature squeezing). Our experiments show promising results.

• Publication year

  2019

• Venue

  Network and Distributed System Security Symposium

• Publication date

  Unknown publication date

• Fields of study

  Computer Science

• Identifiers
  DOI 10.14722/ndss.2019.23415
• External record

  Open on Semantic Scholar

• Source metadata

  Semantic Scholar

• No claims are published for this paper.

• No concepts are published for this paper.

• Understanding Membership Inferences on Well-Generalized Learning Models

  2018cited by this paper
• Chameleon: A Hybrid Secure Computation Framework for Machine Learning Applications

  2018cited by this paper
• Machine Learning with Membership Privacy using Adversarial Regularization

  2018cited by this paper
• Deep k-Nearest Neighbors: Towards Confident, Interpretable and Robust Deep Learning

  2018cited by this paper
• When Does Machine Learning FAIL? Generalized Transferability for Evasion and Poisoning Attacks

  2018cited by this paper
• On the Limitation of Local Intrinsic Dimensionality for Characterizing the Subspaces of Adversarial Examples

  2018cited by this paper
• Manipulating Machine Learning: Poisoning Attacks and Countermeasures for Regression Learning

  2018cited by this paper
• Poison Frogs! Targeted Clean-Label Poisoning Attacks on Neural Networks

  2018cited by this paper
• On the Robustness of the CVPR 2018 White-Box Adversarial Example Defenses

  2018cited by this paper
• AttriGuard: A Practical Defense Against Attribute Inference Attacks via Adversarial Machine Learning

  2018cited by this paper
• Trojaning Attack on Neural Networks

  2018influential reference
• Adversarial Spheres

  2018cited by this paper
• AI2: Safety and Robustness Certification of Neural Networks with Abstract Interpretation

  2018cited by this paper
• Generating Adversarial Examples with Adversarial Networks

  2018cited by this paper
• Countering Adversarial Images using Input Transformations

  2018cited by this paper
• Learning Deep Features for One-Class Classification

  2018cited by this paper
• Adversarial Generative Nets: Neural Network Attacks on State-of-the-Art Face Recognition

  2018cited by this paper
• On the importance of single directions for generalization

  2018cited by this paper
• Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial Examples

  2018cited by this paper
• Attacks Meet Interpretability: Attribute-steered Detection of Adversarial Samples

  2018cited by this paper
• Stealing Hyperparameters in Machine Learning

  2018cited by this paper
• Defense-GAN: Protecting Classifiers Against Adversarial Attacks Using Generative Models

  2018cited by this paper
• Spatially Transformed Adversarial Examples

  2018cited by this paper
• Characterizing Adversarial Subspaces Using Local Intrinsic Dimensionality

  2018influential reference
• Security analysis and enhancement of model compressed deep learning systems under adversarial attacks

  2018cited by this paper
• Kitsune: An Ensemble of Autoencoders for Online Network Intrusion Detection

  2018cited by this paper
• Decision Boundary Analysis of Adversarial Examples

  2018cited by this paper
• Safe Machine Learning and Defeating Adversarial Attacks

  2018cited by this paper
• Stochastic Activation Pruning for Robust Adversarial Defense

  2018cited by this paper
• Adversarial Example Defense: Ensembles of Weak Defenses are not Strong

  2017cited by this paper
• Reluplex: An Efficient SMT Solver for Verifying Deep Neural Networks

  2017cited by this paper
• Defense Against Adversarial Attacks Using High-Level Representation Guided Denoiser

  2017influential reference
• Robust Linear Regression Against Training Data Poisoning

  2017cited by this paper
• DeepXplore: Automated Whitebox Testing of Deep Learning Systems

  2017influential reference
• Control-Flow Integrity

  2017cited by this paper
• Machine Learning Models that Remember Too Much

  2017cited by this paper
• PixelDefend: Leveraging Generative Models to Understand and Defend against Adversarial Examples

  2017cited by this paper
• Towards Deep Learning Models Resistant to Adversarial Attacks

  2017cited by this paper
• Mitigating adversarial effects through randomization

  2017cited by this paper
• MagNet: A Two-Pronged Defense against Adversarial Examples

  2017influential reference
• Feature Squeezing: Detecting Adversarial Examples in Deep Neural Networks

  2017influential reference
• Robust Physical-World Attacks on Deep Learning Models

  2017cited by this paper
• Deep Models Under the GAN: Information Leakage from Collaborative Deep Learning

  2017cited by this paper
• Detecting Adversarial Samples from Artifacts

  2017cited by this paper
• On Detecting Adversarial Perturbations

  2017cited by this paper
• Is Interaction Necessary for Distributed Private Learning?

  2017cited by this paper
• SafetyNet: Detecting and Rejecting Adversarial Examples Robustly

  2017cited by this paper
• MobileNets: Efficient Convolutional Neural Networks for Mobile Vision Applications

  2017cited by this paper
• Adversarial Patch

  2017cited by this paper
• Dimensionality Reduction as a Defense against Evasion Attacks on Machine Learning Classifiers

  2017cited by this paper
• The Space of Transferable Adversarial Examples

  2017cited by this paper
• On the (Statistical) Detection of Adversarial Examples

  2017cited by this paper
• DeepFense: Online Accelerated Defense Against Adversarial Deep Learning

  2017cited by this paper
• Wild Patterns: Ten Years After the Rise of Adversarial Machine Learning

  2017cited by this paper
• Adversarial Examples Are Not Easily Detected: Bypassing Ten Detection Methods

  2017cited by this paper
• Universal Adversarial Perturbations

  2016cited by this paper
• End to End Learning for Self-Driving Cars

  2016cited by this paper
• Transferability in Machine Learning: from Phenomena to Black-Box Attacks using Adversarial Samples

  2016cited by this paper
• Delving into Transferable Adversarial Examples and Black-box Attacks

  2016cited by this paper
• Defensive Distillation is Not Robust to Adversarial Examples

  2016cited by this paper
• Stealing Machine Learning Models via Prediction APIs

  2016cited by this paper
• Towards Evaluating the Robustness of Neural Networks

  2016influential reference
• Adversarial examples in the physical world

  2016cited by this paper
• Accessorize to a Crime: Real and Stealthy Attacks on State-of-the-Art Face Recognition

  2016cited by this paper
• Practical Black-Box Attacks against Machine Learning

  2016cited by this paper
• Towards the Science of Security and Privacy in Machine Learning

  2016cited by this paper
• Cleverhans V0.1: an Adversarial Machine Learning Library

  2016cited by this paper
• Adversarial Examples Detection in Deep Networks with Convolutional Filter Statistics

  2016cited by this paper
• Densely Connected Convolutional Networks

  2016cited by this paper
• Early Methods for Detecting Adversarial Images

  2016cited by this paper
• Model Inversion Attacks that Exploit Confidence Information and Basic Countermeasures

  2015cited by this paper
• The Limitations of Deep Learning in Adversarial Settings

  2015cited by this paper
• Distillation as a Defense to Adversarial Perturbations Against Deep Neural Networks

  2015cited by this paper
• Deep Residual Learning for Image Recognition

  2015cited by this paper
• DeepFool: A Simple and Accurate Method to Fool Deep Neural Networks

  2015cited by this paper
• Rethinking the Inception Architecture for Computer Vision

  2015cited by this paper
• Deep neural networks are easily fooled: High confidence predictions for unrecognizable images

  2014cited by this paper
• Very Deep Convolutional Networks for Large-Scale Image Recognition

  2014cited by this paper
• Privacy in Pharmacogenetics: An End-to-End Case Study of Personalized Warfarin Dosing

  2014cited by this paper
• Explaining and Harnessing Adversarial Examples

  2014influential reference
• Adam: A Method for Stochastic Optimization

  2014cited by this paper
• A review of novelty detection

  2014cited by this paper
• Towards Deep Neural Network Architectures Robust to Adversarial Examples

  2014cited by this paper
• ImageNet Large Scale Visual Recognition Challenge

  2014cited by this paper
• Intriguing properties of neural networks

  2013cited by this paper
• Large-scale malware classification using random projections and neural networks

  2013cited by this paper
• ImageNet classification with deep convolutional neural networks

  2012cited by this paper
• Scikit-learn: Machine Learning in Python

  2011cited by this paper
• Learning Multiple Layers of Features from Tiny Images

  2009cited by this paper
• Labeled Faces in the Wild: A Database forStudying Face Recognition in Unconstrained Environments

  2008cited by this paper
• Data domain description using support vectors

  1999cited by this paper
• Support vector domain description

  1999cited by this paper
• Gradient-based learning applied to document recognition

  1998influential reference
• Fault Injection Techniques and Tools

  1997cited by this paper

• OCAGE: An Input-Level One-Class Backdoor Detection Method Using Feature Map Extraction for DNN

  2025cites this paper
• What's Pulling the Strings? Evaluating Integrity and Attribution in AI Training and Inference through Concept Shift

  2025cites this paper
• Stealthy-AE: Generating Stealthy Adversarial Examples through Online Social Networks

  2025cites this paper
• DuDAB: A Dual-Staged, Lightweight Detection Methodology for Adversarial Attacks in a Black-Box Setting

  2025cites this paper
• EGRTE: adversarially training a self-explaining smoothed classifier for certified robustness

  2025cites this paper
• KoALA: KL-L0 Adversarial Detector via Label Agreement

  2025cites this paper
• DSADA: Detecting Spoofing Attacks in Driver Assistance Systems Using Objects’ Spatial Shapes

  2025cites this paper
• SIGuard: Guarding Secure Inference with Post Data Privacy

  2025cites this paper
• A Few Large Shifts: Layer-Inconsistency Based Minimal Overhead Adversarial Example Detection

  2025cites this paper
• Adversarial Examples Detection Based on Adversarial Attack Sensitivity

  2025cites this paper
• Securing AI Systems: A Guide to Known Attacks and Impacts

  2025cites this paper
• AugOracle: In-Capability Raw Input Validation for Deep Learning Models in Deployment

  2025cites this paper
• DASA: A Unified Defense Method Against Adversarial Sample Attacks

  2025cites this paper
• Anomaly Detection Based on Critical Paths for Deep Neural Networks

  2025influential citation
• Revisiting the Relationship between Adversarial and Clean Training: Why Clean Training Can Make Adversarial Training Better

  2025cites this paper
• MIRAGE: Microarchitectural Footprints for Detecting Adversarial Attacks in One-Shot Inference

  2025cites this paper
• Detecting Adversarial Attacks Based on Tracking Differences in Frequency Bands

  2025cites this paper
• Effective Backdoor Learning on Open-Set Face Recognition Systems

  2025cites this paper
• Keep the Lights On, Keep the Lengths in Check: Plug-In Adversarial Detection for Time-Series LLMs in Energy Forecasting

  2025cites this paper
• Lotus: Evasive and Resilient Backdoor Attacks through Sub-Partitioning

  2024cites this paper
• DeepHashDetection: Adversarial Example Detection Basedon Similarity Image Retrieval

  2024cites this paper
• Exploring the Adversarial Frontier: Quantifying Robustness via Adversarial Hypervolume

  2024cites this paper
• Model Pairing Using Embedding Translation for Backdoor Attack Detection on Open-Set Classification Tasks

  2024cites this paper
• CrossCert: A Cross-Checking Detection Approach to Patch Robustness Certification for Deep Learning Models

  2024cites this paper
• Enhancing Generalization in Few-Shot Learning for Detecting Unknown Adversarial Examples

  2024cites this paper
• CIGA: Detecting Adversarial Samples via Critical Inference Graph Analysis

  2024cites this paper
• A Novel Adversarial Example Detection Method Based on Frequency Domain Reconstruction for Image Sensors

  2024cites this paper
• Inspecting Prediction Confidence for Detecting Black-Box Backdoor Attacks

  2024cites this paper
• Toward Universal Detection of Adversarial Examples via Pseudorandom Classifiers

  2024influential citation
• BackdoorMBTI: A Backdoor Learning Multimodal Benchmark Tool Kit for Backdoor Defense Evaluation

  2024cites this paper
• Security threats to agricultural artificial intelligence: Position and perspective

  2024cites this paper
• Backdoor Attacks and Defenses Targeting Multi-Domain AI Models: A Comprehensive Review

  2024cites this paper
• DNN-GP: Diagnosing and Mitigating Model's Faults Using Latent Concepts

  2024cites this paper
• Detecting adversarial samples by noise injection and denoising

  2024cites this paper
• ViTGuard: Attention-aware Detection against Adversarial Examples for Vision Transformer

  2024influential citation
• Towards Robust Vision Transformer via Masked Adaptive Ensemble

  2024influential citation
• Dual-Branch Sparse Self-Learning With Instance Binding Augmentation for Adversarial Detection in Remote Sensing Images

  2024cites this paper
• FID: Detecting Adversarial Attacks with Feature Invariants and Applying to License Plate Recognition

  2024influential citation
• Research on Network Attack Sample Generation and Defence Techniques Based on Generative Adversarial Networks

  2024cites this paper
• DLR: Adversarial examples detection and label recovery for deep neural networks

  2024cites this paper
• Context-Aware Fuzzing for Robustness Enhancement of Deep Learning Models

  2024cites this paper
• Backdoor Online Tracing With Evolving Graphs

  2024cites this paper
• PASA: Attack Agnostic Unsupervised Adversarial Detection Using Prediction & Attribution Sensitivity Analysis

  2024cites this paper
• Robust and privacy-preserving collaborative training: a comprehensive survey

  2024cites this paper
• Robustness Optimization of Image Classification Model Based on Adversarial Training

  2024cites this paper
• Fisher Information guided Purification against Backdoor Attacks

  2024cites this paper
• LLM Whisperer: An Inconspicuous Attack to Bias LLM Responses

  2024cites this paper
• Generation and Countermeasures of adversarial examples on vision: a survey

  2024cites this paper
• How to Defend and Secure Deep Learning Models Against Adversarial Attacks in Computer Vision: A Systematic Review

  2024cites this paper
• NeuralSanitizer: Detecting Backdoors in Neural Networks

  2024cites this paper
• Improving Adversarial Robustness With Adversarial Augmentations

  2024cites this paper
• A Hybrid Sparse-dense Defensive DNN Accelerator Architecture against Adversarial Example Attacks

  2024cites this paper
• Topological safeguard for evasion attack interpreting the neural networks' behavior

  2024cites this paper
• A3Rank: Augmentation Alignment Analysis for Prioritizing Overconfident Failing Samples for Deep Learning Models

  2024cites this paper
• Detecting adversarial examples using image reconstruction differences

  2023cites this paper
• Backdoor Learning for NLP: Recent Advances, Challenges, and Future Research Directions

  2023cites this paper
• EAM: Ensemble of approximate multipliers for robust DNNs

  2023cites this paper
• BEAGLE: Forensics of Deep Learning Backdoor Attack for Better Defense

  2023cites this paper
• Physical Black-Box Adversarial Attacks Through Transformations

  2023cites this paper
• SAGE: Steering the Adversarial Generation of Examples With Accelerations

  2023cites this paper
• FAD: Fine-Grained Adversarial Detection by Perturbation Intensity Classification

  2023cites this paper
• OBSan: An Out-Of-Bound Sanitizer to Harden DNN Executables

  2023cites this paper
• Boosting Adversarial Attacks with Nadam Optimizer

  2023cites this paper
• Threats, Vulnerabilities, and Controls of Machine Learning Based Systems: A Survey and Taxonomy

  2023cites this paper
• A Halfspace-Mass Depth-Based Method for Adversarial Attack Detection

  2023cites this paper
• Adversarial Example Detection for Deep Neural Networks: A Review

  2023cites this paper
• Can Deep Networks be Highly Performant, Efficient and Robust simultaneously?

  2023cites this paper
• A Novel Semi-Supervised Adversarially Learned Meta-Classifier for Detecting Neural Trojan Attacks

  2023influential citation
• Mendata: A Framework to Purify Manipulated Training Data

  2023cites this paper
• DAAED: A Deep Autoencoder based Adversarial Example Detection Technique

  2023cites this paper
• EMShepherd: Detecting Adversarial Samples via Side-channel Leakage

  2023influential citation
• DaBA: Data-free Backdoor Attack against Federated Learning via Malicious Server

  2023cites this paper
• A lightweight unsupervised adversarial detector based on autoencoder and isolation forest

  2023cites this paper
• AGNES: Abstraction-guided Framework for Deep Neural Networks Security

  2023cites this paper
• "Get in Researchers; We're Measuring Reproducibility": A Reproducibility Study of Machine Learning Papers in Tier 1 Security Conferences

  2023cites this paper
• Interpreting Universal Adversarial Example Attacks on Image Classification Models

  2023cites this paper
• A Novel Statistical Measure for Out-of-Distribution Detection in Data Quality Assurance

  2023cites this paper
• Model Stealing Attacks On FHE-based Privacy-Preserving Machine Learning through Adversarial Examples

  2023cites this paper
• Vulnerability of Machine Learning Approaches Applied in IoT-Based Smart Grid: A Review

  2023cites this paper
• Quality Assurance of A GPT-Based Sentiment Analysis System: Adversarial Review Data Generation and Detection

  2023cites this paper
• Systemization of Knowledge: Robust Deep Learning using Hardware-software co-design in Centralized and Federated Settings

  2023cites this paper
• Unsupervised Adversarial Detection without Extra Model: Training Loss Should Change

  2023cites this paper
• AIRTAG: Towards Automated Attack Investigation by Unsupervised Learning with Log Texts

  2023cites this paper
• Django: Detecting Trojans in Object Detection Models via Gaussian Focus Calibration

  2023cites this paper
• Detection of adversarial attacks based on differences in image entropy

  2023cites this paper
• Maintaining Deep Learning Model Programs to Retain Standard Accuracy with Substantial Robustness Improvement

  2023cites this paper
• Assessing operational accuracy of CNN-based image classifiers using an oracle surrogate

  2023cites this paper
• Prompt Backdoors in Visual Prompt Learning

  2023cites this paper
• The Path to Defence: A Roadmap to Characterising Data Poisoning Attacks on Victim Models

  2023cites this paper
• A Survey on Attacks and Their Countermeasures in Deep Learning: Applications in Deep Neural Networks, Federated, Transfer, and Deep Reinforcement Learning

  2023cites this paper
• That Person Moves Like A Car: Misclassification Attack Detection for Autonomous Systems Using Spatiotemporal Consistency

  2023influential citation
• Efficient Backdoor Removal Through Natural Gradient Fine-tuning

  2023cites this paper
• GIT: Detecting Uncertainty, Out-Of-Distribution and Adversarial Samples using Gradients and Invariance Transformations

  2023cites this paper
• Attack as Detection: Using Adversarial Attack Methods to Detect Abnormal Examples

  2023cites this paper
• AI-Guardian: Defeating Adversarial Attacks using Backdoors

  2023cites this paper
• B3: Backdoor Attacks against Black-box Machine Learning Models

  2023cites this paper
• Towards an Accurate and Secure Detector against Adversarial Perturbations

  2023cites this paper
• Spatial-Frequency Discriminability for Revealing Adversarial Perturbations

  2023cites this paper
• Remote Perception Attacks against Camera-based Object Recognition Systems and Countermeasures

  2023cites this paper
• DeepPatch: Maintaining Deep Learning Model Programs to Retain Standard Accuracy with Substantial Robustness Improvement

  2023cites this paper