{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,7,30]],"date-time":"2025-07-30T15:47:35Z","timestamp":1753890455271,"version":"3.41.2"},"reference-count":36,"publisher":"Frontiers Media SA","license":[{"start":{"date-parts":[[2023,10,30]],"date-time":"2023-10-30T00:00:00Z","timestamp":1698624000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/100006502","name":"Defense Sciences Office, DARPA","doi-asserted-by":"publisher","id":[{"id":"10.13039\/100006502","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["frontiersin.org"],"crossmark-restriction":true},"short-container-title":["Front. Comput. Sci."],"abstract":"<jats:p>In the ever-evolving landscape of deep learning, novel designs of neural network architectures have been thought to drive progress by enhancing embedded representations. However, recent findings reveal that the embedded representations of various state-of-the-art models are mappable to one another via a simple linear map, thus challenging the notion that architectural variations are meaningfully distinctive. While these linear maps have been established for traditional non-adversarial datasets, e.g., ImageNet, to our knowledge no work has explored the linear relation between adversarial image representations of these datasets generated by different CNNs. Accurately mapping adversarial images signals the feasibility of generalizing an adversarial defense optimized for a specific network. In this work, we demonstrate the existence of a linear mapping of adversarial inputs between different models that can be exploited to develop such model-agnostic, generalized adversarial defense. We further propose an experimental setup designed to underscore the concept of this model-agnostic defense. We train a linear classifier using both adversarial and non-adversarial embeddings within the defended space. Subsequently, we assess its performance using adversarial embeddings from other models that are mapped to this space. Our approach achieves an AUROC of up to 0.99 for both CIFAR-10 and ImageNet datasets.<\/jats:p>","DOI":"10.3389\/fcomp.2023.1274832","type":"journal-article","created":{"date-parts":[[2023,10,30]],"date-time":"2023-10-30T09:00:01Z","timestamp":1698656401000},"update-policy":"https:\/\/doi.org\/10.3389\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["Leveraging linear mapping for model-agnostic adversarial defense"],"prefix":"10.3389","volume":"5","author":[{"given":"Huma","family":"Jamil","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yajing","family":"Liu","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Nathaniel","family":"Blanchard","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Michael","family":"Kirby","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Chris","family":"Peterson","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1965","published-online":{"date-parts":[[2023,10,30]]},"reference":[{"key":"B1","doi-asserted-by":"crossref","DOI":"10.1109\/CVPR.2016.173","article-title":"\u201cTowards open set deep networks,\u201d","volume-title":"Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR)","author":"Bendale","year":"2016"},{"key":"B2","doi-asserted-by":"crossref","DOI":"10.1109\/CVPR.2019.00555","article-title":"\u201cA neurobiological evaluation metric for neural network model search,\u201d","volume-title":"Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition (CVPR)","author":"Blanchard","year":"2019"},{"key":"B3","doi-asserted-by":"publisher","DOI":"10.48550\/arXiv.2207.08089","article-title":"Threat model-agnostic adversarial defense using diffusion models","author":"Blau","year":"2022","journal-title":"arXiv preprint arXiv:2207.08089"},{"key":"B4","doi-asserted-by":"publisher","DOI":"10.48550\/arXiv.1902.06705","article-title":"On evaluating adversarial robustness","author":"Carlini","year":"2019","journal-title":"arXiv preprint arXiv:1902.06705"},{"key":"B5","doi-asserted-by":"publisher","DOI":"10.48550\/arXiv.1912.07160","article-title":"DAmageNet: a universal adversarial dataset","author":"Chen","year":"2019","journal-title":"arXiv preprint arXiv:1912.07160"},{"key":"B6","doi-asserted-by":"publisher","DOI":"10.48550\/arXiv.1904.13094","article-title":"Detecting adversarial examples through nonlinear dimensionality reduction","author":"Crecchi","year":"2019","journal-title":"arXiv preprint arXiv:1904.13094"},{"key":"B7","doi-asserted-by":"publisher","DOI":"10.48550\/arXiv.2305.13651","article-title":"Adversarial defenses via vector quantization","author":"Dong","year":"2023","journal-title":"arXiv preprint arXiv:2305.13651"},{"key":"B8","doi-asserted-by":"publisher","DOI":"10.48550\/arXiv.2010.11929","article-title":"An image is worth 16x16 words: Transformers for image recognition at scale","author":"Dosovitskiy","year":"2020","journal-title":"arXiv preprint arXiv:2010.11929"},{"key":"B9","doi-asserted-by":"publisher","DOI":"10.48550\/arXiv.1703.00410","article-title":"Detecting adversarial samples from artifacts","author":"Feinman","year":"2017","journal-title":"arXiv preprint arXiv:1703.00410"},{"key":"B10","first-page":"4067","article-title":"\u201cThe best defense is a good offense: adversarial augmentation against adversarial attacks,\u201d","volume-title":"Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition (CVPR)","author":"Frosio","year":"2023"},{"key":"B11","doi-asserted-by":"publisher","DOI":"10.48550\/arXiv.1803.03880","article-title":"Combating adversarial attacks using sparse representations","author":"Gopalakrishnan","year":"2018","journal-title":"arXiv preprint arXiv:1803.03880"},{"key":"B12","first-page":"34","article-title":"\u201cUtilizing network features to detect erroneous inputs,\u201d","volume-title":"Proceedings of the IEEE\/CVF Winter Conference on Applications of Computer Vision","author":"Gorbett","year":"2022"},{"key":"B13","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3594869","article-title":"Interpreting adversarial examples in deep learning: a review","volume":"55","author":"Han","year":"2023","journal-title":"ACM Comput. Surv."},{"key":"B14","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1109\/IJCNN52387.2021.9533442","article-title":"\u201cSpectraldefense: detecting adversarial attacks on CNNs in the fourier domain,\u201d","volume-title":"2021 International Joint Conference on Neural Networks (IJCNN)","author":"Harder","year":"2021"},{"key":"B15","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.90","article-title":"Deep residual learning for image recognition","author":"He","year":"2015","journal-title":"arXiv preprint arXiv:1512.03385"},{"key":"B16","first-page":"590","article-title":"\u201cHamming similarity and graph Laplacians for class partitioning and adversarial image detection,\u201d","volume-title":"Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition","author":"Jamil","year":"2023"},{"key":"B17","doi-asserted-by":"crossref","DOI":"10.1109\/MILCOM.2018.8599691","article-title":"\u201cDetecting adversarial examples using data manifolds,\u201d","volume-title":"MILCOM 2018 - 2018 IEEE Military Communications Conference (MILCOM)","author":"Jha","year":"2018"},{"key":"B18","doi-asserted-by":"publisher","first-page":"102266","DOI":"10.1109\/ACCESS.2022.3208131","article-title":"Adversarial deep learning: a survey on adversarial attacks and defense mechanisms on image classification","volume":"10","author":"Khamaiseh","year":"2022","journal-title":"IEEE Access"},{"key":"B19","first-page":"991","article-title":"\u201cUnderstanding image representations by measuring their equivariance and equivalence,\u201d","volume-title":"Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition","author":"Lenc","year":"2015"},{"key":"B20","doi-asserted-by":"publisher","first-page":"177","DOI":"10.1016\/j.neunet.2023.03.008","article-title":"Learning defense transformations for counterattacking adversarial examples","volume":"164","author":"Li","year":"2023","journal-title":"Neural Netw."},{"key":"B21","doi-asserted-by":"crossref","DOI":"10.1109\/ICCV.2017.615","article-title":"\u201cAdversarial examples detection in deep networks with convolutional filter statistics,\u201d","volume-title":"Proceedings of the IEEE International Conference on Computer Vision (ICCV)","author":"Li","year":"2017"},{"key":"B22","doi-asserted-by":"publisher","DOI":"10.48550\/arXiv.1805.12152","article-title":"Towards deep learning models resistant to adversarial attacks","author":"Madry","year":"2017","journal-title":"arXiv preprint arXiv:1706.06083"},{"key":"B23","doi-asserted-by":"publisher","first-page":"312","DOI":"10.1016\/j.cogsys.2019.10.004","article-title":"Inception and resnet features are (almost) equivalent","volume":"59","author":"McNeely-White","year":"2020","journal-title":"Cogn. Syst. Res."},{"key":"B24","doi-asserted-by":"publisher","DOI":"10.48550\/arXiv.2010.02323","article-title":"Exploring the interchangeability of CNN embedding spaces","author":"McNeely-White","year":"2021","journal-title":"arXiv preprint arXiv:2010.02323"},{"key":"B25","doi-asserted-by":"publisher","first-page":"197","DOI":"10.1109\/TBIOM.2022.3155372","article-title":"Canonical face embeddings","volume":"4","author":"McNeely-White","year":"2022","journal-title":"IEEE Trans. Biometr. Behav. Identity Sci"},{"key":"B26","first-page":"3385","article-title":"\u201cAdversarial defense by restricting the hidden space of deep neural networks,\u201d","volume-title":"Proceedings of the IEEE\/CVF International Conference on Computer Vision","author":"Mustafa","year":"2019"},{"key":"B27","doi-asserted-by":"publisher","DOI":"10.48550\/arXiv.2205.07460","article-title":"Diffusion models for adversarial purification","author":"Nie","year":"2022","journal-title":"arXiv preprint arXiv:2205.07460"},{"key":"B28","doi-asserted-by":"publisher","DOI":"10.1109\/TC.2021.3076826","article-title":"An efficient preprocessing-based approach to mitigate advanced adversarial attacks","author":"Qiu","year":"2021","journal-title":"IEEE Trans. Comput."},{"key":"B29","first-page":"8748","article-title":"\u201cLearning transferable visual models from natural language supervision,\u201d","volume-title":"International Conference on Machine Learning","author":"Radford","year":"2021"},{"key":"B30","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00474","article-title":"MobileNetV2: Inverted residuals and linear bottlenecks","author":"Sandler","year":"2019","journal-title":"arXiv preprint arXiv:1801.04381"},{"key":"B31","doi-asserted-by":"publisher","DOI":"10.48550\/arXiv.1409.1556","article-title":"Very deep convolutional networks for large-scale image recognition","author":"Simonyan","year":"2015","journal-title":"arXiv preprint arXiv:1409.1556"},{"key":"B32","doi-asserted-by":"publisher","DOI":"10.48550\/arXiv.1409.4842","article-title":"Going deeper with convolutions","author":"Szegedy","year":"","journal-title":"arXiv preprint arXiv:1409.4842"},{"journal-title":"Intriguing Properties of Neural Networks","year":"","author":"Szegedy","key":"B33"},{"key":"B34","doi-asserted-by":"publisher","DOI":"10.48550\/arXiv.1905.11946","article-title":"EfficientNet: rethinking model scaling for convolutional neural networks","author":"Tan","year":"2020","journal-title":"arXiv preprint arXiv:1905.11946"},{"key":"B35","doi-asserted-by":"publisher","DOI":"10.48550\/arXiv.1704.01155","article-title":"Feature squeezing: Detecting adversarial examples in deep neural networks","author":"Xu","year":"2017","journal-title":"arXiv preprint arXiv:1704.01155"},{"key":"B36","doi-asserted-by":"publisher","DOI":"10.48550\/arXiv.1912.11969","article-title":"Efficient adversarial training with transferable adversarial examples","author":"Zheng","year":"2020","journal-title":"arXiv preprint arXiv:1912.11969"}],"container-title":["Frontiers in Computer Science"],"original-title":[],"link":[{"URL":"https:\/\/www.frontiersin.org\/articles\/10.3389\/fcomp.2023.1274832\/full","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,10,30]],"date-time":"2023-10-30T09:00:21Z","timestamp":1698656421000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.frontiersin.org\/articles\/10.3389\/fcomp.2023.1274832\/full"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,10,30]]},"references-count":36,"alternative-id":["10.3389\/fcomp.2023.1274832"],"URL":"https:\/\/doi.org\/10.3389\/fcomp.2023.1274832","relation":{},"ISSN":["2624-9898"],"issn-type":[{"type":"electronic","value":"2624-9898"}],"subject":[],"published":{"date-parts":[[2023,10,30]]},"article-number":"1274832"}}