{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,15]],"date-time":"2025-08-15T02:38:51Z","timestamp":1755225531069,"version":"3.43.0"},"reference-count":46,"publisher":"Frontiers Media SA","license":[{"start":{"date-parts":[[2025,8,13]],"date-time":"2025-08-13T00:00:00Z","timestamp":1755043200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":["frontiersin.org"],"crossmark-restriction":true},"short-container-title":["Front. Comput. Sci."],"abstract":"Convolutional neural networks (CNNs) are vulnerable to adversarial attacks in computer vision tasks. Current adversarial detections are ineffective against white-box attacks and inefficient when deep CNNs generate high-dimensional hidden features. This study proposes MeetSafe, an effective and scalable adversarial example (AE) detection against white-box attacks. MeetSafe identifies AEs using critical hidden features rather than the entire feature space. We observe a non-uniform distribution of Z-scores between clean samples and adversarial examples (AEs) among hidden features and propose two utility functions to select those most relevant to AEs. We process critical hidden features using feature engineering methods: local outlier factor (LOF), feature squeezing, and whitening, which estimate feature density relative to its k-neighbors, reduce redundancy, and normalize features. To deal with the curse of dimensionality and smooth statistical fluctuations in high-dimensional features, we propose local reachability density (LRD). Our LRD iteratively selects a bag of engineered features with random cardinality and quantifies their average density by its k-nearest neighbors. Finally, MeetSafe constructs a Gaussian Mixture Model (GMM) with the processed features and detects AEs if it is seen as a local outlier, shown by a low density from GMM. Experimental results show that MeetSafe achieves 74%, 96%, and 79% of detection accuracy against adaptive, classic, and white-box attacks, respectively, and at least 2.3\u00d7 faster than comparison methods.<\/jats:p>","DOI":"10.3389\/fcomp.2025.1631561","type":"journal-article","created":{"date-parts":[[2025,8,13]],"date-time":"2025-08-13T13:21:21Z","timestamp":1755091281000},"update-policy":"https:\/\/doi.org\/10.3389\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["MeetSafe: enhancing robustness against white-box adversarial examples"],"prefix":"10.3389","volume":"7","author":[{"given":"Ruben","family":"Stenhuis","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Dazhuang","family":"Liu","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yanqi","family":"Qiao","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Mauro","family":"Conti","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Manos","family":"Panaousis","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Kaitai","family":"Liang","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1965","published-online":{"date-parts":[[2025,8,13]]},"reference":[{"key":"B1","first-page":"1","article-title":"\u201cAdversarial examples detection using no-reference image quality features,\u201d","volume-title":"International Carnahan Conference on Security Technology","author":"Akhtar","year":"2018"},{"key":"B2","doi-asserted-by":"publisher","first-page":"4403","DOI":"10.1007\/s10462-021-10125-w","article-title":"Adversarial example detection for dnn models: a review and experimental comparison","volume":"55","author":"Aldahdooh","year":"2022","journal-title":"Artif. Intellig. Rev"},{"key":"B3","doi-asserted-by":"publisher","DOI":"10.48550\/arXiv.1804.03286","article-title":"On the robustness of the cvpr 2018 white-box adversarial example defenses","author":"Athalye","year":"2018","journal-title":"arXiv"},{"key":"B4","first-page":"274","article-title":"\u201cObfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples,\u201d","volume-title":"International Conference on Machine Learning","author":"Athalye","year":"2018"},{"key":"B5","first-page":"552","article-title":"\u201cBetter mixing via deep representations,\u201d","volume-title":"International Conference on Machine Learning","author":"Bengio","year":"2013"},{"key":"B6","first-page":"93","article-title":"\u201cLOF: identifying density-based local outliers,\u201d","volume-title":"ACM International Conference on Management of Data","author":"Breunig","year":"2000"},{"key":"B7","doi-asserted-by":"crossref","DOI":"10.1145\/3128572.3140444","article-title":"\u201cAdversarial examples are not easily detected: bypassing ten detection methods,\u201d","volume-title":"ACM Workshop on Artificial Intelligence and Security","author":"Carlini","year":""},{"key":"B8","first-page":"39","article-title":"\u201cTowards evaluating the robustness of neural networks,\u201d","volume-title":"IEEE Symposium on Security and Privacy","author":"Carlini","year":""},{"key":"B9","first-page":"215","article-title":"\u201cAn analysis of single-layer networks in unsupervised feature learning,\u201d","volume-title":"International Conference on Artificial Intelligence and Statistics","author":"Coates","year":"2011"},{"key":"B10","first-page":"7506","article-title":"Advdrop: Adversarial attack to dnns by dropping information","volume-title":"In IEEE\/CVF International Conference on Computer Vision","author":"Duan","year":"2021"},{"key":"B11","doi-asserted-by":"publisher","DOI":"10.48550\/arXiv.1703.00410","article-title":"Detecting adversarial samples from artifacts","author":"Feinman","year":"2017","journal-title":"arXiv"},{"key":"B12","article-title":"\u201cBreaking certified defenses: Semantic adversarial examples with spoofed robustness certificates,\u201d","volume-title":"International Conference on Learning Representations","author":"Ghiasi","year":"2020"},{"key":"B13","article-title":"\u201cExplaining and harnessing adversarial examples,\u201d","volume-title":"International Conference on Learning Representations","author":"Goodfellow","year":"2015"},{"key":"B14","first-page":"770","article-title":"\u201cDeep residual learning for image recognition,\u201d","volume-title":"IEEE Conference on Computer Vision and Pattern Recognition","author":"He","year":"2016"},{"key":"B15","article-title":"\u201cEarly methods for detecting adversarial images,\u201d","volume-title":"International Conference on Learning Representations","author":"Hendrycks","year":"2017"},{"key":"B16","doi-asserted-by":"publisher","DOI":"10.48550\/arXiv.1910.07629","article-title":"A new defense against adversarial images: Turning a weakness into a strength","author":"Hu","year":"2019","journal-title":"arXiv"},{"key":"B17","first-page":"1","article-title":"\u201cDetection of adversarial examples in deep neural networks with natural scene statistics,\u201d","volume-title":"International Joint Conference on Neural Networks","author":"Kherchouche","year":"2020"},{"key":"B18","unstructured":"Krizhevsky\n A.\n \n \n Hinton\n G.\n \n \n Toronto, ON, Canada\n University of Toronto\n Learning Multiple Layers of Features from Tiny Images\n \n 2009"},{"key":"B19","first-page":"157","article-title":"\u201cFeature bagging for outlier detection,\u201d","volume-title":"ACM SIGKDD International Conference on Knowledge Discovery in Data Mining","author":"Lazarevic","year":"2005"},{"key":"B20","author":"Le","year":"2015","journal-title":"Tiny Imagenet Visual Recognition Challenge"},{"key":"B21","author":"LeCun","year":"1998","journal-title":"The MNIST Database of Handwritten Digits"},{"key":"B22","first-page":"31","article-title":"\u201cA simple unified framework for detecting out-of-distribution samples and adversarial attacks,\u201d","volume-title":"Advances in Neural Information Processing Systems","author":"Lee","year":"2018"},{"key":"B23","first-page":"5775","article-title":"\u201cAdversarial examples detection in deep networks with convolutional filter statistics,\u201d","volume-title":"International Conference on Computer Vision","author":"Li","year":"2017"},{"key":"B24","first-page":"3804","article-title":"\u201cAre generative classifiers more robust to adversarial attacks?,\u201d","volume-title":"International Conference on Machine Learning","author":"Li","year":"2019"},{"key":"B25","doi-asserted-by":"publisher","first-page":"72","DOI":"10.1109\/TDSC.2018.2874243","article-title":"Detecting adversarial image examples in deep neural networks with adaptive noise reduction","volume":"18","author":"Liang","year":"2018","journal-title":"IEEE Trans. Depend. Secure Comp"},{"key":"B26","doi-asserted-by":"publisher","first-page":"60","DOI":"10.1016\/j.media.2017.07.005","article-title":"A survey on deep learning in medical image analysis","volume":"42","author":"Litjens","year":"2017","journal-title":"Med. Image Analy"},{"key":"B27","first-page":"15315","article-title":"\u201cFrequency-driven imperceptible adversarial attack on semantic similarity,\u201d","volume-title":"IEEE\/CVF Conference on Computer Vision and Pattern Recognition","author":"Luo","year":"2022"},{"key":"B28","article-title":"\u201cCharacterizing adversarial subspaces using local intrinsic dimensionality,\u201d","volume-title":"International Conference on Learning Representations","author":"Ma","year":"2018"},{"key":"B29","doi-asserted-by":"publisher","first-page":"4695","DOI":"10.1109\/TIP.2012.2214050","article-title":"No-reference image quality assessment in the spatial domain","volume":"21","author":"Mittal","year":"2012","journal-title":"IEEE Trans. Image Proc"},{"key":"B30","first-page":"2574","article-title":"\u201cDeepfool: a simple and accurate method to fool deep neural networks,\u201d","volume-title":"IEEE Conference on Computer Vision and Pattern Recognition","author":"Moosavi-Dezfooli","year":"2016"},{"key":"B31","first-page":"4579","volume":"31","author":"Pang","year":"2018"},{"key":"B32","article-title":"\u201cCertified defenses against adversarial examples,\u201d","volume-title":"International Conference on Learning Representations","author":"Raghunathan","year":"2018"},{"key":"B33","first-page":"8764","article-title":"\u201cA general framework for detecting anomalous inputs to dnn classifiers,\u201d","volume-title":"International Conference on Machine Learning","author":"Raghuram","year":"2021"},{"key":"B34","article-title":"\u201cVery deep convolutional networks for large-scale image recognition,\u201d","volume-title":"International Conference on Learning Representations","author":"Simonyan","year":"2015"},{"key":"B35","article-title":"\u201cPixeldefend: Leveraging generative models to understand and defend against adversarial examples,\u201d","author":"Song","year":"2018","journal-title":"International Conference on Learning Representations"},{"key":"B36","article-title":"\u201cIntriguing properties of neural networks,\u201d","volume-title":"International Conference on Learning Representations","author":"Szegedy","year":"2014"},{"key":"B37","doi-asserted-by":"publisher","DOI":"10.48550\/arXiv.1608.07690","article-title":"A boundary tilting persepective on the phenomenon of adversarial examples","author":"Tanay","year":"2016","journal-title":"arXiv"},{"key":"B38","doi-asserted-by":"publisher","first-page":"9877","DOI":"10.1609\/aaai.v35i11.17187","article-title":"Detecting adversarial examples from sensitivity inconsistency of spatial-transform domain","volume":"35","author":"Tian","year":"2021","journal-title":"AAAI Conf. Artif. Intellig"},{"key":"B39","first-page":"21692","article-title":"\u201cDetecting adversarial examples is (nearly) as hard as classifying them,\u201d","volume-title":"International Conference on Machine Learning","author":"Tramer","year":"2022"},{"key":"B40","first-page":"1633","article-title":"\u201cOn adaptive attacks to adversarial example defenses,\u201d","volume-title":"Advances in Neural Information Processing Systems (NeurIPS)","author":"Tramer","year":"2020"},{"key":"B41","article-title":"\u201cEvaluating the robustness of neural networks: An extreme value theory approach,\u201d","volume-title":"International Conference on Learning Representations","author":"Weng","year":"2018"},{"key":"B42","doi-asserted-by":"crossref","DOI":"10.14722\/ndss.2018.23198","article-title":"\u201cFeature squeezing: Detecting adversarial examples in deep neural networks,\u201d","volume-title":"Network and Distributed System Security Symposium","author":"Xu","year":"2018"},{"key":"B43","doi-asserted-by":"publisher","DOI":"10.48550\/arXiv.1905.11475","article-title":"GAT: Generative adversarial training for adversarial example detection and robust classification","author":"Yin","year":"2019","journal-title":"arXiv"},{"key":"B44","first-page":"399","article-title":"\u201cFace recognition: a literature survey,\u201d","volume-title":"ACM Computing Surveys","author":"Zhao","year":"2003"},{"key":"B45","first-page":"1039","article-title":"\u201cTowards large yet imperceptible adversarial image perturbations with perceptual color distance,\u201d","volume-title":"IEEE\/CVF conference on Computer Vision and Pattern Recognition","author":"Zhao","year":"2020"},{"key":"B46","first-page":"31","article-title":"\u201cRobust detection of adversarial attacks by modeling the intrinsic properties of deep neural networks,\u201d","volume-title":"Advances in Neural Information Processing Systems","author":"Zheng","year":"2018"}],"container-title":["Frontiers in Computer Science"],"original-title":[],"link":[{"URL":"https:\/\/www.frontiersin.org\/articles\/10.3389\/fcomp.2025.1631561\/full","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,13]],"date-time":"2025-08-13T13:21:28Z","timestamp":1755091288000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.frontiersin.org\/articles\/10.3389\/fcomp.2025.1631561\/full"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,8,13]]},"references-count":46,"alternative-id":["10.3389\/fcomp.2025.1631561"],"URL":"https:\/\/doi.org\/10.3389\/fcomp.2025.1631561","relation":{},"ISSN":["2624-9898"],"issn-type":[{"value":"2624-9898","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,8,13]]},"article-number":"1631561"}}