
Open Access 11-05-2025 | Original Article

Adversarial Examples Detection with Chaos-Based Multivariate Features

Authors: Harbinder Singh, Anibal Pedraza, Oscar Deniz, Gloria Bueno

Published in: International Journal of Machine Learning and Cybernetics


Abstract

Adversarial examples (AE) pose a significant threat to the security and reliability of deep neural networks (DNNs), which are increasingly integral to various applications such as image classification, autonomous vehicles, and disease diagnostics. This article introduces a groundbreaking approach to detecting AE by leveraging chaos-based multivariate features and space-filling curves (SFC). The authors present a thorough analysis of different SFC techniques, including Hilbert, zCurve, and ZigZag, to vectorize images and extract global and local spatial features. By combining these features with the generalized alignment index (GALI) and guided filters (GF), the proposed method achieves superior detection of minute imperfections introduced by adversaries. The article also includes extensive experimental results, comparing the proposed approach with state-of-the-art detection methods across multiple datasets and adversarial attacks. The findings demonstrate the robustness and efficiency of the proposed framework, making it a valuable contribution to the field of adversarial detection and cybersecurity.
Notes
A. Pedraza, O. Deniz, and G. Bueno contributed equally to this work.

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

1 Introduction

Deep neural networks (DNNs) have seen major advancements and have shown excellent performance in numerous fields, including image classification [1], autonomous vehicles [2], voice recognition [3], disease diagnostics [4] and natural language processing [5]. Numerous DNN-based applications are becoming increasingly vital to daily life, which raises serious safety and security issues. Recent studies reveal that adversarial examples (AE) pose a serious threat to DNNs, even though DNNs have achieved considerable success in many applications [6]. With small perturbations that are imperceptible to humans, these inputs can readily deceive a well-performing deep learning (DL) model.
Szegedy et al. [7] were the first to apply a barely visible perturbation to a legitimate input image, producing what has been termed an adversarial example. According to various reports, AE sometimes produce output that is uncommon or never observed in test data sets [6]. In order to deceive modern DNNs, an adversary can apply tiny perturbations \(\delta X\) to its test image \(X\) [8]. For the so-called un-targeted attack, \(\delta X\) is computed by minimizing the following cost function so that the prediction changes from the original class \(f(X)\) to a different class \(f(X+\delta X)\):
$$\begin{aligned} X' = X + \arg \min _{\delta X} \{||\delta X|| \;\; s.t. \;\; f(X+\delta X) \ne f(X) \} \end{aligned}$$
(1)
In targeted attacks, the input image is transformed using this cost function with the restriction that the AE must alter the predicted class to a pre-selected erroneous class, \(f(X+\delta X) = f(Y)\), where \(f(Y) \ne f(X)\).
Recently, a number of representative methods based on gray-box, white-box, and black-box threat models [9, 10] for producing AE have been put forth, such as DeepFool attack (DA), Projected Gradient Descent (PGD), Fast Gradient Sign Method (FGSM), Universal attack (UA), Boundary attack (BA) [11], HopSkipJump (HA) [12] and Elastic-Net Attacks (EAD) [13]. Therefore, it is crucial to have a mechanism that can identify these malicious inputs and stop them from moving forward in workflows for sensitive systems.
Meanwhile, research is also being conducted on defense mechanisms that aim to find these tiny alterations and indicate potentially harmful images [14]. In general, various defense methods have been effectively utilized in the detection of AE, which can be divided into model-specific defense and model-agnostic defense categories. Adversarial training (AT) [15] is a model-specific mechanism known as a heuristic defense: it works well to ward off certain attackers and is suitable for a specific attack category, but has no theoretical accuracy guarantees. AT attempts to improve the DL model’s robustness by incorporating adversarial samples into the training stage. Recently, various model-agnostic defense mechanisms have been developed that aim to generalize to other types of perturbations and explore transferability within and between various classes of ML classifier mechanisms [16]. Several approaches employ various pre-processing operations [17] to reduce the impact of perturbations in the input image domain, with the trade-off of poor classification performance due to the loss of crucial features. De-noising image classifiers are one method now being utilized to fight the problem of adversarial attacks while preserving the important features needed for classification. In this respect, researchers have come up with a technique to recover the ground truth from data that has been tampered with by the adversary [18].
Making pre-detection and filtering mechanisms that alert users to inputs that may be adversarial is another fascinating strategy that appears in the research on AE defense [19, 20]. For instance, Metzen et al. [21] proposed an inference technique that uses binary classification to distinguish between legitimate images and images with adversarial perturbations. They used a separate sub-network, called a detector, that was trained for the binary classification task. Subset scanning (SuS) [22] and Autoencoder detection (AuE) [23] are two further, closely related pre-detection based defense mechanisms. The SuS approach detects anomalous patterns of the neural networks (NN). It identifies anomalous inputs of neural networks for AE detection based on a scoring function driven by non-parametric scan statistics (NPSS) [24]. In the AuE approach, a model-dependent loss function based on Kullback-Leibler divergence was used to train the machine learning classifier. An instance and its symmetric counterpart are flagged using the adversarial score, which is based on the discrepancy between the classifier’s prediction distributions.

2 Background

Prabhu et al. [25] had the idea of training a one-class classifier to determine if the input sample is legitimate or adversarial using computed features based on chaos theory. For the first time, they demonstrated the viability of applying Lyapunov exponents (LEs), which were estimated using the images’ flattened 1-D vector representations using traditional row-wise raster scanning-based space-filling curve (R-LE). Based on the well-known fact that positive values in the first LEs are a strong indicator of chaos, they trained an isolation forest classifier (IFC) [26] on the first four LEs to detect adversarial images. Then, [27] expanded on this work with an emphasis on extracting the LEs from the networks rather than the input images, as this approach was more consistent with AE detection. In a way that is closely linked to the chaos theory-based methods stated above, Oscar et al. [28] further developed the work by generating LEs and spatial features from 1-D vector representations in column-wise raster scanning-based space-filling curve (RC-LE), which improved the capacity to identify chaos.
Due to the sensitivity to initial conditions and the presence of noise in the recorded time-series, positive LEs, by themselves, do not always indicate chaos [29]. Additionally, how we flatten the image has a significant impact on the computation of LEs and local features for chaos detection [25, 30]. However, this requires comprehensive studies on vectorization based on SFC that map images from 2-D space onto 1-D space for chaos detection. Peano et al. [31] introduced the first SFC, then Hilbert et al. [32] modified it to improve the spatial proximity of the SFC, giving the Hilbert SFC (henceforth H-SFC). Other versions are the zCurve SFC (henceforth zC-SFC) [33], the ZigZag SFC (henceforth Z-SFC) and the traditional row-wise SFC (henceforth R-SFC). Figure 1 illustrates four possible distinct SFC based vectorization techniques that are evaluated in the present approach.
Fig. 1
Depiction of possible distinct SFC based vectorization techniques
To bridge the research gaps mentioned above, a feature vector built on an efficient criterion for chaoticity detection and vectorization is needed. Motivated by these studies, the key contributions of the proposed mechanism (see Fig. 2) in this article are listed as follows:
1. To the best of our knowledge, we are pioneering the study of the problem of creating a 1-D vector from a 2-D space using SFC for chaos detection. We present a thorough analysis of a spatial proximity of SFC in chaos detection approach that outperforms other conventional SFC methods previously used.
2. By crafting global features that are based on the generalized alignment index (GALI) [34], we prevent false-alarms when the input images are legit. We show that GALI-based features can distinguish between chaotic behavior and non-chaotic activity with great clarity when applied on the AE and legit samples, respectively.
3. To strengthen the AE detection process, we also include the spatial features (SFs) computed from a guided filter (GF) [35]. Due to the spatial proximity aspect of SFC-based vectorization, two close pixels in 1-D space are likewise close in 2-D space, and we show that this aids in modeling the SFs of an image and obviously detects minute imperfections produced by the adversary.
Fig. 2
The proposed adversarial examples detection framework
The rest of this paper is organized as follows. A comprehensive analysis of the locality-preserving property of SFC in the proposed chaos detection approach is given in Sect. 2. In Sect. 2, we provide a description of the global and local spatial feature extraction mechanism based on GALI and GF, respectively. The experimental results are discussed in Sect. 3. Finally, the conclusion and future scope are summarized in Sect. 4.

3 Proposed method

In this section, we go through the specifics of the feature extraction approach developed. The main goal of our AE detection approach, as depicted in Fig. 2, is to extract features from vectorized images using chaos theory and GF. Specifically, we first analyze the impact of spatial-proximity of SFC on global and local features. Then, to distinguish between AE and legitimate samples, we develop a mechanism based on multivariate features that are randomly selected by the trained IFC classifier.

3.1 Estimation of GALI Features

Assume that there is a finite-length time-series \(x \in X\), obtained from a discrete m-dimensional SFC by a bijective mapping function \(F: [X^m]\longrightarrow [x]^m\) such that \(d(F(i),F(i+1))=1\) for all \(i \in [X^{m}-1]\) [32]. Here \(d(\cdot ,\cdot )\) represents the Euclidean metric. The mapping function F exploits spatial correlation to maintain spatial proximity so that two close pixels in x are likewise close in X.
In chaos theory, evaluation of the maximal Lyapunov exponent (MLE) \(\lambda _{i}\) [36], is the technique most frequently used to distinguish between order and chaos: if \(\lambda _{1}>0\) the orbit is chaotic. For a given finite length time-series x, the MLE is computed as follows:
$$\begin{aligned} \lambda _{i}= \lim _{n\rightarrow \infty } \frac{1}{n}{\sum _{i=0}^{n-1} \ln |f^{'}(x_{i})}| \end{aligned}$$
(2)
Recently, some authors have suggested that because of dependency on initial conditions and presence of white noise in x, the MLE on its own is not able to distinguish between a chaotic and a non-chaotic process [29, 37]. We show evidence of this in Fig. 3, which shows that the presence of one positive MLE does not always indicate that a given time-series contains chaos due to perturbation. We can see that, in addition to the positive value of \(\lambda _{1}\) for AE, the value of \(\lambda _{1}\) is often positive for legitimate images. Therefore, a robust measure based on establishing the relationship between LEs is required for detecting chaoticity caused by perturbation in a time-series x obtained from the SFC.
Fig. 3
A doughnut chart depicting the evaluation of MLE computed across 500 legitimate images of MNIST [38] dataset
Fig. 4
Influence of SFC on GALI features extracted from 500 AE and corresponding legit images that were randomly selected from MNIST [38] dataset. The AE were produced using the FGSM attack with \(\epsilon =0.3\). Best viewed in color
The GALI provides a relationship among LEs to estimate the exponential divergence of neighboring orbits for chaos detection [34]. The GALI of order k, for \(2 \le k \le 2N\), is defined at discrete time n as the norm of the exterior product of the k unit deviation vectors \(\overrightarrow{{\nu }_{1}}, \overrightarrow{{\nu }_{2}},...,\overrightarrow{{\nu }_{k}}\):
$$\begin{aligned} GALI_{k} (n)= \parallel \widehat{{\nu }}_{1}(n) \wedge \widehat{{\nu }}_{2}(n) \wedge ...\wedge \widehat{{\nu }}_{k}(n) \parallel \end{aligned}$$
(3)
where the hat \(\widehat{(\cdot )}\) denotes unit magnitudes of deviation vectors. After computing the k Lyapunov exponents \(\lambda _{1}, \lambda _{2},...,\lambda _{k}\), \(GALI_{k} (n)\) can be defined as:
$$\begin{aligned} GALI_{k} (n)\propto e^{{-[(\lambda _{1}-\lambda _{2})+(\lambda _{1}-\lambda _{3})+...+(\lambda _{1}-\lambda _{k})]n}} \end{aligned}$$
(4)
Considering first four LEs \((\lambda _{1},\lambda _{2},\lambda _{3},\lambda _{4})\), \({GALI_{4}}\) [39] is given by:
$$\begin{aligned} GALI_{4} (n)\propto e^{{-(3\lambda _{1}-\lambda _{2}-\lambda _{3}-\lambda _{4})n}} \end{aligned}$$
(5)
The underlying assumption of our method is that a classifier learns a mapping function that is generic enough to differentiate GALI feature extracted from perturbed image and its corresponding legit images. Indeed, valuable features that are separable from non-robust ones are adequate to reveal the presence of perturbation. Any non-robust feature becomes uncorrelated with the valuable feature when there is a perturbation, creating an adversarial vulnerability. In Fig. 4, the red circle points are \({GALI_{4}}\) feature of AE that have been perturbed by the FGSM attack with \(\epsilon =0.3\), while the blue circle points are \({GALI_{4}}\) feature of legit images. It can be seen in all of these projections that, with the exception of R-SFC, \({GALI_{4}}\) feature remains distinctly robust. The distribution of GALI features for legitimate examples is relatively low, whereas for AE, it is high, indicating a clear distinction between the two. Notably, zC-SFC, Z-SFC, and H-SFC effectively detect perturbations added to normal examples by adversarial attacks. zC-SFC and H-SFC are particularly effective, detecting adversarial perturbations where GALI feature values are higher than 0.3 in most cases, compared to Z-SFC and R-SFC. By integrating GALI features with SFs extracted using H-SFC, as discussed in the forthcoming subsections, the multivariate features detection method achieves improved detection results for AE.

3.2 Estimation of SFs based on edge-preserving filter

Due to the fact that AE are created by perturbing the source images with noise, small changes in the pixel space produce extremely significant noise in the feature space. Moreover, the adversarial image’s feature maps are active throughout semantically irrelevant regions, in contrast to the clean image’s features, which tend to concentrate largely on the image’s semantically informative regions like strong edges [40]. DNNs may be successfully fooled despite the fact that AE and legit images seem visually indistinguishable. DNNs are therefore capable of picking up on such minute variations which are added by the adversary. Therefore, it makes sense to wonder if we can tell the difference between AE and legit images by using these minute variations. Our investigation’s findings indicate that the answer is indeed positive (see Fig. 5).
Fig. 5
Influence of SFC on SFs extracted from 500 AE and corresponding legit images that were randomly selected from MNIST [38] dataset. For illustration purpose, the mean value of the N features that were calculated across each image is displayed. The AE were produced using the FGSM attack with \(\epsilon =0.3\). Best viewed in color
Motivated by residual learning [41], we believe that utilizing the edge-preserving property of GF to predict a residual can help us better understand the behavior of the perturbation added by the adversary. The GF can smooth out noise while retaining sharp edges [35, 42]. In a conceptual sense, a test image is made up of foreground and background layers, respectively, that contain significant features and perturbations produced by the adversary. By using a guidance image, GF directs the filtering process through a local linear model to find relationships among pixels. In our scenario, the test image \(X^{'}\) serves as a guide image G, which implies that significant features inside the local window \(\omega\) are anticipated to be well retained while background perturbations are smoothed out in the filtered output O. This bottleneck aids in the identification of perturbation required to differentiate between off-the-manifold and on-the-manifold features that belong to AE and legit images, respectively.
From Eq. 1, let \(x^{'} \sim x\) denote that the AE was generated by adding the perturbation \(x^{'} = x + r\), where \(r \simeq {\delta x}\) refers to the perturbation or noise added by the adversary. Lowercase represents the time-series obtained from SFC. For a given discrete test time-series \(x^{'}\) and guidance time-series g, the filtered output o within \(\omega\) having a size of \((2s+1)\) can be computed as follows:
$$\begin{aligned} o_{i}=a_{k}g_{i}+b_{k}; \quad {\forall }_{i}\in \omega _{k} \end{aligned}$$
(6)
where \(a_{k}\) and \(b_{k}\) are the linear coefficients which are calculated by minimizing the following cost function \(E(\cdot )\) [35]:
$$\begin{aligned} E(a_{k},b_{k})=\sum _{{i}\in \omega _{k}} [(a_{k}g_{i}+b_{k}-x^{'}_{i})^{2}]+\Upsilon a_{k}^{2}; \end{aligned}$$
(7)
where \(\Upsilon\) is the user defined regularization parameter to maintain stability of the whole. In our approach, SFs are computed inside a local window \(\omega\) of size (\(1\times 3\)), with \(s = 1\) as a default option.
In Eq. 7, the values of \(a_{k}\) and \(b_{k}\) are computed by linear regression [43]:
$$\begin{aligned} a_{k}=\frac{\frac{1}{|\omega |}\sum _{{i}\in \omega _{k}}g_{i}x^{'}_{i}-\mu _{k}\overline{x^{'}}_{k}}{\sigma _{k}^{2}+\Upsilon }; b_{k}= \overline{x^{'}}_{k}-a_{k}\mu _{k} \end{aligned}$$
(8)
Note that, in our perturbation detection approach \(g \equiv x^{'}\), and in this case, the two constants in Eq. 8 can be expressed as:
$$\begin{aligned} a_{k}=\frac{\sigma _{k}^{2}}{\sigma _{k}^{2}+\Upsilon }; \quad b_{k}= (1-a_{k})\mu _{k} \end{aligned}$$
(9)
In Eq. 7, the values of \(a_{k}\) and \(b_{k}\) are varying locally as they are calculated across different \(\omega _{k}\) containing pixel i. In order to increase the stability of the values of \(a_{k}\) and \(b_{k}\), it is required to average the equivalent values acquired in all windows \(\omega _{k}\) containing pixel i. Therefore, the final filtered output o can be computed from the average coefficients \(\overline{a}_{k}\) and \(\overline{b}_{k}\) as follows:
$$\begin{aligned} o_{i}=\overline{a}_{k}g_{i}+\overline{b}_{k}; \quad {\forall }_{i}\in \omega _{k} \end{aligned}$$
(10)
Then, spatial features \(SF_{i}\) could be derived as follows:
$$\begin{aligned} SF_{i}=\ln (|x_{i}^{'}-o_{i}|+1), \quad 1\le i \le N \end{aligned}$$
(11)
In Eq. 11, \(x_{i}^{'}-o_{i}\) corresponds to the residual or perturbation extracted from the test sample, and the parameter N depends upon the width and height of the test image. The following two cases describe how the GF distinguishes between robust features and perturbations:
1. Case 1: “Significant features.” High variance within \(\omega _{k}\) corresponds to the presence of robust features, which will yield \(\sigma _{k}^{2} \gg \Upsilon\), so \({a}_{k}\approx 1\) and \({b}_{k}\approx 0\). Therefore, significant features that belong to the foreground are preserved and do not exist in the residual layer.
2. Case 2: “Perturbations.” Low variance within \(\omega _{k}\) corresponds to the existence of perturbations, which will yield \(\sigma _{k}^{2} \ll \Upsilon\), so \({a}_{k}\approx 0\) and \({b}_{k}\approx \mu _{k}\). Therefore, these minute variations that belong to the background are filtered and do exist in the residual layer.
More specifically, the parameter \(\Upsilon\) determines the presence or absence of a perturbation in the test image. The evolution of the SFs extracted by the GF is illustrated in Fig. 5, demonstrating that SFs extracted from 500 legit images and corresponding AE utilizing various SFC still remain distinct and discernible. In order to check the influence of \(\Upsilon\), we evaluated the performance against the FGSM attack on MNIST, Fashion-MNIST (FMNIST), and CIFAR-10 datasets. Figure 6 shows the impact of \(\Upsilon\) on ACC. The performance analysis is based on arithmetic mean (AM) and average standard deviation (ASTD) of the ACC calculated across a set of 5-trials conducted under identical conditions. All trials in this performance analysis use H-SFC based vectorization due to its consistent performance across all datasets. The H-SFC vectorization in the suggested technique uses a \(32 \times 32\) grid size across all datasets. For FMNIST and CIFAR-10 datasets, as we increase \(\Upsilon\) the variations are found in the ACC till 0.03 and after the first nine iterations, performance becomes almost stable. The value of ACC, on the other hand, is saturated for MNIST at \(\Upsilon =0.001\) and remains stable after \(\Upsilon =0.003\). Moreover, the maximum ASTD in stable zones of all datasets is \(\pm 0.0245\). To be more precise, for the FMNIST and CIFAR-10 datasets, any value of \(\Upsilon\) greater than 0.03 can be chosen in order to attain a high value of ACC and the maximum \(\Upsilon\) value is restricted to 0.1.
Fig. 6
Sensitivity analysis of the free parameter: impact of \(\Upsilon\) on ACC for FGSM attack in the MNIST [38], FMNIST [44] and CIFAR-10 [45] datasets using H-SFC vectorization
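Equations 9 to 11 and the two cases above, as an added example in plain Python (not the authors' implementation): a self-guided 1-D filter with \(s=1\) applied to a constructed step-edge series with and without a small alternating perturbation. The series, the perturbation amplitude 0.02, \(\Upsilon =0.01\) and the clamping of windows at the series ends are assumptions made for the illustration.

```python
from math import log


def guided_coefficients(x, upsilon=0.01, s=1):
    """Per-window a_k and b_k of Eq. 9 (guide g == x'), window size 2s+1."""
    if upsilon <= 0:
        # With upsilon = 0 the filter returns x' itself and the residual vanishes.
        raise ValueError("upsilon must be > 0")
    a, b = [], []
    for k in range(len(x)):
        win = x[max(0, k - s):k + s + 1]       # clamped at the ends (assumption)
        mu = sum(win) / len(win)
        var = sum((v - mu) ** 2 for v in win) / len(win)
        a_k = var / (var + upsilon)
        a.append(a_k)
        b.append((1.0 - a_k) * mu)
    return a, b


def filtered_output(x, upsilon=0.01, s=1):
    """Eq. 10: average a_k, b_k over every window that contains sample i."""
    a, b = guided_coefficients(x, upsilon, s)
    out = []
    for i in range(len(x)):
        lo, hi = max(0, i - s), min(len(x), i + s + 1)
        a_bar = sum(a[lo:hi]) / (hi - lo)
        b_bar = sum(b[lo:hi]) / (hi - lo)
        out.append(a_bar * x[i] + b_bar)
    return out


def spatial_features(x, upsilon=0.01, s=1):
    """Eq. 11: SF_i = ln(|x'_i - o_i| + 1), the log-compressed residual."""
    o = filtered_output(x, upsilon, s)
    return [log(abs(xi - oi) + 1.0) for xi, oi in zip(x, o)]


def mean_sf(x, upsilon=0.01, s=1):
    """Mean spatial feature of a series (the quantity plotted per image in Fig. 5)."""
    sf = spatial_features(x, upsilon, s)
    return sum(sf) / len(sf)


# Constructed sample: a vectorized "image" with one strong edge, and the same
# series with a small alternating-sign perturbation added to every sample.
CLEAN = [0.2] * 8 + [0.9] * 8
PERTURBED = [v + (0.02 if i % 2 == 0 else -0.02) for i, v in enumerate(CLEAN)]

if __name__ == "__main__":
    a_clean, _ = guided_coefficients(CLEAN)
    a_pert, _ = guided_coefficients(PERTURBED)
    print("a at the edge (clean):      %.3f" % a_clean[7])   # Case 1, close to 1
    print("a in flat region (perturb): %.3f" % a_pert[3])    # Case 2, close to 0
    print("mean SF clean:     %.4f" % mean_sf(CLEAN))
    print("mean SF perturbed: %.4f" % mean_sf(PERTURBED))
```

The edge window keeps \(a_{k}\) near 1, so the edge stays out of the residual, while the low-variance perturbed regions get \(a_{k}\) near 0 and their perturbation shows up in \(SF_{i}\).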
As depicted in Fig. 2, we use these SFs combined with GALI features to distinguish between AE and normal examples. According to the quantitative analysis depicted in Fig. 6, any \(\Upsilon\) value larger than zero improves the performance of the AE detection algorithm. It should be noted that with \(\Upsilon =0\), only the GALI feature is effectively utilized for AE detection. On the other hand, based on multivariate features, the IFC aims to learn a mapping function \(C: \mathbb {X}\rightarrow \{-1,1\}\) to predict whether the input sample is \(X^{'}\) or X, where \(\mathbb {X}\) is the set of all test samples. If the feature vector obtained from the combined multivariate features is off-the-manifold, then the detector flags it \(X^{'}\) otherwise X. A pseudocode of the proposed approach is given in Algorithm 1.
Algorithm 1
Pseudocode of AE Detection Based on Multivariate Features

4 Experiments and results

In this section, we compare the performance of different AE detection methods on 7 types of attacks and provide suggestions for the SFC that will work the best in place of the conventional raster scanning. We evaluate our proposed SFC based methods and compare them with four state-of-the-art adversarial detection methods: SuS [22], AuE [23], R-LE [25] and RC-LE [28]. 5-trials were taken into account to assess the robustness of the ACC and Area Under the Curve (AUC) with respect to AM and ASTD on the MNIST, FMNIST, and CIFAR-10 datasets. Despite being trained explicitly for each dataset, the model architecture stayed the same for all cases to maintain consistency among tests. The parameter settings used for the networks, SFC and attacks used in this article are shown in Table 1.
Table 1
Parameter settings used for the networks, SFC and attacks

| Name | Parameters set |
|---|---|
| NN | 06 convolution blocks; \(3 \times 3\) kernel size with 32, 64 and 128 filters; 10 epochs; rectified linear unit (ReLU) activation; max pooling with \(2 \times 2\) kernel size; 0.4 dropout |
| SFC | H-SFC: \(32 \times 32\) grid size |
| BA | 0.01 delta; 0.01 epsilon; 0.667 step size; 100 iterations; 25 number of trial |
| EAD | 0.01 beta; 0.01 learning rate; 1000 iterations; 0.001 trade-off constraint fast iterative shrinkage-thresholding algorithm (FISTA); 9 binary search steps; ElasticNet decision rule |
| PGD | 0.3 epsilon; 10 iterations; \(L_\infty\) norm |
| UA | 0.2 delta; 20 iterations; 10.0 epsilon |
| HA | 500 number of model evaluations; 10 iterations |
| DA | 0.02 overshoot; 50 iterations |
| FGSM | 0.3 epsilon; \(L_\infty\) norm |

For the MNIST datasets (see top row Fig. 7), Z-SFC outperforms other AE detection techniques with low ASTD in the majority of attacks in terms of ACC. The maximum ASTD value achieved by Z-SFC is \(\pm 0.0057\). With a low ACC value as a trade-off, SuS technique has the lowest ASTD value in all cases. Additionally, zC-SFC, H-SFC, and S-SFC performed well, with the exception of EAD, with more than \(97\%\) AUC for most of the attacks. With an AUC of more than \(94\%\) and low ASTD value, Z-SFC surpasses all other approaches against all attacks. Additionally, it should be noted that Z-SFC and zC-SFC, when compared to BA, PGD, UA, and FGSM, achieve the lowest value of ASTD of \(\pm 0\). With the exception of EAD, the performance of H-SFC based AE detection is consistent with \(99\%\) AUC.
Fig. 7
Comparative analysis of proposed SFC based methods and four state-of-the-art AE detection methods on MNIST [38], FMNIST [44] and CIFAR10 [45] datasets. Best viewed in color
In the case of FMNIST datasets (see second row Fig. 7), the RC-LE based AE detection approach outperforms with more than \(98\%\) (\({\le }{\pm 0.008}\)) ACC in PGD, UA and FGSM. In contrast, H-SFC has ACC in PGD, UA, and FGSM that is more than \(90\%\) (\({\le }{\pm 0.019}\)) and \(94\%\) (\({\le }{\pm 0.012}\)), respectively. Besides this, we can notice that the performance of S-SFC and Z-SFC is close to \(91\%\) (\({\le }{\pm 0.014}\)) and \(90\%\) (\({\le }{\pm 0.026}\)), respectively. This suggests that AE detection based on SFC yields satisfactory performance in PGD, UA and FGSM. In EAD and HA, zC-SFC has performed well as compared to other approaches. Similar to MNIST datasets, the proposed AE detection approaches yield very good performance in BA. In particular, the conventional S-SFC and H-SFC yield ACC values of \(89.6\%\) (\(\pm 0.02\)) and \(87.4\%\) (\(\pm 0.008\)), respectively. In DA, the performance of the proposed approaches is better than AuE, SuS and R-LE, which offered encouraging evidence for the viability of our AE detection strategy. In terms of AUC, H-SFC outperforms in PGD, UA and FGSM with \(100\%\) (\(\pm 0\)) performance. Furthermore, H-SFC performs best in DA with \(94\%\) (\(\pm 0.01\)) AUC. It can be observed that in BA and HA, zC-SFC outperforms with \(97.2\%\) (\(\pm 0.008\)) and \(90.8\%\) (\(\pm 0.02\)). Additionally, zC-SFC in EAD has the highest performance with \(71.5\%\) in terms of AUC but a higher value of ASTD, i.e. \(\pm 0.04\).
On CIFAR-10 dataset, Fig. 7 bottom row compares SFC based approaches with four state-of-the-art AE detection techniques that includes AuE, SuS, R-LE and RC-LE. We can observe that, with the exception of PGD and DA, H-SFC surpasses other approaches in terms of ACC. While H-SFC is the top performer among the SFC implemented in this study, its performance is comparable to that of RC-LE with an ACC of \(89.4\%\) (\(\pm 0.018\)). Despite the fact that H-SFC outperforms all other SFC implemented in this study in terms of ACC, its performance of \(87.4\%\) (\(\pm 0.021\)) puts it closer to RC-LE in the PGD, which is the best. In addition to that, it is evident that the H-SFC performs poorly on the DA.
In terms of AUC, H-SFC achieves the greatest outcomes in PGD, UA, and FGSM with more than \(99\%\) (\({\le }{\pm 0.007}\)). Additionally, when compared to other approaches, the performance of H-SFC in BA, EAD and HA is excellent. The performance of H-SFC in terms of AUC is subpar in DA, much like ACC. As a result, the EAD attack, one of the seven adversarial attacks evaluated in this paper, exhibits significant resilience to the majority of AE detection techniques, whereas the H-SFC based AE detection strategy consistently outperformed others. In this paper, all adversarial attacks are implemented in Python using the Adversarial Robustness Toolbox (ART) [46].
Since the proposed AE detection approach is model-agnostic, we calculated the computational time by considering the feature extraction time and inference time of the IFC. Table 2 presents the average times taken by a single image for all three datasets, averaged over 5-trials using the H-SFC implementation. The trials were conducted with a 32 \(\times\) 32 grid size for TS representation. For feature extraction, 4 LEs were used for GALI feature extraction and SFs with a local window size of (1\(\times\)3). The models were trained on a Linux machine running Ubuntu 14.0, equipped with an NVIDIA GeForce RTX 3070 GPU. Note that the method is computationally efficient, providing a strong mechanism to effectively detect AEs with low computation time. The average total detection time over 5-trials for a single image across all three datasets is 0.761 s, which includes feature extraction and inference time.
Table 2
The average time (in seconds) taken to run experiments on the MNIST, FMNIST, and CIFAR-10 datasets over 5-trials. \(T_{t}\) represents the total time taken by the algorithm per image, including feature extraction and inference of the IFC. \(T_{c}\) is the time taken by the IFC to classify whether the input image is a legitimate sample or an AE. \(T_{f}\) is the time taken for feature extraction of a single image

| Dataset | \(T_{f}\) | \(T_{c}\) | \(T_{t}\) |
|---|---|---|---|
| MNIST | 0.813 | 0.036 | 0.849 |
| FMNIST | 0.624 | 0.037 | 0.661 |
| CIFAR-10 | 0.736 | 0.036 | 0.772 |
| Average | 0.725 | 0.036 | 0.761 |

4.1 Impact of perturbation level

It is essential to objectively and meaningfully evaluate the robustness of the proposed approach against fluctuation in the noise amount \(\epsilon\) due to the unpredictable nature of the perturbation level introduced by the adversary. In this subsection, the influence of \(\epsilon\) on the ACC with MNIST, FMNIST and CIFAR-10 datasets is analyzed, which is illustrated in Fig. 8. All other parameters are kept constant while employing H-SFC vectorization to examine the impacts of \(\epsilon\). Here, we hypothesise that the suggested strategy would produce \(100\%\) ACC at the lowest degree of perturbation \(\epsilon =0\). From the illustration, we can notice that the influence of \(\epsilon\) on the ACC value during AE detection in the MNIST dataset is minimal. As the level of perturbation rises, the ACC value remains practically constant. The maximum ASTD in stable zones of MNIST datasets is \(\pm 0.016\). For the FMNIST and CIFAR-10 datasets, there are some performance variations, with a maximum ASTD value of \(\pm 0.029\) with 5-trials. This indicates that the performance is consistent regardless of perturbation level. Thus, no matter which \(\epsilon\) value is chosen by the adversary, the suggested AE detection approach performs consistently well in these three datasets.
Fig. 8
Impact of \(\epsilon\) on ACC with 5-trials for FGSM attack in the MNIST [38], FMNIST [44] and CIFAR-10 [45] datasets using H-SFC vectorization

5 Conclusion and future work

In this paper, we proposed an AE detection approach based on multivariate features and SFC. We demonstrated that two pixels that are close in 1-D space are likewise close in 2-D space, owing to the spatial proximity property of SFC-based vectorization; this aids in modeling the SF and GALI features of an image and clearly detects minute imperfections introduced by the adversary. The features extracted using chaos detection and GF offered encouraging evidence for the viability of our AE detection mechanism. The suggested SFC-based approaches performed better in the quantitative analysis. Additionally, we found that, among all the SFC-based techniques applied, the H-SFC approach significantly improves the performance of AE detection mechanisms. This work could enhance the performance of defensive systems against AE, which has significant implications for the use of DNNs in several fields, including security.
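The locality property stated above can be checked numerically. The following is an added example, not the authors' code: it vectorizes a square image along a Hilbert curve and a Z-order curve, with a row-major scan as a non-SFC baseline, and measures how far apart consecutive 1-D samples lie in 2-D and into how many 1-D runs a quadrant-aligned 4×4 patch is split. All function names and the sample patch are assumptions made for illustration.

```python
import numpy as np

def hilbert_d2xy(order, d):
    """Index d on a Hilbert curve -> (x, y) on a 2**order square grid."""
    x = y = 0
    s, t = 1, d
    while s < (1 << order):
        rx = 1 & (t // 2)
        ry = 1 & (t ^ rx)
        if ry == 0:                      # rotate/flip the current sub-square
            if rx == 1:
                x, y = s - 1 - x, s - 1 - y
            x, y = y, x
        x, y = x + s * rx, y + s * ry
        t //= 4
        s *= 2
    return x, y

def zcurve_d2xy(order, d):
    """Index d on a Z-order (Morton) curve: de-interleave the bits of d."""
    x = y = 0
    for b in range(order):
        x |= ((d >> (2 * b)) & 1) << b
        y |= ((d >> (2 * b + 1)) & 1) << b
    return x, y

def raster_d2xy(order, d):
    """Row-major scan, used here only as a non-SFC baseline."""
    return d % (1 << order), d >> order

CURVES = {"hilbert": hilbert_d2xy, "zcurve": zcurve_d2xy, "raster": raster_d2xy}

def curve_coords(kind, order):
    """(N, 2) array of the (x, y) pixels visited by the curve, in 1-D order."""
    return np.array([CURVES[kind](order, d) for d in range(4 ** order)])

def vectorize(img, kind):
    """Flatten a square 2**k x 2**k image along the chosen curve."""
    xy = curve_coords(kind, img.shape[0].bit_length() - 1)
    return img[xy[:, 1], xy[:, 0]]

def max_step(kind, order):
    """Largest 2-D Manhattan distance between neighbours in the 1-D signal."""
    xy = curve_coords(kind, order)
    return int(np.abs(np.diff(xy, axis=0)).sum(axis=1).max())

def patch_runs(kind, img_shape, y0, x0, size):
    """Number of separate 1-D runs a size x size 2-D patch is split into."""
    mask = np.zeros(img_shape, dtype=int)
    mask[y0:y0 + size, x0:x0 + size] = 1      # constructed local perturbation
    v = vectorize(mask, kind)
    return int((np.diff(np.concatenate(([0], v))) == 1).sum())

if __name__ == "__main__":
    for k in CURVES:
        print(k, max_step(k, 4), patch_runs(k, (16, 16), 8, 4, 4))
```

On a 16×16 grid only the Hilbert ordering keeps every pair of consecutive samples adjacent in the image; the Z-order and raster orderings both contain jumps as large as the image width. A patch that is not aligned to the curve's quadrants can split into more runs than the aligned case measured here.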
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.


Literature
1. Krizhevsky A, Sutskever I, Hinton GE (2017) Imagenet classification with deep convolutional neural networks. Commun. ACM 60(6):84–90
2. Martínez-Díaz M, Soriguera F (2018) Autonomous vehicles: theoretical and practical challenges. Transportation Research Procedia 33:275–282. XIII Conference on Transport Engineering, CIT2018
3. Radford A, Kim JW, Xu T, Brockman G, McLeavey C, Sutskever I (2022) Robust speech recognition via large-scale weak supervision. arXiv preprint arXiv:2212.04356 [eess.AS]
6. Long T, Gao Q, Xu L, Zhou Z (2022) A survey on adversarial attacks in computer vision: Taxonomy, visualization and future directions. Comput Security 121:102847
7. Szegedy C, Zaremba W, Sutskever I, Bruna J, Erhan D, Goodfellow I, Fergus R (2013) Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199
8. Goodfellow IJ, Shlens J, Szegedy C (2015) Explaining and harnessing adversarial examples. International Conference on Learning Representations (ICLR)
9. Liu Y, Chen X, Liu C, Song D (2017) Delving into transferable adversarial examples and black-box attacks. arXiv preprint arXiv:1611.02770
10. Papernot N, McDaniel P, Goodfellow I (2016) Transferability in machine learning: from phenomena to black-box attacks using adversarial samples. arXiv preprint arXiv:1605.07277
11. Brendel W, Rauber J, Bethge M (2017) Decision-based adversarial attacks: Reliable attacks against black-box machine learning models. arXiv preprint arXiv:1712.04248
12. Chen J, Jordan MI, Wainwright MJ (2020) HopSkipJumpAttack: A query-efficient decision-based attack. In: 2020 IEEE Symposium on Security and Privacy (sp), pp. 1277–1294. IEEE
14. Hashemi AS, Mozaffari S (2019) Secure deep neural networks using adversarial image generation and training with noise-gan. Comput Security 86:372–387
15. Tramèr F, Kurakin A, Papernot N, Goodfellow I, Boneh D, McDaniel P (2017) Ensemble adversarial training: Attacks and defenses. arXiv preprint arXiv:1705.07204
16. Blau T, Ganz R, Kawar B, Bronstein A, Elad M (2022) Threat model-agnostic adversarial defense using diffusion models. arXiv preprint arXiv:2207.08089 [cs.CV]
17. Mustafa A, Khan SH, Hayat M, Shen J, Shao L (2020) Image super-resolution as a defense against adversarial attacks. IEEE Transact Image Process 29:1711–1724
18. Samuel H, Fazle K, Houshang D (2021) Generating adversarial samples on multivariate time series using variational autoencoders. IEEE/CAA J Automatica Sinica 8(9):1523–1538
19. Grosse K, Manoharan P, Papernot N, Backes M, McDaniel P (2017) On the (statistical) detection of adversarial examples. arXiv preprint arXiv:1702.06280 [cs.CR]
20. Feinman R, Curtin RR, Shintre S, Gardner AB (2017) Detecting adversarial samples from artifacts. arXiv preprint arXiv:1703.00410 [stat.ML]
21.
22. Speakman S, Sridharan S, Remy S, Weldemariam K, McFowland E (2018) Subset scanning over neural network activations. arXiv preprint arXiv:1810.08676 [cs.LG]
23. Vacanti G, Looveren AV (2020) Adversarial detection and correction by matching prediction distributions. arXiv preprint arXiv:2002.09364 [cs.LG]
24. Em III, Speakman S, Neill DB (2013) Fast generalized subset scan for anomalous pattern detection. J Mach Learning Res 14(12):1533–1561
25. Prabhu VU, Desai N, Whaley J (2017) On Lyapunov exponents and adversarial perturbation. Deep Learning Security Workshop (Singapore)
27. Pedraza A, Deniz O, Bueno G (2022) Lyapunov stability for detecting adversarial image examples. Chaos, Solitons Fractals 155:111745
28.
29. Fernández-Rodríguez F, Sosvilla-Rivero S, Andrada-Félix J (2005) Testing chaotic dynamics via Lyapunov exponents. J Appl Econom 20(7):911–930
30. Anibal P, Oscar D, Gloria B (2020) Approaching adversarial example classification with chaos theory. Entropy 22(11):1201
31. Peano G (1980) Sur une courbe, qui remplit toute une aire plane. IEEE Transact Image Process 36(1):157–160
32. Hilbert D (1935) Über die stetige abbildung einer linie auf ein flächenstück. Dritter Band: Analysis \(\cdot\) Grundlagen der Mathematik \(\cdot\) Physik Verschiedenes: Nebst Einer Lebensgeschichte, 1–2
33. Tropf H, Herzog H (1981) Multidimensional range search in dynamically balanced trees. Angew Inform 23:71–77
34. Skokos C, Bountis TC, Antonopoulos C (2007) Geometrical properties of local dynamics in hamiltonian systems: The generalized alignment index (GALI) method. Physica D: Nonlinear Phenomena 231(1):30–54
35. He K, Sun J, Tang X (2010) Guided image filtering. In: Daniilidis K, Maragos P, Paragios N (eds) Comput Vision - ECCV 2010. Springer, Berlin, Heidelberg, pp 1–14
36. Goldsmith M (2009) The maximal Lyapunov exponent of a time series. A Thesis in The Department of Computer Science, Concordia University, Montreal, Canada
38. Bottou L, Cortes C, Denker JS, Drucker H, Guyon I, Jackel LD, Le Cun Y, Muller UA, Säckinger E, Simard P, Vapnik V (1994) Comparison of classifier methods: a case study in handwritten digit recognition. In: Proceedings of the 12th IAPR International Conference on Pattern Recognition, Conference B: Computer Vision & Image Processing, vol. 2, pp. 77–82. IEEE, Jerusalem
39. S Charalampos H, G Georg A, Jacques L (2016) Chaos Detection and Predictability vol. 915. Springer, Heidelberg
40. Xie C, Wu Y, Maaten L, Yuille AL, He K (2019) Feature denoising for improving adversarial robustness. In: 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), pp. 501–509. IEEE Computer Society, Los Alamitos, CA, USA
41. Zhang K, Zuo W, Chen Y, Meng D, Zhang L (2017) Beyond a gaussian denoiser: Residual learning of deep CNN for image denoising. IEEE Transact Image Process 26(7):3142–3155
42. Singh H, Kumar V, Bhooshan S (2014) A novel approach for detail-enhanced exposure fusion using guided filter. The Scientific World Journal, Hindawi, 1–8
43. Draper NR, Smith H (1998) Appl Regression Anal, vol 326. John Wiley & Sons, New Jersey
44. Xiao H, Rasul K, Vollgraf R (2017) Fashion-mnist: a novel image dataset for benchmarking machine learning algorithms. CoRR arXiv:1708.07747
45. Krizhevsky A, Hinton G, et al (2009) Learning multiple layers of features from tiny images. Technical Report TR-2009
46. Nicolae M, Sinn M, Minh TN, Rawat A, Wistuba M, Zantedeschi V, Molloy IM, Edwards B (2018) Adversarial robustness toolbox v0.2.2. CoRR arXiv:1807.01069
Metadata
Title
Adversarial Examples Detection with Chaos-Based Multivariate Features
Authors
Harbinder Singh
Anibal Pedraza
Oscar Deniz
Gloria Bueno
Publication date
11-05-2025
Publisher
Springer Berlin Heidelberg
Published in
International Journal of Machine Learning and Cybernetics
Print ISSN: 1868-8071
Electronic ISSN: 1868-808X
DOI
https://doi.org/10.1007/s13042-025-02657-2