Security and Communication Networks

Research Article

From Spatial to Spectral Domain, a New Perspective for Detecting Adversarial Examples

Table 4

Comparison of AUC (%) under various evaluation setups. Our method HLFD takes the last two layers of representation and the mid-high and high-frequency regions as input. The norm of perturbation of MNIST is 2.8, the norm of T-ImageNet is 22, and the other three datasets are all = 5.5.


Dataset	Detector	Detection of six attack methods
Dataset	Detector	FGSM	BIM	PGD	JSMA	CW	DF

MNIST	KD + PU	90.4	92.5	88.9	85.3	89.8	83.1
	LID	92.8	87.9	85.2	89.5	85.3	90.4
	M-D	97.6	99.1	98.5	92.7	88.6	84.3
	HLFD (ours)	99.8	98.5	99.1	89.4	95.4	92.8

SVHN	KD + PU	85.4	80.5	85.4	75.6	76.5	86.3
	LID	95.8	75.6	86.4	85.2	84.7	88.9
	M-D	99.4	96.3	94.3	87.6	82.5	92.5
	HLFD (ours)	99.5	99.4	97.4	95.6	93.4	89.5

CIFAR-10	KD + PU	83.4	95.2	94.5	82.4	65.4	72.5
	LID	94.2	93.5	93.8	85.4	80.5	84.3
	M-D	97.5	98.1	98.6	90.7	83.2	87.5
	HLFD (ours)	99.5	98.6	98.8	94.5	95.6	92.6

CIFAR-100	KD + PU	92.3	89.5	90.1	84.5	65.4	68.4
	LID	98.5	95.4	96.7	82.6	70.5	75.6
	M-D	99.2	97.1	96.4	89.3	78.9	82.9
	HLFD (ours)	99.7	99.4	97.5	96.4	86.4	85.3

T-ImageNet	KD + PU	85.4	90.5	88.2	73.6	62.5	69.8
	LID	86.2	88.4	89.3	77.2	65.6	64.2
	M-D	92.5	87.7	85.4	72.2	75.4	79.5
	HLFD (ours)	94.3	91.5	86.4	88.6	80.4	78.3