AED-PADA:Improving Generalizability of Adversarial Example Detection via Principal Adversarial Domain Adaptation

The majority of existing adversarial example detection methods rely on statistical features (HendrycksG17, ; magnet, ; FarAwayDis1, ; FarAwayDis2, ; Hidden4, ; Erase-and-Restore, ). They usually assume that the benign and adversarial examples originate from different distributions, and construct detectors based on the distinct statistical characteristics of these examples. Specifically, Grosse et al. (STest1, ) utilize Maximum Mean Discrepancy for the adversarial example detection. Li et al. employ Principal Component Analysis (PCA) to extract statistical feature, and construct a cascade classifier based on Support Vector Machines (SVMs) (PCAInconsistency, ). Feinman et al. (KDBU, ) carry out the detection based on Kernel Density (KD) and Bayesian-Uncertainty (BU) estimation. Ma et al. (lid, ) exploit the concept of Local Intrinsic Dimensionality (LID) to calculate the distance between the distribution of inputs and their neighbors. Lee et al. (md, ) utilize Guassian Discriminant Analysis (GDA) to model the difference between the benign and adversarial samples, and differentiate them based on Mahalanobis Distance (MD). Liu et al. (steg, ) point out that steganalysis could be applied to adversarial example detection, and propose a steganalysis-based detection method (Steg). Tian et al. (SID, ) reveal the inconsistency in the boundary fluctuations between the adversarial and benign examples, and construct Sensitivity Inconsistency Detector (SID) to identify the adversarial examples. Wang et al. (txt_advdetection, ) embed hidden-layer feature maps of DNNs into word vectors, and detect adversarial examples via Sentiment Analysis (SA).

Existing adversarial detection methods exhibit poor generalization because their training typically depends on a single known attack which vastly differs from unseen test attacks. In this paper, we propose a novel adversarial detection method, which can substantially increase the coverage of the entire adversarial feature space and create larger overlap with the test adversarial attacks.

Transfer learning (transfer_learning_survey1, ; transfer_learning_survey2, ; transfer_learning_survey3, ) is a deep learning technique which leverages knowledge acquired from the source task(s) to improve learning efficiency and performance on a related but different target task. Unsupervised domain adaptation (UDA) (unsuperviesed_domain_adaptation1, ) is a type of popular method in transfer learning which aims to migrate knowledge learned from the labeled source domain(s) to the target domain, where only unlabeled target data are available for training. Single-source Unsupervised Domain Adaptation (SUDA) (single-uda1, ; single-uda2, ; single-uda3, ) is widely explored in the previous research, which can transfer knowledge from one single source to one target domain. Compared to SUDA, Multi-source Unsupervised Domain Adaptation (MUDA) acquires richer information while introduces a new challenge, i.e., how to effectively bridge the domain gaps between all source domains and the target domain.

Various distribution alignment schemes have been proposed to achieve alignment between source and target domains. For example, Multiple Feature Spaces Adaptation Network (MFSAN) (aaai-mda, ) leverages Maximum Mean Discrepancy (MMD) to align the distributions of each pair of source and target domains in multiple specific feature spaces and aligns the outputs of classifiers by utilizing the domain-specific decision boundaries. Peng et al. (moment-mda, ) provide new theoretical insights specifically for moment matching to align the sources with each other and with the target. Owing to the development of generative adversarial networks, adversarial learning is widely used to find a domain-invariant feature space. It either focuses on approximating all combinations of pairwise domain discrepancies between each source and the target (cocktail, ; DARN, ) or uses a single domain discriminator (MIAN, ). Other explicit measures of discrepancy, such as Wasserstein distance (mdmn, ; Wasserstein, ), are also employed in MUDA to align the distribution of features. In addition to distribution alignment, the graph-matching metric (graph-muda1, ; graph-muda2, ) also considers the structural and geometric information, which achieves the alignment between the source and target domains by mapping both nodes and edges in a graph.

In this paper, we argue that the poor generalization performance of adversarial detection is due to the significant discrepancy between the source domains utilized for training and the target domain utilized for testing. Therefore, based on the MUDA approach, we propose a viable solution, Principal Adversarial Domain Adaptation, to reduce this great gap.

Suppose we have a labeled $C-$class classification dataset $\mathbb{D}=\{(x_{i},y_{i})\}_{i=1}^{N}$ with $N$ samples, where the label $y\in\{1,2,\ldots,C\}$. A classifier $f$ is trained on $\mathbb{D}$ to classify an input sample into one of the $C$ classes, $f(x)\rightarrow\mathbb{Z}_{C}$. Adversarial attack $\psi$ aims to fool $f$ into assigning incorrect labels via generating adversarial examples. We have a set of adversarial attack methods, $\Psi=\{\psi^{m}\}_{m=1}^{M}$, which consists of $M$ distinct adversarial attack methods. $\mathbb{D}^{m}=\{(x_{i}^{m},y_{i}^{m})\}_{i=1}^{N}$ is the adversarial dataset generated by the $m$-th adversarial attack method $\psi^{m}$, where $x_{i}^{m}$ denotes the $i$-th adversarial example generated by the $m$-th adversarial attack $\psi^{m}$, and $y_{i}^{m}$ presents its corresponding prediction label. We define $\varphi$ as, $\varphi(x_{i}^{m})=\psi^{m}$, which is a mapping from an adversarial example to its attack method. Consequently, we construct a set of adversarial examples $\mathcal{D}$ based on $\mathbb{D}$, which comprises $M$ types of adversarial examples, $\mathcal{D}=\{\mathbb{D}^{m}\}_{m=1}^{M}$.

Typically, when we extract the features of the adversarial examples, which are generated from different untargeted attacks via common CNNs, the features tend to spread in an indistinguishable manner in the feature space. To acquire distinguishable representations of adversarial examples from different attacks, we exploit adversarial supervised contrastive learning (Adv-SCL) to extract features. Then, we form the Adversarial Domains (ADs), each of which is defined as the representations of all the adversarial examples generated from a particular adversarial attack.

Based on the supervised contrastive learning (SCL) method (KhoslaTWSTIMLK20, ), Adv-SCL neglects the classification result of the adversarial examples and focuses sorely on identifying their generation methods. Specifically, each adversarial example $x_{i}^{m}$ in $\mathcal{D}$ is characterized by the method used to generate it, i.e., the adversarial attack method $\psi^{m}$. The $\psi^{m}$ of the adversarial example $x_{i}^{m}$ serves as a key discriminant for determining whether different $x_{i}^{m}$ are positive or negative samples. Here, a pair of examples from the same attack are considered as positive, while those from different attacks are considered as negative. This learning strategy amplifies the dissimilarities across examples from various attacks and generates a more appropriate representation.

As shown in Fig. 2(a), the input of AD acquisition is the adversarial example set $\mathcal{D}$. Adv-SCL consists of an Encoder Network ($Enc$) and a Projection Network ($Proj$). $Enc(\cdot)$ extracts a feature vector from the input adversarial example $x_{i}^{m}$, and $Proj(\cdot)$ further projects this representation vector to an auxiliary vector $z_{i}=Proj(Enc(x_{i}^{m}))$, which will be discarded after training.

(transforming1, ; transform2, ) investigate that transformation strategies, such as cropping and rescaling, bit-depth reduction, JPEG compression, and randomization, have been used to defend against adversarial examples. Therefore, in order to prevent any potential ineffectiveness of adversarial samples caused by transformations, we only use normalization ($Norm$) as the data augmentation operation in the stage of AD Acquisition.

We randomly sample $n$ example-label pairs in $\mathcal{D}$, $\{(x_{k}^{m_{k}},y_{k}^{m_{k}})\}_{k=1}^{n}$, where $m_{k}$ is the adversarial attack of the $k$-th adversarial example. The corresponding batch employed for training consists of $2n$ pairs, $\{(\tilde{x}_{l},\tilde{y}_{l})\}_{l=1}^{2n}$, where $\tilde{x}_{2k}$ and $\tilde{x}_{2k-1}$ are two views of $x_{k}^{m_{k}}$, and they are from the same adversarial attack method $\psi^{m_{k}}$. The loss function of Adv-SCL is defined as,

Here, $i\in I=\{1,\ldots,2n\}$ denotes the index of the augmented samples. $A(i)$ is a subset of $I$ which includes all indexes except $i$. $P(i)=\{p\in A(i):\varphi(\tilde{x}_{p})=\varphi(\tilde{x}_{i})\}$ represents the indices of positive samples in the batch except $i$, and $|P(i)|$ stands for its cardinality. $\cdot$ denotes the dot product. $\tau$ is the temperature parameter which scales the similarity values.

After the acquisition of ADs, we obtain $\mathbb{H}^{m}=Enc(\mathbb{D}^{m})$ as AD of the corresponding adversarial attack $\psi^{m}$. For $\mathcal{D}$, we construct a set of ADs, $\mathcal{H}=\{\mathbb{H}^{m}\}_{m=1}^{M}$. Since different ADs tend to distribute differently in the feature space and many of them possess various portions of overlaps, it is quite difficult to directly select the most representative ADs from scratch. Then, it is vital to explore the similarities among different ADs.

To address this issue, we intend to perform the selection via two steps, i.e., clustering to assess the similarities of ADs and selecting the most representative ADs from each cluster. Then, we construct a viable solution named Adversarial Domain Clustering, as shown in Fig. 2(a). This strategy groups ADs into different clusters, by ensuring that the similarity among ADs within the same cluster is maximized, while the similarity among ADs across different clusters is minimized. AD clustering avoids the redundancy and additional costs by preventing the repeated selection of similar attack methods, and it facilitates the selection of the most representative ADs in the subsequent steps.

Since the samples to be clustered here are collections of features, rather than individual data points, traditional clustering methods such as K-Means (kmeans, ) cannot be directly applied. Since spectral clustering (NgJW01, ) only requires the similarity matrix among samples, it is utilized to construct the clustering step in our AD clustering.

For the estimation of the similarity matrix $W\in R^{M\times M}$ in spectral clustering, which represents the similarities between different ADs, we propose Adversarial Domain Similarity Measurement (ADSM) based on Jensen-Shannon divergence (JSD) (ErvenH14, ), which quantifies the similarity between two probability distributions. To compute the similarities, we transform each $\mathbb{H}^{i}$ in $\mathcal{H}$ to $\overline{\mathbb{H}^{i}}$ by converting $\mathbb{H}^{i}$ into probabilities and performing normalizations. Since a smaller value of JSD between two ADs implies a smaller discrepancy in their probability distributions, $\text{ADSM}(\mathbb{H}^{i},\mathbb{H}^{j})$ can be computed via

By letting the element $W_{i,j}$ at the $i$-th row and $j$-th column refer to the similarity between $\mathbb{H}^{i}$ and $\mathbb{H}^{j}$, $W_{i,j}$ can be calculated by

Since the spectral clustering cannot automatically determine the optimal number of clusters, the Calinski-Harabasz score (CH score) (mann2023proposed, ), which requires no knowledge of the cluster shape, is utilized to evaluate the clustering performance and estimate the optimal number of clusters. Note that it measures both the within-cluster and between-cluster distances, thereby offering a more comprehensive view of the clustering performance. CH score is calculated by

where $K$ and $N$ is the number of clusters and data respectively, $BC_{K}$ denotes between-cluster covariance matrix, $WC_{K}$ denotes within-cluster covariance matrix, and $Tr(\cdot)$ denotes the trace of the matrix.

Higher value of $\text{CH}(K)$ indicates better clustering. We posit that the inherent structure of the entire feature space composed of different ADs is highly complex. Given that the CH score often awards the highest evaluation when cluster numbers $K=2$, we choose to commence our consideration from the scenario where $K=3$ in this paper. With the help of the CH score, our AD clustering can automatically group the ADs into optimal number of clusters.

After similar ADs are clustered, then the selection step can be performed. To form the most effective Principal Adversarial Domains (PADs), it is vital to select appropriate ADs from different clusters. Thus, we propose the Coverage of Entire Feature Space metric (CEFS) to guide the PADs selection process.

CEFS is a ratio-based metric which contains two aspects, Intra-Domain Dispersion (IDD) and Discrepancy between Adversarial Domains (DAD). IDD represents the dispersion among features within each AD, where a higher value indicates a larger coverage of the feature space. For any AD, $\mathbb{H}^{i}=\{{h_{1}^{i}},{h_{2}^{i}},\ldots,{h_{v}^{i}}\}\in R^{v\times d}$, where $v$ and $d$ denote the number and dimension of features in $\mathbb{H}^{i}$, respectively, IDD can be computed by

DAD represents the discrepancies between the two selected ADs, this discrepancy can be quantified using a distance metric $Dist(\cdot,\cdot)$, such as Kullback-Leibler divergence (kl-divergence, ) or Maximum Mean Discrepancy (MMD) (mmd, ). A lower DAD value indicates a greater similarity between the two selected ADs. DAD can be calculated as,

Then, CEFS can be obtained via

where $K$ and $M$ is the number of ADs in PADs and the number of ADs in the AD set $\mathcal{H}$ respectively, and $\parallel$ denotes a concatenation operation.

CEFS is a ratio-based metric to quantify the coverage of selected ADs within the entire feature space (EFS). In Eq. (8), the numerator represents Intra-Domain Dispersion (IDD), indicates feature dispersion within each AD. The denominator measures the discrepancy between the selected ADs and EFS. As CEFS increases, the numerator grows, indicating a larger feature space for each AD, and the denominator decreases, suggesting a greater similarity between the selected ADs and the EFS. Consequently, the selected ADs have a larger coverage of the EFS, increasing the likelihood of capturing unseen ADs. We utilize CEFS to select PADs, which can give a larger coverage of the feature space with the same number of ADs. PADs actually enhance the probability of capturing the location of unseen ADs, thereby improving the generalization performance.

The process of Principal Adversarial Domains Identification (PADI) consists of Adversarial Domain Acquisition (AD Acquisition), Adversarial Domain Clustering (AD Clustering) and Principal Adversarial Domains Selection (PADs Selection). The training process of Principal Adversarial Domains Identification is described in Algorithm 1.

For the original dataset $\mathbb{D}$, we divide it into two non-overlapping datasets $\mathbb{D}_{acq}$ and $\mathbb{D}_{clu}$, which are used for AD Acquisition and AD Clustering, respectively. The adversarial examples sets for AD Acquisition are denoted as $\mathcal{D}_{acq}$. $\mathcal{D}_{acq}=\{\mathbb{D}_{acq}^{m}\}_{m=1}^{M},\mathbb{D}_{acq}^{m}=\{(x_{i}^{m},y_{i}^{m})\}_{i=1}^{N_{m}}$, where $M$ is the number of adversarial attacks, $\mathbb{D}_{acq}^{m}$ is the adversarial examples set generated by the $m$-th adversarial attack, and $N_{m}$ is the cardinality of $\mathbb{D}_{acq}^{m}$.

Likewise, The adversarial examples sets for AD Clustering are denoted as $\mathcal{D}_{clu}$. $\mathcal{D}_{clu}=\{\mathbb{D}_{clu}^{q}\}_{q=1}^{M}$, $\mathbb{D}_{clu}^{q}=\{(x_{i}^{q},y_{i}^{q})\}_{i=1}^{N_{q}}$, where $M$ is the number of adversarial attacks, $\mathbb{D}_{clu}^{q}$ is the adversarial examples set generated by the $q$-th adversarial attack, and $N_{q}$ is the cardinality of $\mathbb{D}_{clu}^{q}$. The rationale behind this strategy is to prevent the model after contrastive learning from overfitting to the data on AD acquisition, which leads to subpar performance in AD Clustering and PAD Confirming.

To transfer the learned knowledge from PADs to the target domain, i.e., the adversarial examples generated from unseen methods, we propose Principal Adversarial Domain Adaptation (PADA) to detect adversarial examples, as depicted in Fig. 2(b).

Ideally, the inputs of PADA comprise source data and unseen target data. The source data, denoted as, $Src=\{Src_{i}\}_{i=1}^{K}$, consists of an equal number of benign examples and adversarial examples, where the adversarial examples contain $K$ types of adversarial examples determined by PADs. Since the unseen target data is unavailable, we can only use the training data as a proxy. The proxy data, denoted as $PD$, also contains an equal number of benign examples and adversarial examples, drawn from the training benign set $\mathbb{D}$ and the training adversarial set $\mathcal{D}$, respectively. $\mathcal{D}$ contains $M$ types of adversarial examples. During the PADI stage, we select the most representative ADs, i.e., $K$ types of ADs from these $M$ types to form the PADs. Consequently, employing $\mathcal{D}$ as a proxy for unseen target data serves two key purposes. Firstly, it prevents overlap between the source data used for training and the unseen target data used for testing. Secondly, the PADA process compels the transfer of specific knowledge from PADs to the more extensive set $\mathcal{D}$. This transfer aims to boost the generalization capabilities of networks of PADA, with the goal of enhancing their performance when testing the unseen target data.

PADA consists of three sequential components, feature extraction, feature alignment and classification. The framework of PADA is compatible with various widely used Multi-source Unsupervised Domain Adaptation (MUDA) methods (moment-mda, ; DARN, ; mdmn, ; aaai-mda, ). The experimental results indicate that our PADA possesses excellent generalization capabilities based on various existing MUDA methods. Due to the simplicity and effectiveness of MFSAN (aaai-mda, ), along with its superior detection performance compared to other MUDA methods, we select MFSAN as the basic MUDA method for our PADA.

In the feature extraction component, unfortunately, existing MUDA methods including MFSAN, only extract spatial features. (GeirhosRMBWB19, ; WangWHX20, ; FanLCZG21, ) indicate that the high-frequency component of an image plays a crucial role in the prediction of deep neural network. Adversarial perturbations are more likely to be concealed in the high-frequency information of images. To capture more comprehensive features of adversarial examples, we propose an adversarial feature enhancement (AFE) module as the feature extraction component. AFE contains both the spatial feature extraction $\mathcal{S}$ and frequency feature extraction $\mathcal{F}$ branches. For frequency feature extraction, we design perturbations extraction filters (PEF), which is a plug-and-play operation based on Spatial Rich Model (SRM) (SRM, ) to capture subtle perturbation signals hidden in the adversarial examples.

SRM typically uses 30 basic kernels to capture textures and discontinuities of images, and has been employed in image forensics to detect subtle and irregular manipulation or hidden information. Subsequent research (SRM_detection, ) indicates that in image manipulation detection, employing only three kernels can achieve considerable detection performance, and more many basic kernels does not further enhance performance. Essentially, these kernels are high-pass filters, which enhance the high-frequency signals and remove the low-frequency components of the inputs. Adversarial perturbations are typically hidden within the high-frequency information of an image. Therefore, our PEF uses the same three kernels to extract subtle perturbation signals. As shown in Fig. 3, PEF consists of three filters which are implemented by convolution kernels with fixed parameters. We set the kernel size of PEF to be $5\times 5\times 3$, and the output channel size of PEF is 3. Both $\mathcal{S}$ and $\mathcal{F}$ employ $Enc$ from Sec. 3.2, aligned with the threat models, specifically ResNet-18 or VGG-16. Then, the enhanced adversarial features, denoted as $r(x)=[\mathcal{S}(x),\mathcal{F}(x)]$, are fed into the next module.

In the alignment component, we assign the specific network $Q_{i}$ to map each source domain $Src_{i}$ and proxy domain $PD$ to the different feature space, and utilizes MMD as the distance metric to align them. $L_{d}$ is used to align the features between source domain and proxy domain,

where $r$ is the enhanced adversarial features after AFE, $K$ is the number of source domains. each source domain is associated with the corresponding network $Q_{i}$.

In the classification component, we utilize the cross-entropy loss $L_{cls}$ to ensure the correct classification. Given that different domain-specific classifiers $C_{i}$ are trained on their respective source domains, resulting in significant discrepancies among their predictions for the same proxy domain. To address this, $L_{disc}$ is used to minimize the differences among the predictions of various classifiers.

Overall, the total loss is formulated as follow, $\lambda$ and $\gamma$ are hyperparameters used to adjust the weights of $L_{d}$ and $L_{disc}$, respectively.

Here, we compare our method with 5 SOTA detection methods, including LID (lid, ), MD (md, ), Steg (steg, ), SID (SID, ) and SA (txt_advdetection, ).

Selecting multiple adversarial attacks from the same cluster leads to redundancy, as these candidate attacks are quite similar. The combination of them covers a small feature space, causing poor generalization. On the other hand, choosing from different clusters effectively avoids this issue. Consequently, as shown in Table 9 and Table 10, we set up two groups of experiments, i.e., selecting ADs from Same Cluster and Cross Cluster, to verify the effectiveness of the AD Clustering and PADs Selection of AED-PADA, against the 7 unseen attacks. ‘Same Cluster’ and ‘Cross Cluster’ respectively represent that the ADs employed as the sources domains are selected from the same AD cluster and different AD clusters.

Table 9 presents the generalization performances on CIFAR-10 and ResNet-18. The result of AD clustering is {FGSM, PGD, DIM, MI-FGSM, SI-NI-FGSM}-{BIM, ILA, YA-ILA}-{C&W, DeepFool}. For ‘Same Cluster’, the best, worst and mean values of averaged results are 90.444%, 93.494%, and 92.150%, respectively. For ‘Cross Cluster’, the best, worst, and mean values are 94.694%, 92.429%, and 93.892%, respectively. Similarly, Table 10 shows the results on CIFAR-10 and VGG-16. The result of AD clustering is {BIM, ILA, YA-ILA, PGD}-{DIM, MI-FGSM, FGSM}-{CW, DeepFool, SI-NI-FGSM}. For ‘Same Cluster’, the best, worst and mean values of the averaged results are 87.132%, 88.019%, and 87.461%, respectively. For ‘Cross Cluster’, the best, worst, and mean values of the averaged values are 88.264%, 87.406%, and 87.818%, respectively.

Based on the results, we can obtain three observations. Firstly, the mean results of ‘Cross Cluster’ selection is higher than of ‘Same Cluster’ selection, and the best result of ‘Cross Cluster’ selection is also superior. Specially, On the setting of CIFAR-10 and ResNet-18, the mean results of ‘Cross Cluster’ selection is even higher than of the best results of ‘Same Cluster’ selection. This verifies the effectiveness of our AD Clustering. Apparently, source domains from ‘Cross Cluster’ can certainly enhance the generalization ability of the detection methods.

Secondly, although ‘Cross Cluster’ selection in general achieves better results, it cannot guarantee that the randomly selected ADs (from ‘Cross Cluster’s) always give better performance than the results of ‘Same Cluster’ selected ADs. When the PADs with a very low CEFS score are employed as the source domains for detection, the generalization performance may be worse than that of ‘Same Cluster’ selection. This observation further verifies the effectiveness of our PADs Selection.

Thirdly, as shown in the ‘Cross Cluster’ part of table 9 and table 10, for the majority of results, a higher CEFS value of PADs induces a higher averaged accuracy of the proposed detection. This observation suggests that the proposed CEFS is a proper guide for selecting PADs, i.e., a higher CEFS score indicates that the corresponding PADs can cover a larger proportion of the entire feature space, and the PADA stage, which uses the PADs as source domains, gives a better generalization performance.

Here, we apply AD Clustering to 10 adversarial attack methods in the training set and present the impact of different cluster numbers $K$ (the number of adversarial attacks in PADs). As depicted in Table 11, the detection performance increase when $K$ increases, until a certain value of $K$ is achieved. This trend is attributed to the utilization of an increased number of ADs as the source domains, which undeniably provides larger coverage of the entire feature space. Note that the values with ${\dagger}$ represent the generalization performance of our AED-PADA, in which the number of clusters is automatically determined based on the CH score, and the bolded values represent the best generalization performance.

As can be observed, our automatic CH score based method can yield superior performance on SVHN with VGG-16 being the backbone, and give comparable performance to the best result on other settings. Although the best result with manually selecting $K$ exceeds our automatic method for 0.2%-0.3% in terms of the averaged accuracy, it requires $2.3\times$ more parameters and gives a $3\times$ slower speed. Moreover, in real-world scenarios, the adversarial attacks in the training set may far exceed 10 types, and it is clearly unwise to test the detection performance of each clustering result individually. Consequently, this suggests that our method actually achieves a better balance between the training costs and generalization performances.

In this experiment, we utilize three distinct feature extractions, i.e., spatial feature extraction, frequency feature extraction, and the adversarial feature enhancement (spatial + freq) in our framework. Still 7 test unseen attacks are employed and the averaged results are reported in Table 12. As can be observed, in both datasets, the average results of our adversarial feature enhancement(spatial + freq) exhibit superior performances than both the spatial feature extraction and frequency feature extraction. This indicates that using adversarial feature enhancement as the feature extraction method for PADA is effective. Furthermore, whether it is spatial feature extraction or frequency feature extraction, the performance of single domain feature extraction across different backbones is inconsistent, as evidenced by the fluctuated averaged detection performance across different backbones on SVHN. Our adversarial feature enhancement, which combines both spatial and frequency aspects, can more comprehensively capture adversarial perturbation signals, yielding superior adversarial detection performance.

To demonstrate the compatibility of our framework with the existing Multi-source Unsupervised Domain Adaptation (MUDA) methods, we employ four widely used Multi-source Unsupervised Domain Adaptation (MUDA) methods, M³DA (moment-mda, ), DARN (DARN, ), MDMN (mdmn, ) and MFSAN (aaai-mda, ). All four MUDA methods have utilized the adversarial feature enhancement as the feature extraction component. Table 13 presents that the performances of employing all four MUDA methods can surpass the existing SOTA adversarial detection methods. This verifies that our framework possesses excellent compatibility with existing MUDA methods. In other words, The first exploration of MUDA methods in adversarial example detection has proven to be successful, and Principal Adversarial Domain Adaptation can effectively transfer the knowledge from PADs to the unseen target domain. Besides, since the average result of MFSAN outperforms other MUDA methods, we select MFSAN as the basic MUDA component in our PADA.

We utilize MFSAN as the basic MUDA method in the PADA stage of our framework, and $\lambda=\gamma=1.0$ control the importance of $L_{d}$ and $L_{disc}$, respectively. To study the parameters sensitivity, we sample the values of $\lambda$ and $\gamma$ from {0.5, 1.0, 2.0}, and perform the experiments under the settings of CIFAR-10 and ResNet-18.

Table 14 indicates that our proposed method maintains high performance consistency under various parameter settings when employing MFSAN as the basic MUDA method. The best averaged accuracy is 94.694% when $\lambda=\gamma=1.0$. Variations of the parameters typically do not induce the fluctuations in the detection performance. The mean value and the standard deviation of all the averaged accuracies are 94.538% and 0.154%, respectively. This indicates that our PADA framework is effective and robust, since it shows insensitivity to different parameters and consistently offers high detection accuracy.

Table 15 presents the time and hardware costs when deploying the state-of-the-art adversarial example detection methods and our AED-PADA. The results indicate that our method has the minimal time expenses and moderate hardware (GPU memory) expenses under the same settings. All experiments are conducted on an NVIDIA GeForce RTX 3080Ti GPU under CIFAR-10 and ResNet-18 settings.

Furthermore, our AED-PADA is capable of deployment in real-world scenarios. Real-world scenarios demand the adversarial example detection methods not only possess the capability for real-time detection but also maintain robust detection performance in the environments where the adversarial attacks, datasets, and backbones during testing are entirely unseen. Firstly, we only train once, ready for real-world deployment without retraining for new unseen attacks. We have the shortest inference time, which is the best real-time detection performance. Secondly, we train from earlier attacks and test on more advanced attacks. Table 3 demonstrates that under this real-world-aligned setting, our AED-PADA exhibits superior generalization performance, and would maintain considerable detection capabilities against future unseen attacks. Lastly, with its strong performance across various backbones and datasets depicted in the Table 6, our proposed method performs better in the environments with unseen datasets and backbones. Consequently, our AED-PADA is well-suited for practical applications in the complex real-world environments.