SpaNN: Detecting Multiple Adversarial Patches on CNNs by Spanning Saliency Thresholds
Paper β’ 2506.18591 β’ Published
DEF-spann β SpaNN: Multi-Patch Spatial Neural Networks for Adversarial Patch Defense
Part of the ANIMA Perception Suite by Robot Flow Labs.
Paper
SpaNN: Detecting Multiple Adversarial Patches on CNNs (arXiv:2506.18591) SaTML 2025 gerkbyrd et al.
Architecture
SpaNN detects adversarial patch attacks by analyzing ensemble saliency-threshold attribute vectors extracted from victim model feature maps. The attack detector (AtkDetCNNRaw) is a lightweight 1D-CNN (417K params) that classifies threshold-swept clustering features as clean or adversarial.
Core Pipeline:
- Extract feature maps from victim detector (YOLO, Faster R-CNN, etc.)
- Sweep binarization thresholds Ξ² β [0, 1) β DBSCAN cluster at each threshold
- Extract 4 attributes per threshold: n_clusters, avg_intra_dist, std_intra_dist, n_important_neurons
- Stack into curve β normalize β feed into AtkDetCNNRaw
- Score β₯ 0.5 β attack detected
Results
| Metric | Paper Target | Achieved |
|---|---|---|
| Val Accuracy | 85-92% | 97.9% |
| Val Loss | β | 0.0641 |
| Best Epoch | β | 50 (early stopped at 249) |
| Parameters | β | 416,905 |
Training Data: 6,746 samples (INRIA + CIFAR + ImageNet + COCO DINOv2)
Exported Formats
| Format | File | Size | Use Case |
|---|---|---|---|
| PyTorch (.pth) | pytorch/DEF-spann_v1.pth |
5.0MB | Training, fine-tuning |
| SafeTensors | pytorch/DEF-spann_v1.safetensors |
1.7MB | Fast loading, safe |
| ONNX | onnx/DEF-spann_v1.onnx |
32KB | Cross-platform inference |
| TensorRT FP16 | β | β | Generate on target hardware |
| TensorRT FP32 | β | β | Generate on target hardware |
Usage
import torch
from def_spann.models import AtkDetCNNRaw
model = AtkDetCNNRaw(in_feats=4)
ckpt = torch.load("pytorch/DEF-spann_v1.pth", map_location="cpu")
model.load_state_dict(ckpt["model"])
model.eval()
# Input: (batch, 4_features, 20_thresholds)
x = torch.randn(1, 4, 20)
score = model(x) # β (1, 1), value in [0, 1]
is_attack = score >= 0.5
CUDA Kernels
Two compiled CUDA kernels available in shared infrastructure:
local_entropyβ Compute local entropy map for spatial anomaly detectionpatch_inpaintβ Zero-fill detected adversarial patch regions
Training
- Hardware: NVIDIA L4 (GPU 1)
- Framework: PyTorch 2.6.0, CUDA 12.8
- Optimizer: Adam, lr=0.0001
- Scheduler: Warmup + Cosine decay
- Early Stopping: patience=200
- Config: See
configs/training.toml - Training time: ~2.5 minutes (250 epochs Γ 0.6s)
Docker Serving
docker compose -f docker-compose.serve.yml --profile serve up -d
curl http://localhost:8080/health
License
Apache 2.0 β Robot Flow Labs / AIFLOW LABS LIMITED