An Adversarial sample defense method based on multi-scale GAN

  • Original Article
  • International Journal of Machine Learning and Cybernetics

Abstract

In recent years, deep neural networks have developed rapidly in computer vision, natural language processing, and other fields. However, adversarial examples put these tasks at risk and are a major obstacle to deploying deep learning applications in the real world. To address this problem and improve the robustness of neural networks, a novel defense network based on generative adversarial networks (GANs) is proposed. First, we use generators to eliminate the perturbations in adversarial samples and use multi-scale discriminators to classify images at different scales, which helps the generator produce high-quality images. Then, we use a salient feature extraction model to extract saliency maps of both clean examples and adversarial samples, improving the denoising effect of the generator by reducing the difference between the saliency maps. The proposed method guides the generation networks to accurately remove the invisible perturbation and restore adversarial samples to clean samples, which not only improves the classification success rate but also achieves a satisfactory defense effect. Extensive experiments compare the defense effect of the proposed method with other defense methods against various attacks. Results show that our method has strong defensive capabilities against the tested attack methods.

Acknowledgements

This work was supported by grants from the National Natural Science Foundation of China (Nos. 61673396, 61976245, 61772344, 62176160).

Author information

Corresponding author

Correspondence to Shuqi Liu.

About this article

Cite this article

Shao, M., Liu, S., Wang, R. et al. An Adversarial sample defense method based on multi-scale GAN. Int. J. Mach. Learn. & Cyber. 12, 3437–3447 (2021). https://doi.org/10.1007/s13042-021-01374-w

  • DOI: https://doi.org/10.1007/s13042-021-01374-w
