ABSTRACT
Deep Neural Network (DNN) inferences have been proven highly susceptible to carefully engineered adversarial perturbations, which presents a pivotal hindrance to real-world Computer Vision tasks. Most existing defenses generalize poorly because they depend on a relatively limited set of Adversarial Examples (AE). Furthermore, existing adversarial training requires continually retraining a target network with the specific kind of attack that is to be repelled. Defense strategies that rely primarily on processing the perturbed image eventually fall short when pitted against constantly evolving threats. Protecting DNNs against adversarial attacks remains difficult on datasets such as Fashion MNIST and CIFAR10. This paper proposes a GAN-based two-stage adversarial training model named Globally Connected and Trainable Hierarchical Fine Attention (GCTHFA). The first stage of the proposed GCTHFA GAN produces a reconstructed image that is a purified version of an adversarial example. The proposed approach uses a trainable and globally linked attention map to teach the Generator about the different representations an image may have in convolutional layers located at different levels of a network. The discriminator relies on feature vectors produced by transfer learning, which removes the traditional dependency on raw image pixels. The second stage adversarially trains a target classifier to make it resistant to such attacks. Extensive testing on the MNIST, Fashion MNIST, and CIFAR10 datasets with different classifiers and attacks shows that the proposed model can handle adversarial attack settings for various target models. The proposed model uses only one type of adversarial training, with no requirement for retraining based on the type of attack.
A Globally-Connected and Trainable Hierarchical Fine-Attention Generative Adversarial Network based Adversarial Defense