DefenseFea: An Input Transformation Feature Searching Algorithm Based Latent Space for Adversarial Defense

• Autorzy: Pan Zhang , Yangjie Cao , Chenxi Zhu , Yan Zhuang , Haobo Wang , Jie Li

Identyfikatory

DOI

10.2478/fcds-2024-0002

• Języki publikacji: EN

Abstrakty

EN

Deep neural networks based image classification systems could suffer from adversarial attack algorithms, which generate input examples by adding deliberately crafted yet imperceptible noise to original input images. These crafted examples can fool systems and further threaten their security. In this paper, we propose to use latent space protect image classification. Specifically, we train a feature searching network to make up the difference between adversarial examples and clean examples with label guided loss function. We name it DefenseFea (input transformation based defense with label guided loss function), experimental result shows that DefenseFea can improve the rate of adversarial examples that achieved a success rate of about 99% on a specific set of 5000 images from ILSVRC 2012. This study plays a positive role in the further investigation of the relationship between adversarial examples and clean examples.

Słowa kluczowe

EN

adversarial attacks; adversarial defense; latent space; adversarial training

• Wydawca: Wydawnictwo Politechniki Poznańskiej
• Czasopismo: Foundations of Computing and Decision Sciences
• Rocznik: 2024
• Tom: Vol. 49, No. 1
• Strony: 21--36
• Opis fizyczny: Bibliogr. 32 poz., rys., tab.

Twórcy

autor

Pan Zhang

• School of Cyber Science and Engineering Zhengzhou University, Zhengzhou, China

autor

Yangjie Cao

• School of Cyber Science and Engineering Zhengzhou University, Zhengzhou, China

autor

Chenxi Zhu

• School of Cyber Science and Engineering Zhengzhou University, Zhengzhou, China

autor

Yan Zhuang

• School of Cyber Science and Engineering Zhengzhou University, Zhengzhou, China

autor

Haobo Wang

• School of Cyber Science and Engineering Zhengzhou University, Zhengzhou, China

autor

Jie Li

• Department of Computer Science and Engineering, Shanghai Jiaotong University, China

Bibliografia

• [1] Akhtar N., Mian A., Kardan N., et al., Advances in adversarial attacks and defenses in computer vision: A survey, IEEE Access, 9, 2021, 155161-155196.
• [2] Bai Y., Zeng Y., Jiang Y., et al., Improving adversarial robustness via channel-wise activation suppressing, arXiv preprint arXiv, 2021, 2103.08307.
• [3] Byun J., Cho S., Kwon M. J., et al., Improving the transferability of targeted adversarial examples through object-based diverse input, Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2022, 15244-15253.
• [4] Carlini N., Wagner D., Towards evaluating the robustness of neural networks, 2017 ieee symposium on security and privacy (sp), 2017, 39-57.
• [5] Chen Z., Li B., Xu J., et al., Towards practical certifiable patch defense with vision transformer, Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2022, 15148-15158.
• [6] Dai T., Feng Y., Wu D., et al., DIPDefend: Deep image prior driven defense against adversarial examples, Proceedings of the 28th ACM International Conference on Multimedia, 2020, 1404-1412.
• [7] Das N., Shanbhogue M., Chen S. T., et al., Keeping the bad guys out: Protecting and vaccinating deep learning with jpeg compression, arXiv preprint arXiv, 2017, 1705.02900.
• [8] Deng Z., Yang X., Xu S., et al., Libre: A practical bayesian approach to adversarial detection, Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2021, 972-982.
• [9] Dong J., Moosavi-Dezfooli S. M., Lai J., et al., The enemy of my enemy is my friend: Exploring inverse adversaries for improving adversarial training, arXiv preprint arXiv, 2022, 2211.00525.
• [10] Goodfellow I. J., Shlens J., Szegedy C., Explaining and harnessing adversarial examples, arXiv preprint arXiv, 2014, 1412.6572.
• [11] He K., Zhang X., Ren S., et al., Deep residual learning for image recognition, Proceedings of the IEEE conference on computer vision and pattern recognition, 2016, 770-778.
• [12] He K., Zhang X., Ren S., et al., Identity mappings in deep residual networks, European conference on computer vision, 2016, 630-645.
• [13] Hu S., Liu X., Zhang Y., et al., Protecting facial privacy: generating adversarial identity masks via style-robust makeup transfer, Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2022, 15014-15023.
• [14] Hu Z., Huang S., Zhu X., et al., Adversarial texture for fooling person detectors in the physical world, Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2022, 13307-13316.
• [15] Kurakin A., Goodfellow I., Bengio S., Adversarial machine learning at scale, arXiv preprint arXiv, 2016, 1611.01236.
• [16] Li T., Wu Y., Chen S., et al., Subspace adversarial training, Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2022, 13409-13418.
• [17] Madry A., Makelov A., Schmidt L., et al., Towards deep learning models resistant to adversarial attacks, arXiv preprint arXiv, 2017, 1706.06083.
• [18] Moosavi-Dezfooli S. M., Fawzi A., Frossard P., Deepfool: a simple and accurate method to fool deep neural networks, Proceedings of the IEEE conference on computer vision and pattern recognition, 2016, 2574-2582.
• [19] Papernot N., McDaniel P., Wu X., et al., Distillation as a defense to adversarial perturbations against deep neural networks, 2016 IEEE symposium on security and privacy (SP), 2016, 582-597.
• [20] Qin Y., Frosst N., Sabour S., et al., Detecting and diagnosing adversarial images with class-conditional capsule reconstructions, arXiv preprint arXiv, 2019, 1907.02957.
• [21] Russakovsky O., Deng J., Su H., et al., Imagenet large scale visual recognition challenge, International journal of computer vision, 115, 3, 2015, 211-252.
• [22] Sato T., Shen J., Wang N., et al., Dirty road can attack: Security of deep learning based automated lane centering under {Physical-World} attack, 30th USENIX Security Symposium (USENIX Security 21), 2021, 3309-3326.
• [23] Suryanto N., Kim Y., Kang H., et al., Dta: Physical camouflage attacks using differentiable transformation network, Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2022, 15305-15314.
• [24] Szegedy C., Vanhoucke V., Ioffe S., et al., Rethinking the inception architecture for computer vision, Proceedings of the IEEE conference on computer vision and pattern recognition, 2016, 2818-2826.
• [25] Szegedy C., Zaremba W., Sutskever I., et al., Intriguing properties of neural networks, arXiv preprint arXiv, 2013, 1312.6199.
• [26] Tramèr F., Kurakin A., Papernot N., et al., Ensemble adversarial training: Attacks and defenses, arXiv preprint arXiv, 2017, 1705.07204.
• [27] Wang J., Liu A., Yin Z., et al., Dual attention suppression attack: Generate adversarial camouflage in physical world, Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2021, 8565-8574.
• [28] Xie C., Wu Y., Maaten L., et al., Feature denoising for improving adversarial robustness, Proceedings of the IEEE/CVF conference on computer vision and pattern recognition, 2019, 501-509.
• [29] Yan H., Zhang J., Niu G., et al., CIFS: Improving adversarial robustness of cnns via channel-wise importance-based feature selection, International Conference on Machine Learning, PMLR, 2021, 11693-11703.
• [30] Yuan J., He Z., Ensemble generative cleaning with feedback loops for defending adversarial attacks, Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2020, 581-590.
• [31] Zhang T., Zhu Z., Interpreting adversarially trained convolutional neural networks, International Conference on Machine Learning, PMLR, 2019, 7502-7511.
• [32] Zhong Y., Liu X., Zhai D., et al., Shadows can be dangerous: Stealthy and effective physical-world adversarial attack by natural phenomenon, Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2022, 15345-15354.