Top

Soft Computing

Published in:

17-03-2023 | Data analytics and machine learning

Detecting adversarial examples using image reconstruction differences

Authors: Jiaze Sun, Meng Yi

Published in: Soft Computing | Issue 12/2023

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

The adversarial examples (AEs) cause misjudgments and damage the robustness of the DNNs systems. Previous studies have defended against AEs by detecting, but it is challenging to ensure a stable and high performance of detecting AEs, while with a poor false detection. To this end, an AEs detection method named image reconstruction differences (IRD) is proposed to enhance the robustness of DNNs. Firstly, we use an end-to-end Com-Rec network to reconstruct examples with feature compression to expand the distinguishing features. Secondly, propose an image reconstruction differences based on information-theoretic VIF, structural information UQI and spectral information RASE composition to discriminate AEs. Moreover, we introduce the idea of integrated learning to form a strong random forest binary classifier to enhance the performance of detecting AEs. We further validate it through extensive experiments on the MNIST and CIFAR-10 datasets. These experiments demonstrated that the IRD effectively detected AEs and achieved a high average accuracy of 98.33%. Specifically it also performs favorably against the following methods based on Feature Squeezing, Local Intrinsic Dimensionality, Kernel Density and Network Invariance Checking with an average detection rate of 99.54% and a 1.44% average false positive rate.

previous article Intelligent multi-level analytics of soft computing approach to predict water quality index (IM12CP-WQI)

next article Target recognition with fusion of visible and infrared images based on mutual learning

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Aldahdooh A, Hamidouche W, Fezza SA et al (2022) Adversarial example detection for DNN models: a review and experimental comparison. Artif Intell Rev. https://doi.org/10.1007/s10462-021-10125-wCrossRef

Breiman L (2001) Random forests. Mach Learn 45(1):5–32. https://doi.org/10.1023/A:1010933404324CrossRefMATH

Chandra MA, Bedi SS (2021) Survey on SVM and their application in image classification. Int J Inf Technol 13(5):1–11. https://doi.org/10.1007/s41870-017-0080-1CrossRef

Dziugaite GK, Ghahramani Z, Roy DM (2016a) A study of the effect of jpg compression on adversarial images. arXiv preprint arXiv:1608.00853. https://doi.org/10.48550/arXiv.1608.00853

Feinman R, Curtin RR, Shintre S et al (2017a) Detecting adversarial samples from artifacts. arXiv preprint arXiv:1703.00410. https://doi.org/10.48550/arXiv.1703.00410

Gong Z, Wang W, Ku WS (2017) Adversarial and clean data are not twins. arXiv preprint arXiv:1704.04960. https://doi.org/10.48550/arXiv.1704.04960

González-Audícana M, Saleta JL, Catalán RG et al (2014) Fusion of multispectral and panchromatic images using improved IHS and PCA mergers based on wavelet decomposition. IEEE Trans Geosci Remote Sens 42(6):1291–1299. https://doi.org/10.1109/TGRS.2004.825593CrossRef

Goodfellow IJ, Shlens J, Szegedy C (2014) Explaining and harnessing adversarial examples. Computer Science. arXiv preprint arXiv:1412.6572. https://doi.org/10.48550/arXiv.1412.6572

Metzen JH, Genewein T, Fischer V et al (2017b) On detecting adversarial perturbations. In: international conference on learning representations (ICLR), pp 24–26. https://doi.org/10.48550/arXiv.1702.04267

Jia X, Wei X, Cao X et al (2019) Comdefend: an efficient image compression model to defend adversarial examples. In: IEEE/CVF conference on computer vision and pattern recognition, pp 6084–6092. https://doi.org/10.48550/arXiv.1811.12673

Jin G, Shen S, Zhang D et al (2019a) Ape-gan: adversarial perturbation elimination with gan. In: IEEE international conference on acoustics, speech and signal processing (ICASSP). IEEE, pp 3842–3846. https://doi.org/10.1109/ICASSP.2019.8683044

Krizhevsky A and Hinton G (2009) Learning multiple layers of features from tiny images. Handb Syst Autoimmune Dis, doi: 10.1.1.222.9220

Kurakin A, Goodfellow IJ, Bengio S (2018) Adversarial examples in the physical world. arXiv preprint arXiv:1607.02533. https://doi.org/10.48550/arXiv.1607.0253

LeCun Y, Bottou L, Bengio Y et al (1998) Gradient-based learning applied to document recognition. Proc IEEE 86(11):2278–2324. https://doi.org/10.1109/5.726791CrossRef

Lin G, Lin A, Gu D (2022) Using support vector regression and K-nearest neighbors for short-term traffic flow prediction based on maximal information coefficient. Inf Sci 608:517–531. https://doi.org/10.1016/j.ins.2022.06.090CrossRef

Liu Q, Yuan D, Fan N et al (2022) Learning dual-level deep representation for thermal infrared tracking. IEEE Trans Multimedia. https://doi.org/10.1109/TMM.2022.3140929CrossRef

Lu J, Issaranon T, and Forsyth D (2017) Safetynet: detecting and rejecting adversarial examples robustly. In: IEEE international conference on computer vision, pp 446–454. https://doi.org/10.1109/ICCV.2017.56

Ma X, et al (2018a) Characterizing adversarial subspaces using local intrinsic dimensionality. In: 6th international conference on learning representations. ICLR, pp 1–15. https://doi.org/10.48550/arXiv.1801.02613

Ma S and Liu Y (2019c) Nic: detecting adversarial samples with neural network invariant checking. In: the 26th network and distributed system security symposium, pp 2–25. https://doi.org/10.14722/ndss.2019.23415

Mądry A, Makelov A, Schmidt L et al (2017) Towards deep learning models resistant to adversarial attacks. stat 1050, 9. https://doi.org/10.48550/arXiv.1706.06083

Moosavi-Dezfooli SM et al (2016) DeepFool: a simple and accurate method to fool deep neural networks. In: IEEE conference on computer vision and pattern recognition, pp 2574–2582. https://doi.org/10.1109/CVPR.2016.282

Noble WS (2006) What is a support vector machine? Nat Biotechnol 4(12):1565–1567. https://doi.org/10.1038/nbt1206-1565CrossRef

Pandey B, Pandey DK, Mishra BP et al (2021) A comprehensive survey of deep learning in the field of medical imaging and medical natural language processing: challenges and research directions. J King Saud Univ-Comput Inf Sci. https://doi.org/10.1016/j.jksuci.2021.01.007CrossRef

Papernot N, McDaniel P, Wu X et al (2016b) Distillation as a defense to adversarial perturbations against deep neural networks. In: IEEE symposium on security and privacy, pp 582–597. https://doi.org/10.1109/SP.2016.41

Pintor M, Roli F, Brendel W et al (2021) Fast minimum-norm adversarial attacks through adaptive norm constraints. Adv Neural Inf Process Syst. https://doi.org/10.48550/arXiv.2102.12827CrossRef

Rauber J, Brendel W, Bethge M (2017d) Foolbox: a python toolbox to benchmark the robustness of machine learning models. arXiv preprint arXiv:1707.04131. https://doi.org/10.48550/arXiv.1707.04131

Ren H, Huang T, Yan H (2021) Adversarial examples: attacks and defenses in the physical world. Int J Mach Learn Cybern 12:3325–3336. https://doi.org/10.1007/s13042-020-01242-zCrossRef

Rony J, Hafemann LG, Oliveira LS et al (2019b) Decoupling direction and norm for efficient gradient-based l2 adversarial attacks and defenses. In: IEEE/CVF conference on computer vision and pattern recognition, pp 4322–4330. https://doi.org/10.1109/CVPR.2019.00445

Ross A, and DoshiVelez F (2018b) Improving the adversarial robustness and interpretability of deep neural networks by regularizing their input gradients. In: AAAI conference on artificial intelligence, pp 1660–1669. https://ojs.aaai.org/index.php/AA AI/article/view/11504

Samangouei P, Kabkab M, Chellappa R (2018) Defense-gan: protecting classifiers against adversarial attacks using generative models. arXiv preprint arXiv:1805.06605. https://doi.org/10.48550/arXiv.1805.06605

Schlett T, Rathgeb C, Henniger O et al (2022) Face image quality assessment: a literature survey. ACM Comput Surv (CSUR) 54(10s):1–49. https://doi.org/10.1145/3507901CrossRef

Shao M, Liu S, Wang R et al (2021) An Adversarial sample defense method based on multiscale GAN. Int J Mach Learn Cybern 6433:1–11. https://doi.org/10.1007/s13042-021-01374-wCrossRef

Sheikh HR, Bovik AC (2006) Image information and visual quality. IEEE Trans Image Process 15(2):430–444. https://doi.org/10.1109/TIP.2005.859378CrossRef

Song YY, Ying LU (2015) Decision tree methods: applications for classification and prediction. Shanghai Arch Psychiatry 27(2):130. https://doi.org/10.11919/j.issn.1002-0829.215044CrossRef

Sun J, Li J, Wen S (2022a) DeepMC: DNN test sample optimization method jointly guided by misclassification and coverage. Appl Intell. https://doi.org/10.1007/s10489-022-04323-4CrossRef

Sun J, Deng J, Li Y et al (2022b) A BCS-GDE multi-objective optimization algorithm for combined cooling, heating and power model with decision strategies. Appl Therm Eng 213:118685. https://doi.org/10.1016/j.applthermaleng.2022.118685CrossRef

Szegedy C, Zaremba W, Sutskever I et al (2014) Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199. https://doi.org/10.48550/arXiv.1312.6199

Tramèr F, Kurakin A, Papernot N et al (2018) Ensemble adversarial training: attacks and defenses. In: 6th international conference on learning representations, pp 2–7. https://doi.org/10.48550/arXiv.1705.07204

Wang Z, Bovik AC (2002) A universal image quality index. IEEE Signal Process Lett 9(3):81–84. https://doi.org/10.1109/97.995823CrossRef

Wang X, Zhao Y, Pourpanah F (2020) Recent advances in deep learning. Int J Mach Learn Cybern 11:747–750. https://doi.org/10.1007/s13042-020-01096-5CrossRef

Wang C, Wang X, Zhang J et al (2022a) Uncertainty estimation for stereo matching based on evidential deep learning. Pattern Recognit 124:108498. https://doi.org/10.1016/j.patcog.2021.108498CrossRef

Wang C, Ning X, Sun L et al (2022b) Learning discriminative features by covering local geometric space for point cloud analysis. IEEE Trans Geosci Remote Sens 60:1–15. https://doi.org/10.1109/TGRS.2022.3170493CrossRef

Xu W, Evans D, and Qi Y (2018c) Feature squeezing: detecting adversarial examples in deep neural networks. In: 2018c network and distributed system security symposium, pp 2–25. https://doi.org/10.14722/ndss.2018.23210

Xie C, Wang J, Zhang Z, et al (2017e) Adversarial examples for semantic segmentation and object detection. In: IEEE international conference on computer vision, pp 1369–1378. https://doi.org/10.1109/iccv.2017.153

Xu H, Ma Y, Liu HC et al (2020) Adversarial attacks and defenses in images, graphs and text: a review. Int J Autom Comput 17(2):151–178. https://doi.org/10.1007/s11633-019-1211-xCrossRef

Xu L, Xie J, Cai F, Wu J et al (2021) Spectral classification based on deep learning algorithms. Electronics 10(16):1892. https://doi.org/10.3390/electronics10161892CrossRef

Yang K, He Z, Pei W et al (2021) Siamese corner networks for visual tracking. IEEE Trans Multimedia 24:1956–1967. https://doi.org/10.1109/TMM.2021.3074239CrossRef

Yuan D, Chang X, Huang PY et al (2020) Self-supervised deep correlation tracking. IEEE Trans Image Process 30:976–985. https://doi.org/10.1109/TIP.2020.3037518CrossRef

Yuan D, Chang X, Li Z et al (2022) Learning adaptive spatial-temporal context-aware correlation filters for UAV tracking. ACM Trans Multimedia Comput, Commun, Appl (TOMM) 18(3):1–18. https://doi.org/10.1145/3486678CrossRef

Zhang Y, Park DS, Han W et al (2022) Bigssl: exploring the frontier of large-scale semi-supervised learning for automatic speech recognition. IEEE J Sel Top Signal Process 16(6):1519–1532. https://doi.org/10.1109/JSTSP.2022.3182537CrossRef

Zhao H, Sun X, Dong J et al (2022) Dual discriminator adversarial distillation for data-free model compression. Int J Mach Learn Cybern 13:1213–1230. https://doi.org/10.1007/s13042-021-01443-0CrossRef

Zhao Y, Shi Y, Wang Z (2022) The improved YOLOV5 algorithm and its application in small target detection. In: international conference on intelligent robotics and applications, pp 679–688. https://doi.org/10.1007/978-3-031-13841-6_61

Title: Detecting adversarial examples using image reconstruction differences
Authors: Jiaze Sun
Meng Yi
Publication date: 17-03-2023
Publisher: Springer Berlin Heidelberg
Published in: Soft Computing / Issue 12/2023
Print ISSN: 1432-7643
Electronic ISSN: 1433-7479
DOI: https://doi.org/10.1007/s00500-023-07961-z

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Wirtschaft"

Springer Professional "Technik"

Other articles of this Issue 12/2023

Target recognition with fusion of visible and infrared images based on mutual learning

Design and development of big data-based model for detecting fraud in healthcare insurance industry

Local fuzzy rough set model over two universes and its reduction

Development of English translation online teaching system and service function improvement based on image segmentation algorithm

Uncertainty estimation-based adversarial attacks: a viable approach for graph neural networks

Deep learning techniques for prediction of pneumonia from lung CT images

Premium Partner