Yu Yongyi,Chang Meng,Feng Huajun,Xu Zhihai,Li Qi,Chen Yueting

DOI: https://doi.org/10.1117/12.2507518

2018-01-01

Abstract:A generative adversarial network denoising algorithm which uses a combination of three kinds of loss functions was proposed to avoid the loss of image details in the denoising process. The mean square error loss function was used to make the denoising results similar to the original images, the perceptual loss function was used to understand the image semantic information, and the adversarial learning loss function was used to make images more realistic. The algorithm used the deep residual network, the densely connected convolutional network and a wide and shallow network as the component in the replaceable module of the network. The results show that the three networks tested can make images more detailed and have better peak signal to noise ratio while removing image noise. Among them, the wide and shallow network which uses fewer layers, larger convolution kernels and more feature maps achieves the best result.

Chang Meng,Li Qi,Feng Huajun,Xu Zhihai

DOI: https://doi.org/10.1007/978-3-030-58577-8_11

2020-01-01

Abstract:Previous works have shown that convolutional neural networks can achieve good performance in image denoising tasks. However, limited by the local rigid convolutional operation, these methods lead to oversmoothing artifacts. A deeper network structure could alleviate these problems, but at the cost of additional computational overhead. In this paper, we propose a novel spatial-adaptive denoising network (SADNet) for efficient single image blind noise removal. To adapt to changes in spatial textures and edges, we design a residual spatial-adaptive block. Deformable convolution is introduced to sample the spatially related features for weighting. An encoder-decoder structure with a context block is introduced to capture multiscale information. By conducting noise removal from coarse to fine, a high-quality noise-free image is obtained. We apply our method to both synthetic and real noisy image datasets. The experimental results demonstrate that our method outperforms the state-of-the-art denoising methods both quantitatively and visually.

Qian Zheng,Boxin Shi,Xudong Jiang,Ling-Yu Duan,Alex C. Kot

DOI: https://doi.org/10.1109/icip.2019.8803225

2019-01-01

Abstract:This paper presents a novel adversarial scheme to perform image denoising for the tasks of rain streak removal and reflection removal. Similar to several previous works, the proposed method first estimates a prior image and then uses it to guide the inference of noise-free image. The novelty of our approach is to jointly learn the gradient and noise-free image based on an adversarial scheme. More specifically, we use the gradient map as the prior image. The inferred noise-free image guided by an estimated gradient is regarded as a negative sample, while the noise-free image guided by the ground truth of a gradient is taken as a positive sample. With the anchor defined by the ground truth of noise-free image, we play a minmax game to jointly train two optimizers for the estimation of the gradient and the inference of noise-free images. We show that both prior image and noise-free image can be accurately obtained under this adversarial scheme. Our state-of-the-art performance achieved on two public benchmark datasets validate the effectiveness of our approach.

Dan Zhang,Lei Zhao,Duanqing Xu,Dongming Lu

DOI: https://doi.org/10.1109/compcomm.2017.8322862

2017-01-01

Abstract:Low-light image denoising has been a hotspot for its great importance in solving vision applications, and various solutions have been proposed. In recent years, neural network has shown great potential in single image denoising. However, lacking ground truth data, most existing neural network based methods only train on images synthesized by Gaussian noise or Poisson noise or mixed Poisson-Gaussian noise rather than realistic low-light images. In this paper, we introduce a novel convolutional neural network based model for low-light image denoising. In particular, we also present a method to collecting realistic low-light images and our neural network model is trained on the obtained dataset. Evaluating experiment results by the subjective visual observation as well as the objective quality measures shows that the proposed neural network based method is comparable to state-of-the-art.

Chai Xiuli,Wei Tongtong,Chen Zhen,He Xin,Gan Zhihua,Wu Xiangjun

DOI: https://doi.org/10.1007/s10489-022-03847-z

IF: 5.3

2022-01-01

Applied Intelligence

Abstract:Deep neural networks (DNNs) are prone to produce incorrect prediction results under the attack of adversarial samples. To cope with this problem, some defense methods are presented. However, most of them are based on adversarial training, which has great computational consumption and does not start from strengthening the architecture of the network model itself to resist the adversarial attack. Recent studies have shown that feature denoising can remove the adversarial perturbations in the adversarial samples. In this paper, we propose a lightweight denoising network with residual connection (LDN-RC), on which the internal denoising block and the intermediate denoising block are introduced for feature denoising and sample denoising, respectively; the two denoising blocks are combined in the network model, which can withstand the interference of the adversarial perturbations in the adversarial samples to a large extent and also save computational resources. In the training strategy, a two-stage denoising approach and fine-tuning are presented to train the RESNET network model on MNIST, CIFAR-10, and SVHN datasets, and the accuracy of the enhanced network model exceeds 60% on all three datasets under the $${L}_{\infty }$$ -PGD white-box attack, which demonstrate that LDN-RC can effectively improve the adversarial robustness of the network model.

Cihang Xie,Yuxin Wu,Laurens van der Maaten,Alan Yuille,Kaiming He

2019-03-26

Abstract:Adversarial attacks to image classification systems present challenges to convolutional networks and opportunities for understanding them. This study suggests that adversarial perturbations on images lead to noise in the features constructed by these networks. Motivated by this observation, we develop new network architectures that increase adversarial robustness by performing feature denoising. Specifically, our networks contain blocks that denoise the features using non-local means or other filters; the entire networks are trained end-to-end. When combined with adversarial training, our feature denoising networks substantially improve the state-of-the-art in adversarial robustness in both white-box and black-box attack settings. On ImageNet, under 10-iteration PGD white-box attacks where prior art has 27.9% accuracy, our method achieves 55.7%; even under extreme 2000-iteration PGD white-box attacks, our method secures 42.6% accuracy. Our method was ranked first in Competition on Adversarial Attacks and Defenses (CAAD) 2018 --- it achieved 50.6% classification accuracy on a secret, ImageNet-like test dataset against 48 unknown attackers, surpassing the runner-up approach by ~10%. Code is available at <a class="link-external link-https" href="https://github.com/facebookresearch/ImageNet-Adversarial-Training" rel="external noopener nofollow">this https URL</a>.

Computer Vision and Pattern Recognition

Xuehu Liu,Zhixi Feng,Yue Ma,Shuyuan Yang,Zhihao Chang,Licheng Jiao

DOI: https://doi.org/10.1109/tgrs.2024.3412790

IF: 8.2

2024-06-21

IEEE Transactions on Geoscience and Remote Sensing

Abstract:Deep learning models (algorithms) have demonstrated their superior performance in interpreting Earth science and remote sensing data. However, adversarial examples generated with perturbations imperceptible to humans could render deep learning algorithms ineffective. This significant vulnerability of deep learning models, thus, inspires the exploration of defense methods resistible to adversarial examples. Although numerous countermeasures against adversarial examples have been proposed, the design of a universally applicable defense method across multiple scenarios still remains to be explored. In this study, we propose an effective denoising diffusion-based defense restore network (D3R-Net) based on the denoising diffusion model from the perspective of adversarial restoration, which transforms the adversarial examples into clean samples. Utilizing a highly effective denoising diffusion probabilistic model (DDPM), our D3R-Net transforms input adversarial examples into a state of noise, where diverse forms of adversarial noise transition into Gaussian noise. Subsequently, it captures semantic information through a series of iterative denoising steps. The pixel distribution of adversarial examples is restored in the proposed network to match the original distribution, enabling the classifier to identify adversarial examples correctly. Furthermore, we introduce a combined filtering module to preserve the semantic information of the original image, thereby further enhancing the defensive performance. Instead of modifying the model structure or excluding suspected samples, the proposed method restores the adversarial examples, making it simple yet effective and applicable to a broader range of scenarios. Extensive experiments are conducted on four benchmark datasets, and the results demonstrate that D3R-Net has significant defense capabilities against known and unknown attacks. Our source code is available at https://github.com/SIM-xidian/D3R-Net.

imaging science & photographic technology,remote sensing,engineering, electrical & electronic,geochemistry & geophysics

Fangzhou Liao,Ming Liang,Yinpeng Dong,Tianyu Pang,Xiaolin Hu,Jun Zhu

DOI: https://doi.org/10.1109/cvpr.2018.00191

2018-01-01

Abstract:Neural networks are vulnerable to adversarial examples, which poses a threat to their application in security sensitive systems. We propose high-level representation guided denoiser (HGD) as a defense for image classification. Standard denoiser suffers from the error amplification effect, in which small residual adversarial noise is progressively amplified and leads to wrong classifications. HGD overcomes this problem by using a loss function defined as the difference between the target model's outputs activated by the clean image and denoised image. Compared with ensemble adversarial training which is the state-of-the-art defending method on large images, HGD has three advantages. First, with HGD as a defense, the target model is more robust to either white-box or black-box adversarial attacks. Second, HGD can be trained on a small subset of the images and generalizes well to other images and unseen classes. Third, HGD can be transferred to defend models other than the one guiding it. In NIPS competition on defense against adversarial attacks, our HGD solution won the first place and outperformed other models by a large margin.

Lu, Fang,Wang, Bin,Zhou, Boyang

DOI: https://doi.org/10.1007/s10489-023-05253-5

IF: 5.3

2024-01-14

Applied Intelligence

Abstract:Recent studies have shown that deep neural networks (DNNs) are vulnerable to adversarial examples (AEs). Denoising based on the input pre-processing is one of the defenses against adversarial attacks. However, it is hard to remove multiple adversarial perturbations, especially in the presence of evolving attacks. To address this challenge, we attempt to extract the commonality of adversarial perturbations. Due to the imperceptibility of adversarial perturbations in the input space, we conduct the extraction in the deep feature space where the perturbations become more apparent. Through the obtained common characteristics, we craft common adversarial examples (CAEs) to train the denoiser. Furthermore, to prevent image distortion while removing as much of the adversarial perturbation as possible, we propose a hybrid loss function that guides the training process at both the pixel level and the deep feature space. Our experiments show that our defense method can eliminate multiple adversarial perturbations, significantly enhancing adversarial robustness compared to previous state-of-the-art methods. Moreover, it can be plug-and-play for various classification models, which demonstrates the generalizability of our defense method.

computer science, artificial intelligence

Sandhya Aneja,Nagender Aneja,Pg Emeroylariffion Abas,Abdul Ghani Naim

DOI: https://doi.org/10.11591/ijai.v11.i3.pp961-968

2022-06-26

Abstract:Despite substantial advances in network architecture performance, the susceptibility of adversarial attacks makes deep learning challenging to implement in safety-critical applications. This paper proposes a data-centric approach to addressing this problem. A nonlocal denoising method with different luminance values has been used to generate adversarial examples from the Modified National Institute of Standards and Technology database (MNIST) and Canadian Institute for Advanced Research (CIFAR-10) data sets. Under perturbation, the method provided absolute accuracy improvements of up to 9.3% in the MNIST data set and 13% in the CIFAR-10 data set. Training using transformed images with higher luminance values increases the robustness of the classifier. We have shown that transfer learning is disadvantageous for adversarial machine learning. The results indicate that simple adversarial examples can improve resilience and make deep learning easier to apply in various applications.

Computer Vision and Pattern Recognition,Cryptography and Security,Machine Learning

Han Zhang,Xin Zhang,Yuan Sun,Lixia Ji

DOI: https://doi.org/10.1016/j.imavis.2024.105238

IF: 3.86

2024-08-26

Image and Vision Computing

Abstract:Deep learning models are highly vulnerable to adversarial examples, leading to significant attention on techniques for detecting them. However, current methods primarily rely on detecting image features for identifying adversarial examples, often failing to address the diverse types and intensities of such examples. We propose a novel adversarial example detection method based on perturbation estimation and denoising to overcome this limitation. We develop an autoencoder to predict the latent adversarial perturbations of samples and select appropriately sized noise based on these predictions to cover the perturbations. Subsequently, we employ a non-blind denoising autoencoder to remove noise and residual perturbations effectively. This approach allows us to eliminate adversarial perturbations while preserving the original information, thus altering the prediction results of adversarial examples without affecting predictions on benign samples. Inconsistencies in predictions before and after processing by the model identify adversarial examples. Our experiments on datasets such as MNIST, CIFAR-10, and ImageNet demonstrate that our method surpasses other advanced detection methods in accuracy.

computer science, artificial intelligence, theory & methods,engineering, electrical & electronic, software engineering,optics

Rachel Sterneck,Abhishek Moitra,Priyadarshini Panda

DOI: https://doi.org/10.1109/TCAD.2021.3091436

2021-07-04

Abstract:Neural networks have achieved remarkable performance in computer vision, however they are vulnerable to adversarial examples. Adversarial examples are inputs that have been carefully perturbed to fool classifier networks, while appearing unchanged to humans. Based on prior works on detecting adversaries, we propose a structured methodology of augmenting a deep neural network (DNN) with a detector subnetwork. We use $\textit{Adversarial Noise Sensitivity}$ (ANS), a novel metric for measuring the adversarial gradient contribution of different intermediate layers of a network. Based on the ANS value, we append a detector to the most sensitive layer. In prior works, more complex detectors were added to a DNN, increasing the inference computational cost of the model. In contrast, our structured and strategic addition of a detector to a DNN reduces the complexity of the model while making the overall network adversarially resilient. Through comprehensive white-box and black-box experiments on MNIST, CIFAR-10, and CIFAR-100, we show that our method improves state-of-the-art detector robustness against adversarial examples. Furthermore, we validate the energy efficiency of our proposed adversarial detection methodology through an extensive energy analysis on various hardware scalable CMOS accelerator platforms. We also demonstrate the effects of quantization on our detector-appended networks.

Computer Vision and Pattern Recognition

Gwonsang Ryu,Daeseon Choi

DOI: https://doi.org/10.1007/s10489-022-03991-6

IF: 5.3

2022-08-06

Applied Intelligence

Abstract:Deep neural networks (DNNs) are vulnerable to adversarial attacks that generate adversarial examples by adding small perturbations to the clean images. To combat adversarial attacks, the two main defense methods used are denoising and adversarial training. However, both methods result in the DNN having lower classification accuracy for clean images than conventionally trained DNN models. To overcome this problem, we propose a hybrid adversarial training (HAT) method that trains the denoising network and DNN model simultaneously. The proposed HAT method uses both clean images and adversarial examples denoised by the denoising network and non-denoised clean images and adversarial examples to train the DNN model. The results of experiments conducted on the MNIST, CIFAR-10, CIFAR-100, and GTSRB datasets show that the HAT method results in a higher classification accuracy than both conventional training with a denoising network and previous adversarial training methods. They also indicate that training with the HAT method results in average improvements in robustness of 0.84%, 27.33%, 28.99%, and 17.61% against adversarial attacks compared with several state-of-the-art adversarial training methods on the MNIST, CIFAR-10, CIFAR-100, and GTSRB datasets, respectively. Thus, the proposed HAT method results in improved robustness for DNNs against a wider range of adversarial attacks.

computer science, artificial intelligence

Jie Ning,Jiebao Sun,Yao Li,Zhichang Guo,Wangmeng Zuo

2023-07-07

Abstract:Deep neural networks (DNNs) have shown superior performance comparing to traditional image denoising algorithms. However, DNNs are inevitably vulnerable while facing adversarial attacks. In this paper, we propose an adversarial attack method named denoising-PGD which can successfully attack all the current deep denoising models while keep the noise distribution almost unchanged. We surprisingly find that the current mainstream non-blind denoising models (DnCNN, FFDNet, ECNDNet, BRDNet), blind denoising models (DnCNN-B, Noise2Noise, RDDCNN-B, FAN), plug-and-play (DPIR, CurvPnP) and unfolding denoising models (DeamNet) almost share the same adversarial sample set on both grayscale and color images, respectively. Shared adversarial sample set indicates that all these models are similar in term of local behaviors at the neighborhood of all the test samples. Thus, we further propose an indicator to measure the local similarity of models, called robustness similitude. Non-blind denoising models are found to have high robustness similitude across each other, while hybrid-driven models are also found to have high robustness similitude with pure data-driven non-blind denoising models. According to our robustness assessment, data-driven non-blind denoising models are the most robust. We use adversarial training to complement the vulnerability to adversarial attacks. Moreover, the model-driven image denoising BM3D shows resistance on adversarial attacks.

Computer Vision and Pattern Recognition,Machine Learning,Image and Video Processing

Chunwei Tian,Yong Xu,Zuoyong Li,Wangmeng Zuo,Lunke Fei,Hong Liu

DOI: https://doi.org/10.1016/j.neunet.2019.12.024

IF: 7.8

2020-04-01

Neural Networks

Abstract:Deep convolutional neural networks (CNNs) have attracted considerable interest in low-level computer vision. Researches are usually devoted to improving the performance via very deep CNNs. However, as the depth increases, influences of the shallow layers on deep layers are weakened. Inspired by the fact, we propose an attention-guided denoising convolutional neural network (ADNet), mainly including a sparse block (SB), a feature enhancement block (FEB), an attention block (AB) and a reconstruction block (RB) for image denoising. Specifically, the SB makes a tradeoff between performance and efficiency by using dilated and common convolutions to remove the noise. The FEB integrates global and local features information via a long path to enhance the expressive ability of the denoising model. The AB is used to finely extract the noise information hidden in the complex background, which is very effective for complex noisy images, especially real noisy images and bind denoising. Also, the FEB is integrated with the AB to improve the efficiency and reduce the complexity for training a denoising model. Finally, a RB aims to construct the clean image through the obtained noise mapping and the given noisy image. Additionally, comprehensive experiments show that the proposed ADNet performs very well in three tasks (i.e. synthetic and real noisy images, and blind denoising) in terms of both quantitative and qualitative evaluations. The code of ADNet is accessible at http://www.yongxu.org/lunwen.html.

computer science, artificial intelligence,neurosciences

Anouar Kherchouche,Sid Ahmed Fezza,Wassim Hamidouche

DOI: https://doi.org/10.1007/s00521-021-06330-x

2021-07-21

Neural Computing and Applications

Abstract:Despite the enormous performance of deep neural networks (DNNs), recent studies have shown their vulnerability to adversarial examples (AEs), i.e., carefully perturbed inputs designed to fool the targeted DNN. Currently, the literature is rich with many effective attacks to craft such AEs. Meanwhile, many defense strategies have been developed to mitigate this vulnerability. However, these latter showed their effectiveness against specific attacks and does not generalize well to different attacks. In this paper, we propose a framework for defending DNN classifier against adversarial samples. The proposed method is based on a two-stage framework involving a separate detector and a denoising block. The detector aims to detect AEs by characterizing them through the use of natural scene statistic (NSS), where we demonstrate that these statistical features are altered by the presence of adversarial perturbations. The denoiser is based on block matching 3D (BM3D) filter fed by an optimum threshold value estimated by a convolutional neural network (CNN) to project back the samples detected as AEs into their data manifold. We conducted a complete evaluation on three standard datasets, namely MNIST, CIFAR-10 and Tiny-ImageNet. The experimental results show that the proposed defense method outperforms the state-of-the-art defense techniques by improving the robustness against a set of attacks under black-box, gray-box and white-box settings. The source code is available at: https://github.com/kherchouche-anouar/2DAE.

computer science, artificial intelligence

Yupeng Cheng,Qing Guo,Felix Juefei-Xu,Shang-Wei Lin,Wei Feng,Weisi Lin,Yang Liu,Shang-wei Lin

DOI: https://doi.org/10.1109/tmm.2021.3108009

IF: 7.3

2021-01-01

IEEE Transactions on Multimedia

Abstract:Image denoising can remove natural noise that widely exists in images captured by multimedia devices due to low-quality imaging sensors, unstable image transmission processes, or low light conditions. Recent works also find that image denoising benefits the high-level vision tasks, e.g., image classification. In this work, we try to challenge this common sense and explore a totally new problem, i.e., whether the image denoising can be given the capability of fooling the state-of-the-art deep neural networks (DNNs) while enhancing the image quality. To this end, we initiate the very first attempt to study this problem from the perspective of adversarial attack and propose the adversarial denoise attack. More specifically, our main contributions are three-fold: First, we identify a new task that stealthily embeds attacks inside the image denoising module widely deployed in multimedia devices as an image post-processing operation to simultaneously enhance the visual image quality and fool DNNs. Second, we formulate this new task as a kernel prediction problem for image filtering and propose the adversarial-denoising kernel prediction that can produce adversarial-noiseless kernels for effective denoising and adversarial attacking simultaneously. Third, we implement an adaptive perceptual region localization to identify semantic-related vulnerability regions with which the attack can be more effective while not doing too much harm to the denoising. We name the proposed method as Pasadena (Perceptually Aware and Stealthy Adversarial DENoise Attack) and validate our method on the NeurIPS'17 adversarial competition dataset, CVPR2021-AIC-VI: unrestricted adversarial attacks on ImageNet, and Tiny-ImageNet-C dataset. The comprehensive evaluation and analysis demonstrate that our method not only realizes den-ising but also achieves a significantly higher success rate and transferability over state-of-the-art attacks.

computer science, information systems,telecommunications, software engineering

Seunghwan Jung,Minyoung Chung,Yeong-Gil Shin

DOI: https://doi.org/10.1007/s11042-023-14608-6

IF: 2.577

2023-02-17

Multimedia Tools and Applications

Abstract:Recent advances in deep neural network (DNN) techniques have increased the importance of security and robustness of algorithms where DNNs are applied. However, several studies have demonstrated that neural networks are vulnerable to adversarial examples, which are generated by adding crafted adversarial noises to the input images. Because the adversarial noises are typically imperceptible to the human eye, it is difficult to defend DNNs. One method of defense is the detection of adversarial examples by analyzing characteristics of input images. Recent studies have used the hidden layer outputs of the target classifier to improve the robustness but need to access the target classifier. Moreover, there is no post-processing step for the detected adversarial examples. They simply discard the detected adversarial images. To resolve this problem, we propose a novel detection-based method, which predicts the adversarial noise and detects the adversarial example based on the predicted noise without any target classification information. We first generated adversarial examples and adversarial noises, which can be obtained from the residual between the original and adversarial example images. Subsequently, we trained the proposed adversarial noise predictor to estimate the adversarial noise image and trained the adversarial detector using the input images and the predicted noises. The proposed framework has the advantage that it is agnostic to the input image modality. Moreover, the predicted noises can be used to reconstruct the detected adversarial examples as the non-adversarial images instead of discarding the detected adversarial examples. We tested our proposed method against the fast gradient sign method (FGSM), basic iterative method (BIM), projected gradient descent (PGD), Deepfool, and Carlini & Wagner adversarial attack methods on the CIFAR-10 and CIFAR-100 datasets provided by the Canadian Institute for Advanced Research (CIFAR). Our method demonstrated significant improvements in detection accuracy when compared to the state-of-the-art methods and resolved the wastage problem of the detected adversarial examples. The proposed method agnostic to the input image modality demonstrated that the noise predictor successfully captured noise in the Fourier domain and improved the performance of the detection task. Moreover, we resolved the post-processing problem of the detected adversarial examples with the reconstruction process using the predicted noise.

computer science, information systems, theory & methods,engineering, electrical & electronic, software engineering

Zongsheng Yue,Qian Zhao,Lei Zhang,Deyu Meng

DOI: https://doi.org/10.48550/arXiv.2007.05946

2020-07-12

Computer Vision and Pattern Recognition

Abstract:Real-world image noise removal is a long-standing yet very challenging task in computer vision. The success of deep neural network in denoising stimulates the research of noise generation, aiming at synthesizing more clean-noisy image pairs to facilitate the training of deep denoisers. In this work, we propose a novel unified framework to simultaneously deal with the noise removal and noise generation tasks. Instead of only inferring the posteriori distribution of the latent clean image conditioned on the observed noisy image in traditional MAP framework, our proposed method learns the joint distribution of the clean-noisy image pairs. Specifically, we approximate the joint distribution with two different factorized forms, which can be formulated as a denoiser mapping the noisy image to the clean one and a generator mapping the clean image to the noisy one. The learned joint distribution implicitly contains all the information between the noisy and clean images, avoiding the necessity of manually designing the image priors and noise assumptions as traditional. Besides, the performance of our denoiser can be further improved by augmenting the original training dataset with the learned generator. Moreover, we propose two metrics to assess the quality of the generated noisy image, for which, to the best of our knowledge, such metrics are firstly proposed along this research line. Extensive experiments have been conducted to demonstrate the superiority of our method over the state-of-the-arts both in the real noise removal and generation tasks. The training and testing code is available at https://github.com/zsyOAOA/DANet.

Wang Weidong,Li Zhi,Liu Shuaiwei,Zhang Li,Yang Jin,Wang Yi

DOI: https://doi.org/10.1016/j.imavis.2024.104931

IF: 3.86

2024-02-20

Image and Vision Computing

Abstract:Recently, it was found that deep neural networks (DNNs) are susceptible to adversarial input perturbations. Most defense strategies adopt the denoising method based on preprocessing, which mitigates the impacts of adversarial perturbations on DNNs by learning the distributions of nonadversarial datasets and projecting adversarial inputs into the learned nonadversarial manifolds. However, existing defense strategies commonly focus on reconstructing clean images while ignoring the role of adversarial perturbations, which results in the reconstructed images failing to achieve the visual quality and classification accuracy of the original clean images, and the induced adversarial robustness improvement is limited. This paper proposes a feature decoupling-interaction network (FDIN), which introduces the concepts of clean features and adversarial features to separate the two kinds of features from the input adversarial examples (AEs) in a feature decoupling-interaction manner. The clean features are used to reconstruct the input image so that it is infinitely close to the original clean image, and the adversarial features are used to reconstruct the adversarial perturbations. Adversarial perturbations are removed from the adversarial examples across multiple cross cycles to improve further the reconstructed image's visual quality and classification accuracy. The features of the original clean image are used as prior knowledge to guide the network to learn the clean features of the adversarial examples and improve the classification accuracy of the model on the clean examples. In addition, a classification loss function based on the Carlini & Wagner (CW) attack algorithm is used instead of the conventional cross-entropy loss function to improve the adversarial robustness of the FDIN. The experimental results show that the proposed method achieves better defense performance than the current state-of-the-art methods on both standard tests and various attack tests and even exceeds the test accuracy of the target classifier on the original test set.

computer science, artificial intelligence, theory & methods,engineering, electrical & electronic, software engineering,optics