Zhe Zhao,Guangke Chen,Jingyi Wang,Yiwei Yang,Fu Song,Jun Sun

DOI: https://doi.org/10.1145/3460319.3464822

2021-01-01

Abstract:As a new programming paradigm, deep learning has expanded its application to many real-world problems. At the same time, deep learning based software are found to be vulnerable to adversarial attacks. Though various defense mechanisms have been proposed to improve robustness of deep learning software, many of them are ineffective against adaptive attacks. In this work, we propose a novel characterization to distinguish adversarial examples from benign ones based on the observation that adversarial examples are significantly less robust than benign ones. As existing robustness measurement does not scale to large networks, we propose a novel defense framework, named attack as defense (A2D), to detect adversarial examples by effectively evaluating an example’s robustness. A2D uses the cost of attacking an input for robustness evaluation and identifies those less robust examples as adversarial since less robust examples are easier to attack. Extensive experiment results on MNIST, CIFAR10 and ImageNet show that A2D is more effective than recent promising approaches. We also evaluate our defense against potential adaptive attacks and show that A2D is effective in defending carefully designed adaptive attacks, e.g., the attack success rate drops to 0% on CIFAR10.

Guanlin Li,Guowen Xu,Han Qiu,Ruan He,Jiwei Li,Tianwei Zhang

DOI: https://doi.org/10.1007/978-3-031-19772-7_39

2022-01-01

Abstract:3D point cloud classification models based on deep neural networks were proven to be vulnerable to adversarial examples, with a quantity of novel attack techniques proposed by researchers recently. It is of paramount importance to preserve the robustness of 3D models under adversarial environments, considering their broad application in safety- and security-critical tasks. Unfortunately, existing defenses are not general enough to satisfactorily mitigate all types of attacks. In this paper, we design two innovative methodologies to improve the adversarial robustness of 3D point cloud classification models. (1) We introduce CCN, a novel point cloud architecture which can smooth and disrupt the adversarial perturbations. (2) We propose AMS, a novel data augmentation strategy to adaptively balance the model usability and robustness. Extensive evaluations indicate the integration of the two techniques provides much more robustness than existing defense solutions for 3D classification models.

Huafeng Kuang,Hong Liu,Xianming Lin,Rongrong Ji

DOI: https://doi.org/10.1109/tifs.2024.3359820

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Recent works have indicated that deep neural networks (DNNs) are vulnerable to adversarial attacks, wherein an attacker perturbs an input example with human-imperceptible noise that can easily fool the DNNs, resulting in incorrect predictions. This severely limits the application of deep learning in security-critical scenarios, such as face authentication. Adversarial training (AT) is one of the most practical approaches to strengthening the robustness of DNNs. However, existing AT-based methods treat each training sample independently, thereby ignoring the underlying topological structure in the training data. To this end, in this paper, we take full advantage of the topology information and introduce a Topology Aligning Adversarial Training (TAAT) algorithm. TAAT aims to encourage the trained model to maintain consistency in the topological structure within the feature space of both natural and adversarial examples. To ensure the stability and efficiency of topology alignment, we further introduce a novel Knowledge-Guided (KG) training scheme. This scheme explicitly aligns local logit outputs with global topological structures, leveraging a robust auxiliary model to enhance the target model’s performance. To verify the effectiveness of the proposed method, we conduct extensive experiments on popular benchmark datasets ( e.g ., CIFAR and ImageNet) and evaluate the robustness against state-of-the-art adversarial attacks ( e.g ., PGD-attack and AutoAttack). The experimental results demonstrate that the proposed method has superior robustness over the previous state-of-the-art methods. Our code and pre-trained models are available at https://github.com/SkyKuang/TAAT.

Lina Wang,Xingshu Chen,Rui Tang,Yawei Yue,Yi Zhu,Xuemei Zeng,Wei Wang

DOI: https://doi.org/10.1016/j.knosys.2021.107141

IF: 8.139

2021-01-01

Knowledge-Based Systems

Abstract:The vulnerability of deep neural networks (DNNs) to adversarial attack, which is an attack that can mislead state-of-the-art classifiers into making an incorrect classification with high confidence by deliberately perturbing the original inputs, raises concerns about the robustness of DNNs to such attacks. Adversarial training, which is the main heuristic method for improving adversarial robustness and the first line of defense against adversarial attacks, requires many sample-by-sample calculations to increase training size and is usually insufficiently strong for an entire network. This paper provides a new perspective on the issue of adversarial robustness, one that shifts the focus from the network as a whole to the critical part of the region close to the decision boundary corresponding to a given class. From this perspective, we propose a method to generate a single but image-agnostic adversarial perturbation that carries the semantic information implying the directions to the fragile parts on the decision boundary and causes inputs to be misclassified as a specified target. We call the adversarial training based on such perturbations "region adversarial training" (RAT), which resembles classical adversarial training but is distinguished in that it reinforces the semantic information missing in the relevant regions. Experimental results on the MNIST and CIFAR-10 datasets show that this approach greatly improves adversarial robustness even when a very small dataset from the training data is used; moreover, it can defend against fast gradient sign method, universal perturbation, projected gradient descent, and Carlini and Wagner adversarial attacks, which have a completely different pattern from those encountered by the model during retraining. (C) 2021 Elsevier B.V. All rights reserved.

Yuru Su,Ge Zhang,Shaohui Mei,Jiawei Lian,Ye Wang,Shuai Wan

DOI: https://doi.org/10.1109/tgrs.2023.3328889

IF: 8.2

2023-01-01

IEEE Transactions on Geoscience and Remote Sensing

Abstract:Despite deep neural networks (DNNs) have been widely applied in remote sensing (RS) scene classification and achieved satisfying performance, the vulnerability of DNNs toward adversarial examples significantly degrades their performance. Moreover, the relatively limited labeled samples of RS scene classification make DNNs more likely to overfit, leading to weak generalizability and noise sensitivity. This may result in DNNs being more vulnerable to adversarial examples. Consequently, the defense of adversarial examples is of crucial importance to improve both the generalizability and robustness of DNNs in the RS scene classification task. However, few studies have been conducted on defense for RS scene classification, especially ignoring the intrinsic characteristics of RS images. In this article, an effective defense framework for RS scene classification, named reconstruction-assisted and distance-optimized adversarial training (RDAT), is proposed to defend adversarial examples. To solve the problems caused by high interclass similarity, a distance-optimized (DO) strategy is designed for adversarial training (AT) to strengthen the learning of underfitting content, increase the interclass distance, and improve the robustness of the networks. Furthermore, to generate high-quality samples for AT, a reconstruction-assisted (RA) block is proposed to eliminate adversarial perturbations in adversarial examples. Specifically, in this block, by Swin Transformer (SwinT) block and multiscale convolution (MSC) block, SwinT-MSC-UNet (SMUNet) is constructed to fully extract global and multiscale local features to adapt to the characteristics of RS images with a large variance of ground object scales. Extensive experiments on the benchmark datasets, that is, UC Merced (UCM) and aerial image dataset (AID), have demonstrated that the proposed RDAT can effectively resist multiple adversarial attacks and yield superior results than other defense methods for RS scene classification.

Ziming Zhao,Zhaoxuan Li,Tingting Li,Jiongchi Yu,Fan Zhang,Rui Zhang

DOI: https://doi.org/10.1145/3589335.3651524

2024-01-01

Abstract:Recent studies show that deep neural networks are extremely vulnerable, especially for adversarial examples of image classification models. However, the current defense technologies exhibit a series of limitations in terms of the adaptability of different attacks, the trade-off between clean-instance accuracy and robust one, as well as efficiency for train time overhead. To tackle these problems, we present a novel component, named redundant fully connected layer, which can be combined with existing model backbones in a pluggable manner. Specifically, we design a tailor-made loss function for it that leverages cosine similarity to maximize the difference and diversity of multiple fully connected parts. We conduct extensive experiments against 12 representative attacks (white-box and black-box), based on the popular dataset. The empirical evaluations show that our scheme realizes significant outcomes against various attacks with negligible additional training overhead, while hardly bringing collateral damage for clean-instance accuracy.

Adnan Siraj Rakin,Zhezhi He,Boqing Gong,Deliang Fan

2018-01-01

Abstract:Deep learning algorithms and networks are vulnerable to perturbed inputs which are known as the adversarial attack. Many defense methodologies have been investigated to defend such adversarial attack. In this work, we propose a novel methodology to defend the existing powerful attack model. Such attack models have achieved record success against MNIST dataset to force it to miss-classify all of its inputs. Whereas Our proposed defense method robust pre-processing achieves the best accuracy among the current state of the art defenses. It consists of Tanh (hyperbolic tangent) function, smoothing and batch normalization to process the input data which will make it more robust over the adversarial attack. robust pre-processing improves the white box attack accuracy of MNIST from 94.3% to 98.7%. Even with increasing defense when others defenses completely fail, robust pre-processing remains one of the strongest ever reported. Another strength of our defense is that it eliminates the need for adversarial training as it can significantly increase the MNIST accuracy without adversarial training as well. This makes it a more generalized defense method with almost half training overhead and much-improved accuracy. robust pre-processing can also increase the inference accuracy in the face of the powerful attack on CIFAR-10 and SVHN data set as well without much sacrificing clean data accuracy.

Xiaoyue Mi,Fan Tang,Yepeng Weng,Danding Wang,Juan Cao,Sheng Tang,Peng Li,Yang Liu

2024-08-19

Abstract:Despite the effectiveness in improving the robustness of neural networks, adversarial training has suffered from the natural accuracy degradation problem, i.e., accuracy on natural samples has reduced significantly. In this study, we reveal that natural accuracy degradation is highly related to the disruption of the natural sample topology in the representation space by quantitative and qualitative experiments. Based on this observation, we propose Topology-pReserving Adversarial traINing (TRAIN) to alleviate the problem by preserving the topology structure of natural samples from a standard model trained only on natural samples during adversarial training. As an additional regularization, our method can be combined with various popular adversarial training algorithms, taking advantage of both sides. Extensive experiments on CIFAR-10, CIFAR-100, and Tiny ImageNet show that our proposed method achieves consistent and significant improvements over various strong baselines in most cases. Specifically, without additional data, TRAIN achieves up to 8.86% improvement in natural accuracy and 6.33% improvement in robust accuracy.

Computer Vision and Pattern Recognition,Machine Learning

Lirong He,Qingzhong Ai,Yuqing Lei,Lili Pan,Yazhou Ren,Zenglin Xu

DOI: https://doi.org/10.1016/j.neucom.2022.10.059

IF: 6

2023-01-01

Neurocomputing

Abstract:Imperceptible adversarial examples are capable of deceiving the deep neural networks with high confidence. Recent studies show that it is particularly effective to control the attack space to low-frequency components of the image on the basis of adversarial training. However, those methods face the problem of losing valuable knowledge, especially shape information, which is vital for classification and robustness. To alleviate this issue, we propose a new method based on edge detection, named Edge Enhancement (EE), which can explicitly make up for the missing shape information in frequency constraints and further enhance the adversarial robustness. Specifically, we first employ a traditional edge detection algorithm called Canny to obtain shape information due to its simplicity and intrinsic robustness. Then, we augment the low-frequency space via obtained shape features, with the weighting operation carried on. This operation can be regarded as an emphasis on shape information, which could mitigate the texture bias of deep neural networks, thereby further serving the robustness. Finally, we feed the augmented features into the deep neural network. It is worth noting that these modules are optimized along with the deep neural network, which enables an end-to-end training fashion. Experimental results show that our proposed model can significantly improve adversarial robustness over the state-of-the-art methods on three benchmark datasets, including MNIST, Tiny ImageNet, and particularly ImageNet. For example, our method achieves 51.66% accuracy on ImageNet under 10-iteration targeted PGD white-box attack where the prior art has 36.94% accuracy. Code is available at https://github.com/Aiqz/Edge-Enhancement.

Qi Tian,Kun Kuang,Kelu Jiang,Fei Wu,Yisen Wang

DOI: https://doi.org/10.1145/3447548.3467403

2021-01-01

Abstract:Adversarial training is one of the most effective approaches to improve model robustness against adversarial examples. However, previous works mainly focus on the overall robustness of the model, and the in-depth analysis on the role of each class involved in adversarial training is still missing. In this paper, we propose to analyze the class-wise robustness in adversarial training. First, we provide a detailed diagnosis of adversarial training on six benchmark datasets, i.e., MNIST, CIFAR-10, CIFAR-100, SVHN, STL-10 and ImageNet. Surprisingly, we find that there are remarkable robustness discrepancies among classes, leading to unbalance/unfair class-wise robustness in the robust models. Furthermore, we keep investigating the relations between classes and find that the unbalanced class-wise robustness is pretty consistent among different attack and defense methods. Moreover, we observe that the stronger attack methods in adversarial learning achieve performance improvement mainly from a more successful attack on the vulnerable classes (i.e., classes with less robustness). Inspired by these interesting findings, we design a simple but effective attack method based on the traditional PGD attack, named Temperature-PGD attack, which proposes to enlarge the robustness disparity among classes with a temperature factor on the confidence distribution of each image. Experiments demonstrate our method can achieve a higher attack rate than the PGD attack. Furthermore, from the defense perspective, we also make some modifications in the training and inference phase to improve the robustness of the most vulnerable class, so as to mitigate the large difference in class-wise robustness. We believe our work can contribute to a more comprehensive understanding of adversarial training as well as rethinking the class-wise properties in robust models.

Xuanming Fu,Zhengfeng Yang,Hao Xue,Jianlin Wang,Zhenbing Zeng

DOI: https://doi.org/10.1109/icpr56361.2022.9956608

2022-01-01

Abstract:Adversarial training is an efficacious defense approach to protect classification model against adversarial attacks. In this paper, we reveal that a significant difference exists between the feature map of the original sample and that of its corresponding adversarial version. Based on this main insight, we propose a novel robust training on feature-based adversarial examples approach called FPAT, where training examples are generated by maximizing the loss function between the clean and the adversarial feature maps. We show via extensive experiments on MNIST, SVHN and CIFAR-10, that our proposed method is as effective as the state-of-the-art robust training methods. Especially, when the adversarial perturbation is of a large radius or the number of adversarial steps of training samples is small, FPAT achieves leading robustness.

Pang, Tianyu,Du, Chao,Dong, Yinpeng,Zhu, Jun

DOI: https://doi.org/10.48550/arxiv.1706.00633

2018-01-01

Abstract:Although the recent progress is substantial, deep learning methods can be vulnerable to the maliciously generated adversarial examples. In this paper, we present a novel training procedure and a thresholding test strategy, towards robust detection of adversarial examples. In training, we propose to minimize the reverse cross-entropy (RCE), which encourages a deep network to learn latent representations that better distinguish adversarial examples from normal ones. In testing, we propose to use a thresholding strategy as the detector to filter out adversarial examples for reliable predictions. Our method is simple to implement using standard algorithms, with little extra training cost compared to the common cross-entropy minimization We apply our method to defend various attacking methods on the widely used MNIST and CIFAR-10 datasets, and achieve significant improvements on robust predictions under all the threat models in the adversarial setting.

Yisen Wang,Difan Zou,Jinfeng Yi,James Bailey,Xingjun Ma,Quanquan Gu

2020-01-01

Abstract:Deep neural networks (DNNs) are vulnerable to adversarial examples crafted by imperceptible perturbations. A range of defense techniques have been proposed to improve DNN robustness to adversarial examples, among which adversarial training has been demonstrated to be the most effective. Adversarial training is often formulated as a min-max optimization problem, with the inner maximization for generating adversarial examples. However, there exists a simple, yet easily overlooked fact that adversarial examples are only defined on correctly classified (natural) examples, but inevitably, some (natural) examples will be misclassified during training. In this paper, we investigate the distinctive influence of misclassified and correctly classified examples on the final robustness of adversarial training. Specifically, we find that misclassified examples indeed have a significant impact on the final robustness. More surprisingly, we find that different maximization techniques on misclassified examples may have a negligible influence on the final robustness, while different minimization techniques are crucial. Motivated by the above discovery, we propose a new defense algorithm called {\em Misclassification Aware adveRsarial Training} (MART), which explicitly differentiates the misclassified and correctly classified examples during the training. We also propose a semi-supervised extension of MART, which can leverage the unlabeled data to further improve the robustness. Experimental results show that MART and its variant could significantly improve the state-of-the-art adversarial robustness.

Feng Guo,Qingjie Zhao,Xuan Li,Xiaohui Kuang,Jianwei Zhang,Yahong Han,Yu-an Tan

DOI: https://doi.org/10.1016/j.ins.2019.05.084

IF: 8.1

2019-01-01

Information Sciences

Abstract:Deep neural networks (DNNs) perform effectively in many computer vision tasks. However, DNNs are found to be vulnerable to adversarial examples which are generated by adding imperceptible perturbations to original images. To address this problem, we propose a novel defense method, transferability prediction difference (TPD), to drastically improve the adversarial robustness of DNNs with small sacrificing verified accuracy. We find out that the adversarial examples have lager prediction difference for various DNN models due to their various complicated decision boundaries, which can be used to identify the adversarial examples by converging decision boundaries to a prediction difference threshold. We adopt the K-means clustering algorithm on benign data to determine transferability prediction difference threshold, by which we can detect adversarial examples accurately and efficiently. Furthermore, TPD method neither modifies the target model nor needs to take knowledge of adversarial attacks. We perform four state-of-the-art adversarial attacks (FGSM, BIM, JSMA and C&W) to evaluate TPD models trained on MNIST and CIFAR-10 and the average detection accuracy is 96.74% and 86.61%. The results show that TPD model has high detection ratio on the demonstrably advanced white-box adversarial examples while keeping low false positive rate on benign examples.

Daizong Ding,Erling Jiang,Yuanmin Huang,Mi Zhang,Wenxuan Li,Min Yang

DOI: https://doi.org/10.1109/cvpr52729.2023.01180

2023-01-01

Abstract:Recently, deep neural networks have shown great success on 3D point cloud classification tasks, which simultaneously raises the concern of adversarial attacks that cause severe damage to real-world applications. Moreover, defending against adversarial examples in point cloud data is extremely difficult due to the emergence of various attack strategies. In this work, with the insight of the fact that the adversarial examples in this task still preserve the same semantic and structural information as the original input, we design a novel defense framework for improving the robustness of existing classification models, which consists of two main modules: the attention-based pooling and the dynamic contrastive learning. In addition, we also develop an algorithm to theoretically certify the robustness of the proposed framework. Extensive empirical results on two datasets and three classification models show the robustness of our approach against various attacks, e.g., the averaged attack success rate of PointNet decreases from 70.2% to 2.7% on the ModelNet40 dataset under 9 common attacks.

Xingbin Liu,Huafeng Kuang,Hong Liu,Xianming Lin,Yongjian Wu,Rongrong Ji

2023-01-01

Abstract:Deep neural networks have been applied in many computer vision tasks and achieved state-of-the-art performance. However, misclassification will occur when DNN predicts adversarial examples which add human-imperceptible adversarial noise to natural examples. This limits the application of DNN in security-critical fields. To alleviate this problem, we first conducted an empirical analysis of the latent features of both adversarial and natural examples and found the similarity matrix of natural examples is more compact than those of adversarial examples. Motivated by this observation, we propose Latent Feature Relation Consistency (LFRC), which constrains the relation of adversarial examples in latent space to be consistent with the natural examples. Importantly, our LFRC is orthogonal to the previous method and can be easily combined with them to achieve further improvement. To demonstrate the effectiveness of LFRC, we conduct extensive experiments using different neural networks on benchmark datasets. For instance, LFRC can bring 0.78% further improvement compared to AT, and 1.09% improvement compared to TRADES, against AutoAttack on CIFAR10. Code is available at https://github.com/liuxingbin/LFRC.

Yating Ma,Ruiqi Zha,Zhichao Lian

DOI: https://doi.org/10.1109/smartworld-uic-atc-scalcom-digitaltwin-pricomp-metaverse56740.2022.00028

2022-01-01

Abstract:Perception algorithms are commonly used in ubiquitous computing. Deep neural networks have achieved significant performance in computer vision field, yet were found that exist vulnerabilities which was misclassified by adversarial examples. This issue has attracted great attention to explore methods to defend against adversarial examples. Detecting adversarial examples is a basic work for improving robustness of models. However, how to exploit an efficient feature to distinguish clean examples and adversarial ones is a challenging problem. In this paper, we investigate the adversarial examples from frequency domain and propose a framework to detect and classify adversarial attacks combing with attention mechanism. We first demonstrate that adversarial perturbations are more perceptible in the frequency domain and exploit this to achieve significant detection results. Then, combined with the advantages of the attention mechanism, an integrate network is proposed to achieve a more refined classification of attack methods. Based on the structure of ResNetl8, our results achieve optimal detection rate and high classification rate of 73% among FGSM, PGD-$\ell_{2}$, PGD$-\ell_{\infty}$, Deepfool and MI-FGSM.

Binghui Li,Yuanzhi Li

2024-10-11

Abstract:Adversarial training is a widely-applied approach to training deep neural networks to be robust against adversarial perturbation. However, although adversarial training has achieved empirical success in practice, it still remains unclear why adversarial examples exist and how adversarial training methods improve model robustness. In this paper, we provide a theoretical understanding of adversarial examples and adversarial training algorithms from the perspective of feature learning theory. Specifically, we focus on a multiple classification setting, where the structured data can be composed of two types of features: the robust features, which are resistant to perturbation but sparse, and the non-robust features, which are susceptible to perturbation but dense. We train a two-layer smoothed ReLU convolutional neural network to learn our structured data. First, we prove that by using standard training (gradient descent over the empirical risk), the network learner primarily learns the non-robust feature rather than the robust feature, which thereby leads to the adversarial examples that are generated by perturbations aligned with negative non-robust feature directions. Then, we consider the gradient-based adversarial training algorithm, which runs gradient ascent to find adversarial examples and runs gradient descent over the empirical risk at adversarial examples to update models. We show that the adversarial training method can provably strengthen the robust feature learning and suppress the non-robust feature learning to improve the network robustness. Finally, we also empirically validate our theoretical findings with experiments on real-image datasets, including MNIST, CIFAR10 and SVHN.

Machine Learning

Shuai Zhao,Shibin Liu,Boyuan Zhang,Yang Zhai,Ziyi Liu,Yahong Han

DOI: https://doi.org/10.1109/icme57554.2024.10688077

2024-01-01

Abstract:The adversarial examples have demonstrated the vulnerability of machine learning models. While the data augmentation strategy has been a cornerstone in circumventing overfitting within the realm of standard training paradigms, the prior research has proved the limited efficiency of data augmentation in ameliorating overfitting concerns, specifically within the scope of adversarial training. In this work, we have shown that a data augmentation strategy could enhance the generalization of adversarial training. Our framework, Adversarial Denoising-based Training(ADT), first utilizes the adversarial denoising strategy to improve the generalization of adversarial training. Specifically, we use patch-wise adversarial denoising as a data augmentation strategy to boost the robustness of adversarial training. We have evaluated our method on the MNIST, CIFAR-10, Tiny-ImageNet, and GTSRB datasets. The result shows that our framework could successfully improve the adversarial robustness of models against both digital and physical adversarial examples.

BADER RASHEED, ADIL KHAN

DOI: https://doi.org/10.52783/rlj.v11i9s.1644

2023-04-07

Russian Law Journal

Abstract:Deep learning models have been found to be susceptible to adversarial attacks, which limits their use in security-sensitive applications. One way to enhance the resilience of these models is through adversarial training, which involves training them with intentionally crafted adversarial examples. This study introduces the idea of clustering-based adversarial training technique, with preliminary results and motivations. In this approach, rather than using adversarial instances directly, they are first grouped using various clustering algorithms and criteria, creating a new structured space for model training. The method's performance is evaluated on the MNIST dataset against different adversarial attacks, such as FGSM and PGD, with an examination of the accuracy-robustness trade-off. The results show that cluster-based adversarial training could be used as a data augmentation method to enhance the generalization in both clean and adversarial domains.