Zhe Zhao,Guangke Chen,Jingyi Wang,Yiwei Yang,Fu Song,Jun Sun

DOI: https://doi.org/10.1145/3460319.3464822

2021-01-01

Abstract:As a new programming paradigm, deep learning has expanded its application to many real-world problems. At the same time, deep learning based software are found to be vulnerable to adversarial attacks. Though various defense mechanisms have been proposed to improve robustness of deep learning software, many of them are ineffective against adaptive attacks. In this work, we propose a novel characterization to distinguish adversarial examples from benign ones based on the observation that adversarial examples are significantly less robust than benign ones. As existing robustness measurement does not scale to large networks, we propose a novel defense framework, named attack as defense (A2D), to detect adversarial examples by effectively evaluating an example’s robustness. A2D uses the cost of attacking an input for robustness evaluation and identifies those less robust examples as adversarial since less robust examples are easier to attack. Extensive experiment results on MNIST, CIFAR10 and ImageNet show that A2D is more effective than recent promising approaches. We also evaluate our defense against potential adaptive attacks and show that A2D is effective in defending carefully designed adaptive attacks, e.g., the attack success rate drops to 0% on CIFAR10.

Yue Zhuo,Zhiqiang Ge

DOI: https://doi.org/10.36227/techrxiv.19609623.v1

2022-01-01

Abstract:Adversarial attack is to craft tiny perturbations on inputs, causing neural networks to give incorrect outputs with high confidence, while adversarial training is the de facto most successful method to obtain robust neural networks. Nevertheless, adversarial training suffers from robust overfitting: the increasing robustness gap between train and test datasets. This paper aims at reducing this robust overfitting (i.e., improving adversarially robust generalization / generalized adversarial robustness). Firstly, we study the robust bias-variance trade-off and find that the robust overfitting even happens on the simple dataset (100MNIST), which is considered free from that in previous research. Next, based on 100MNIST and Gaussian data, the correlation between feature augmentation and robust overfitting is analyzed on a theoretical basis. A novel insight is obtained: the augmentation on robust features can improve generalized adversarial robustness, through alleviating the over-optimization on non-robust features. Then, we propose a regularization term, Feature Alignment (FA), to guide synthesized sample directions. Adversarial FA aided Generative Adversarial Network, AFAGAN, generates samples aligning robust features, which can train more adversarially robust generalized models. Experiments on CIFAR10 show that augmented data of AFAGAN significantly improves the generalized adversarial robustness.

Jing Li,Zigan Wang,Jinliang Li

DOI: https://doi.org/10.1109/cvprw63382.2024.00352

2024-01-01

Computer Vision and Pattern Recognition

Abstract:Adversarial patch attacks, which can mislead deep learning models and the human eye in both the digital and physical domains, have led to a trust crisis. Traditional approaches to generating powerful attack patches require extensive, multi-scenario data, but suffer from slow search speeds in adversarial gradient space, resulting in low global attack success rates and high costs. Especially high resource-consuming attack methods are not sufficient to pose sufficient threats, which leads to the vulnerability of defense. To address these challenges, we present a novel framework AdvDenoise to generate universal adversarial patches fast and robustly using denoise. Concretely, we leverage the power of denoising diffusion probabilistic models to craft or optimize these patches, deviating from traditional pure gradient-based methods. We conduct comprehensive experiments on both pre-trained convolutional neural networks and vision transformer detectors, evaluating our method on standard benchmarks as well as in simulated real-world physical settings. The results demonstrate that our framework outperforms strong baselines, achieving higher attack success rates, better transferability across models, and improved robustness to transformations while maintaining visual realism and computational efficiency. When our method’s performance approaches the state-of-the-art, the total time required to generate 100-shots adversarial patches is substantially lower than the state-of-the-art methods, with a remarkable 48.15% reduction in time complexity. The code and examples are publicly available at https://github.com/advdenoise/advdenoise.

Chai Xiuli,Wei Tongtong,Chen Zhen,He Xin,Gan Zhihua,Wu Xiangjun

DOI: https://doi.org/10.1007/s10489-022-03847-z

IF: 5.3

2022-01-01

Applied Intelligence

Abstract:Deep neural networks (DNNs) are prone to produce incorrect prediction results under the attack of adversarial samples. To cope with this problem, some defense methods are presented. However, most of them are based on adversarial training, which has great computational consumption and does not start from strengthening the architecture of the network model itself to resist the adversarial attack. Recent studies have shown that feature denoising can remove the adversarial perturbations in the adversarial samples. In this paper, we propose a lightweight denoising network with residual connection (LDN-RC), on which the internal denoising block and the intermediate denoising block are introduced for feature denoising and sample denoising, respectively; the two denoising blocks are combined in the network model, which can withstand the interference of the adversarial perturbations in the adversarial samples to a large extent and also save computational resources. In the training strategy, a two-stage denoising approach and fine-tuning are presented to train the RESNET network model on MNIST, CIFAR-10, and SVHN datasets, and the accuracy of the enhanced network model exceeds 60% on all three datasets under the $${L}_{\infty }$$ -PGD white-box attack, which demonstrate that LDN-RC can effectively improve the adversarial robustness of the network model.

Cihang Xie,Yuxin Wu,Laurens van der Maaten,Alan Yuille,Kaiming He

2019-03-26

Abstract:Adversarial attacks to image classification systems present challenges to convolutional networks and opportunities for understanding them. This study suggests that adversarial perturbations on images lead to noise in the features constructed by these networks. Motivated by this observation, we develop new network architectures that increase adversarial robustness by performing feature denoising. Specifically, our networks contain blocks that denoise the features using non-local means or other filters; the entire networks are trained end-to-end. When combined with adversarial training, our feature denoising networks substantially improve the state-of-the-art in adversarial robustness in both white-box and black-box attack settings. On ImageNet, under 10-iteration PGD white-box attacks where prior art has 27.9% accuracy, our method achieves 55.7%; even under extreme 2000-iteration PGD white-box attacks, our method secures 42.6% accuracy. Our method was ranked first in Competition on Adversarial Attacks and Defenses (CAAD) 2018 --- it achieved 50.6% classification accuracy on a secret, ImageNet-like test dataset against 48 unknown attackers, surpassing the runner-up approach by ~10%. Code is available at <a class="link-external link-https" href="https://github.com/facebookresearch/ImageNet-Adversarial-Training" rel="external noopener nofollow">this https URL</a>.

Computer Vision and Pattern Recognition

Lu, Fang,Wang, Bin,Zhou, Boyang

DOI: https://doi.org/10.1007/s10489-023-05253-5

IF: 5.3

2024-01-14

Applied Intelligence

Abstract:Recent studies have shown that deep neural networks (DNNs) are vulnerable to adversarial examples (AEs). Denoising based on the input pre-processing is one of the defenses against adversarial attacks. However, it is hard to remove multiple adversarial perturbations, especially in the presence of evolving attacks. To address this challenge, we attempt to extract the commonality of adversarial perturbations. Due to the imperceptibility of adversarial perturbations in the input space, we conduct the extraction in the deep feature space where the perturbations become more apparent. Through the obtained common characteristics, we craft common adversarial examples (CAEs) to train the denoiser. Furthermore, to prevent image distortion while removing as much of the adversarial perturbation as possible, we propose a hybrid loss function that guides the training process at both the pixel level and the deep feature space. Our experiments show that our defense method can eliminate multiple adversarial perturbations, significantly enhancing adversarial robustness compared to previous state-of-the-art methods. Moreover, it can be plug-and-play for various classification models, which demonstrates the generalizability of our defense method.

computer science, artificial intelligence

Jie Ning,Jiebao Sun,Shengzhu Shi,Zhichang Guo,Yao Li,Hongwei Li,Boying Wu

2024-12-08

Abstract:Deep learning-based image denoising models demonstrate remarkable performance, but their lack of robustness analysis remains a significant concern. A major issue is that these models are susceptible to adversarial attacks, where small, carefully crafted perturbations to input data can cause them to fail. Surprisingly, perturbations specifically crafted for one model can easily transfer across various models, including CNNs, Transformers, unfolding models, and plug-and-play models, leading to failures in those models as well. Such high adversarial transferability is not observed in classification models. We analyze the possible underlying reasons behind the high adversarial transferability through a series of hypotheses and validation experiments. By characterizing the manifolds of Gaussian noise and adversarial perturbations using the concept of typical set and the asymptotic equipartition property, we prove that adversarial samples deviate slightly from the typical set of the original input distribution, causing the models to fail. Based on these insights, we propose a novel adversarial defense method: the Out-of-Distribution Typical Set Sampling Training strategy (TS). TS not only significantly enhances the model's robustness but also marginally improves denoising performance compared to the original model.

Computer Vision and Pattern Recognition

Gwonsang Ryu,Daeseon Choi

DOI: https://doi.org/10.1007/s10489-022-03991-6

IF: 5.3

2022-08-06

Applied Intelligence

Abstract:Deep neural networks (DNNs) are vulnerable to adversarial attacks that generate adversarial examples by adding small perturbations to the clean images. To combat adversarial attacks, the two main defense methods used are denoising and adversarial training. However, both methods result in the DNN having lower classification accuracy for clean images than conventionally trained DNN models. To overcome this problem, we propose a hybrid adversarial training (HAT) method that trains the denoising network and DNN model simultaneously. The proposed HAT method uses both clean images and adversarial examples denoised by the denoising network and non-denoised clean images and adversarial examples to train the DNN model. The results of experiments conducted on the MNIST, CIFAR-10, CIFAR-100, and GTSRB datasets show that the HAT method results in a higher classification accuracy than both conventional training with a denoising network and previous adversarial training methods. They also indicate that training with the HAT method results in average improvements in robustness of 0.84%, 27.33%, 28.99%, and 17.61% against adversarial attacks compared with several state-of-the-art adversarial training methods on the MNIST, CIFAR-10, CIFAR-100, and GTSRB datasets, respectively. Thus, the proposed HAT method results in improved robustness for DNNs against a wider range of adversarial attacks.

computer science, artificial intelligence

Zhonghan Niu,Zhaoxi Chen,Linyi Li,Yubin Yang,Bo Li,Jinfeng Yi

DOI: https://doi.org/10.48550/arXiv.2012.09384

IF: 5.414

2020-12-17

Machine Learning

Abstract:As adversarial attacks against machine learning models have raised increasing concerns, many denoising-based defense approaches have been proposed. In this paper, we summarize and analyze the defense strategies in the form of symmetric transformation via data denoising and reconstruction (denoted as $F+$ inverse $F$, $F-IF$ Framework). In particular, we categorize these denoising strategies from three aspects (i.e. denoising in the spatial domain, frequency domain, and latent space, respectively). Typically, defense is performed on the entire adversarial example, both image and perturbation are modified, making it difficult to tell how it defends against the perturbations. To evaluate the robustness of these denoising strategies intuitively, we directly apply them to defend against adversarial noise itself (assuming we have obtained all of it), which saving us from sacrificing benign accuracy. Surprisingly, our experimental results show that even if most of the perturbations in each dimension is eliminated, it is still difficult to obtain satisfactory robustness. Based on the above findings and analyses, we propose the adaptive compression strategy for different frequency bands in the feature domain to improve the robustness. Our experiment results show that the adaptive compression strategies enable the model to better suppress adversarial perturbations, and improve robustness compared with existing denoising strategies.

Timothy Mann,D. A. Calian,Florian Stimberg,Sylvestre-Alvise Rebuffi,Sven Gowal,Olivia Wiles

2021-11-09

Abstract:Adversarial training suffers from robust overfitting, a phenomenon where the robust test accuracy starts to decrease during training. In this paper, we focus on reducing robust overfitting by using common data augmentation schemes. We demonstrate that, contrary to previous findings, when combined with model weight averaging, data augmentation can significantly boost robust accuracy. Furthermore, we compare various augmentations techniques and observe that spatial composition techniques work the best for adversarial training. Finally, we evaluate our approach on CIFAR-10 against $\ell_\infty$ and $\ell_2$ norm-bounded perturbations of size $\epsilon = 8/255$ and $\epsilon = 128/255$, respectively. We show large absolute improvements of +2.93% and +2.16% in robust accuracy compared to previous state-of-the-art methods. In particular, against $\ell_\infty$ norm-bounded perturbations of size $\epsilon = 8/255$, our model reaches 60.07% robust accuracy without using any external data. We also achieve a significant performance boost with this approach while using other architectures and datasets such as CIFAR-100, SVHN and TinyImageNet.

Mathematics,Computer Science

Chen,Jingfeng Zhang,Xilie Xu,Lingjuan Lyu,Chaochao Chen,Tianlei Hu,Gang Chen

DOI: https://doi.org/10.1109/tdsc.2022.3165889

2022-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Adversarial training (AT) is a typical method to learn adversarially robust deep neural networks via training on the adversarial variants generated by their natural examples. However, as training progresses, the training data becomes less attackable, which may undermine the enhancement of model robustness. A straightforward remedy is to incorporate more training data, but it may incur an unaffordable cost. To mitigate this issue, in this paper, we propose a deCisiOn bounDary-aware data Augmentation framework (CODA): in each epoch, the CODA directly employs the meta information of the previous epoch to guide the augmentation process and generate more data that are close to the decision boundary, i.e., attackable data. Compared with the vanilla mixup, our proposed CODA can provide a higher ratio of attackable data, which is beneficial to enhance model robustness; it meanwhile mitigates the model's linear behavior between classes, where the linear behavior is favorable to the standard training for generalization but not to the adversarial training for robustness. As a result, our proposed CODA encourages the model to predict invariantly in the cluster of each class. Experiments demonstrate that our proposed CODA can indeed enhance adversarial robustness across various adversarial training methods and multiple datasets.

Yulong Wang,Tong Sun,Xin Yuan,Shenghong Li,Wei Ni

DOI: https://doi.org/10.1109/tifs.2024.3474973

IF: 7.231

2024-10-22

IEEE Transactions on Information Forensics and Security

Abstract:Training deep neural networks (DNNs) with altered data, known as adversarial training, is essential for improving their robustness. A significant challenge emerges as the robustness strengthened during training often diminishes during inference, resulting in drops in robust pronounced accuracy. Contemporary strategies either necessitate excessively large training data or risk compromising the natural accuracy of non-adversarial images. Our analysis identifies that the inherent vulnerability of DNNs to adversarial attacks stems from certain input space segments that are inadequately populated by training data, leading to decision-making voids with incorrect predictions. The minimum number of training samples required for successful adversarial training can be attained by maximizing the representativeness of the samples. In light of this, we put forth an advanced training data augmentation method anchored on a Generative Adversarial Network. The generated samples are evaluated by the image classifier during training and selected based on their confidence scores. Evaluations on public datasets, such as Tiny-ImageNet, MS COCO, and CIFAR-100, using various deep neural networks (DNNs), including Vision Transformer, MobileNet, and WideResNet, under recent attacks like DifAttack, SQBA, and AutoAttack, confirm that our method significantly enhances the adversarial robustness of DNN image classifiers. Our method outperforms state-of-the-art adversarial training methods by 35.66% on Tiny-ImageNet, 13.53% on MS COCO, and 13.06% on CIFAR-100.

computer science, theory & methods,engineering, electrical & electronic

Lin Li,Michael Spratling

2023-03-27

Abstract:Deep neural networks can be easily fooled into making incorrect predictions through corruption of the input by adversarial perturbations: human-imperceptible artificial noise. So far adversarial training has been the most successful defense against such adversarial attacks. This work focuses on improving adversarial training to boost adversarial robustness. We first analyze, from an instance-wise perspective, how adversarial vulnerability evolves during adversarial training. We find that during training an overall reduction of adversarial loss is achieved by sacrificing a considerable proportion of training samples to be more vulnerable to adversarial attack, which results in an uneven distribution of adversarial vulnerability among data. Such "uneven vulnerability", is prevalent across several popular robust training methods and, more importantly, relates to overfitting in adversarial training. Motivated by this observation, we propose a new adversarial training method: Instance-adaptive Smoothness Enhanced Adversarial Training (ISEAT). It jointly smooths both input and weight loss landscapes in an adaptive, instance-specific, way to enhance robustness more for those samples with higher adversarial vulnerability. Extensive experiments demonstrate the superiority of our method over existing defense methods. Noticeably, our method, when combined with the latest data augmentation and semi-supervised learning techniques, achieves state-of-the-art robustness against $\ell_{\infty}$-norm constrained attacks on CIFAR10 of 59.32% for Wide ResNet34-10 without extra data, and 61.55% for Wide ResNet28-10 with extra data. Code is available at <a class="link-external link-https" href="https://github.com/TreeLLi/Instance-adaptive-Smoothness-Enhanced-AT" rel="external noopener nofollow">this https URL</a>.

Computer Vision and Pattern Recognition,Artificial Intelligence,Machine Learning

Ameer Mohammed,Ziad Ali,Imtiaz Ahmad

DOI: https://doi.org/10.1016/j.eswa.2023.123085

IF: 8.5

2024-01-07

Expert Systems with Applications

Abstract:Adversarial training, coupled with loss regularization techniques (such as MART and TRADES), is the current most effective method for consistently achieving adversarial robustness on various known datasets. However, without extra training data, the robustness gains of adversarial training are limited. To overcome this limitation, several alternative defenses were proposed as potential extensions to adversarial training, the most notable being the recent denoising diffusion models to generate additional training data. In this work, we propose a different candidate defense that combines both adversarial retraining and input transformation techniques, but instead, applies the transformations between the architecture layers without the need for extra training data. Namely, our interlayer processing technique introduces bit-depth reduction, originally an input pre-processing technique, between the layers of the model to reduce the space for an adversary to exploit. Together with adversarial training and randomization in the forward pass, interlayer processing leads to higher robustness gains. Our experiments show that our defense improves over standard loss regularization techniques by 1.56% and 7.92% for the ResNet-18 model on the CIFAR-10 and SVHN datasets, respectively. Additional experiments on ResNet-34 architecture led to improvements of 1.96% and 10.42% on CIFAR-100 and SVHN, respectively.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Xiangning Chen,Cihang Xie,Mingxing Tan,Li Zhang,Cho-Jui Hsieh,Boqing Gong

DOI: https://doi.org/10.1109/cvpr46437.2021.01635

2021-06-01

Abstract:Data augmentation has become a de facto component for training high-performance deep image classifiers, but its potential is under-explored for object detection. Noting that most state-of-the-art object detectors benefit from fine-tuning a pre-trained classifier, we first study how the classifiers’ gains from various data augmentations transfer to object detection. The results are discouraging; the gains diminish after fine-tuning in terms of either accuracy or robustness. This work instead augments the fine-tuning stage for object detectors by exploring adversarial examples, which can be viewed as a model-dependent data augmentation. Our method dynamically selects the stronger adversarial images sourced from a detector’s classification and localization branches and evolves with the detector to ensure the augmentation policy stays current and relevant. This model-dependent augmentation generalizes to different object detectors better than AutoAugment, a model-agnostic augmentation policy searched based on one particular detector. Our approach boosts the performance of state-of-the-art EfficientDets by +1.1 mAP on the COCO object detection benchmark. It also improves the detectors’ robustness against natural distortions by +3.8 mAP and against domain shift by +1.3 mAP.

Anouar Kherchouche,Sid Ahmed Fezza,Wassim Hamidouche

DOI: https://doi.org/10.1007/s00521-021-06330-x

2021-07-21

Neural Computing and Applications

Abstract:Despite the enormous performance of deep neural networks (DNNs), recent studies have shown their vulnerability to adversarial examples (AEs), i.e., carefully perturbed inputs designed to fool the targeted DNN. Currently, the literature is rich with many effective attacks to craft such AEs. Meanwhile, many defense strategies have been developed to mitigate this vulnerability. However, these latter showed their effectiveness against specific attacks and does not generalize well to different attacks. In this paper, we propose a framework for defending DNN classifier against adversarial samples. The proposed method is based on a two-stage framework involving a separate detector and a denoising block. The detector aims to detect AEs by characterizing them through the use of natural scene statistic (NSS), where we demonstrate that these statistical features are altered by the presence of adversarial perturbations. The denoiser is based on block matching 3D (BM3D) filter fed by an optimum threshold value estimated by a convolutional neural network (CNN) to project back the samples detected as AEs into their data manifold. We conducted a complete evaluation on three standard datasets, namely MNIST, CIFAR-10 and Tiny-ImageNet. The experimental results show that the proposed defense method outperforms the state-of-the-art defense techniques by improving the robustness against a set of attacks under black-box, gray-box and white-box settings. The source code is available at: https://github.com/kherchouche-anouar/2DAE.

computer science, artificial intelligence

Aishan Liu,Xianglong Liu,Hang Yu,Chongzhi Zhang,Qiang Liu,Dacheng Tao

DOI: https://doi.org/10.1109/tip.2021.3082317

IF: 10.6

2021-01-01

IEEE Transactions on Image Processing

Abstract:In practice, deep neural networks have been found to be vulnerable to various types of noise, such as adversarial examples and corruption. Various adversarial defense methods have accordingly been developed to improve adversarial robustness for deep models. However, simply training on data mixed with adversarial examples, most of these models still fail to defend against the generalized types of noise. Motivated by the fact that hidden layers play a highly important role in maintaining a robust model, this paper proposes a simple yet powerful training algorithm, named Adversarial Noise Propagation (ANP), which injects noise into the hidden layers in a layer-wise manner. ANP can be implemented efficiently by exploiting the nature of the backward-forward training style. Through thorough investigations, we determine that different hidden layers make different contributions to model robustness and clean accuracy, while shallow layers are comparatively more critical than deep layers. Moreover, our framework can be easily combined with other adversarial training methods to further improve model robustness by exploiting the potential of hidden layers. Extensive experiments on MNIST, CIFAR-10, CIFAR-10-C, CIFAR-10-P, and ImageNet demonstrate that ANP enables the strong robustness for deep models against both adversarial and corrupted ones, and also significantly outperforms various adversarial defense methods.

computer science, artificial intelligence,engineering, electrical & electronic

Suorong Yang,Jinqiao Li,Tianyue Zhang,Jian Zhao,Furao Shen

DOI: https://doi.org/10.1016/j.patcog.2023.109847

IF: 8

2023-01-01

Pattern Recognition

Abstract:Data augmentation has been an essential technique for improving the generalization ability of deep neural networks in image classification tasks. However, intensive changes in appearance and different degrees of occlusion in images are the key factors that severely affect the generalization ability of image classification models. Therefore, in order to enhance the generalization performance and robustness of deep models, data augmentation approaches by providing models with more diverse training data in various scenarios are widely applied. Although many existing data augmentation methods simulate occlusion in the augmented images to enhance the generalization of models, these methods randomly delete some areas in images without considering the semantic information of images. In this work, we propose a novel data augmentation method named AdvMask for image classification based on sparse adversarial attack techniques. AdvMask first identifies the key points that have the greatest influence on the classification results via a proposed end-to-end sparse adversarial attack module. During the data augmentation process, AdvMask efficiently generates diverse augmented data with structured occlusions based on the key points. By doing so, AdvMask can force deep models to seek other relevant content while the most discriminative content is hidden. Extensive experimental results on various benchmark datasets and deep models demonstrate that our proposed method can effectively improve the generalization performance of deep models and significantly outperforms previous data augmentation methods. Code for reproducing our results is available at https://github.com/Jackbrocp/AdvMask.

Sima Behpour,Kris M. Kitani,Brian D. Ziebart

DOI: https://doi.org/10.1109/wacv.2019.00137

2019-01-01

Abstract:The use of random perturbations of ground truth data, such as random translation or scaling of bounding boxes, is a common heuristic used for data augmentation that has been shown to prevent overfitting and improve generalization. Since the design of data augmentation is largely guided by reported best practices, it is difficult to understand if those design choices are optimal. To provide a more principled perspective, we develop a game-theoretic interpretation of data augmentation in the context of object detection. We aim to find an optimal adversarial perturbations of the ground truth data (i.e., the worst case perturbations) that forces the object bounding box predictor to learn from the hardest distribution of perturbed examples for better test-time performance. We establish that the game-theoretic solution (Nash equilibrium) provides both an optimal predictor and optimal data augmentation distribution. We show that our adversarial method of training a predictor can significantly improve test-time performance for the task of object detection. On the ImageNet, Pascal VOC and MS-COCO object detection tasks, our adversarial approach improves performance by about 16%, 5%, and 2% respectively compared to the best performing data augmentation methods.

Han Zhang,Xin Zhang,Yuan Sun,Lixia Ji

DOI: https://doi.org/10.1016/j.imavis.2024.105238

IF: 3.86

2024-08-26

Image and Vision Computing

Abstract:Deep learning models are highly vulnerable to adversarial examples, leading to significant attention on techniques for detecting them. However, current methods primarily rely on detecting image features for identifying adversarial examples, often failing to address the diverse types and intensities of such examples. We propose a novel adversarial example detection method based on perturbation estimation and denoising to overcome this limitation. We develop an autoencoder to predict the latent adversarial perturbations of samples and select appropriately sized noise based on these predictions to cover the perturbations. Subsequently, we employ a non-blind denoising autoencoder to remove noise and residual perturbations effectively. This approach allows us to eliminate adversarial perturbations while preserving the original information, thus altering the prediction results of adversarial examples without affecting predictions on benign samples. Inconsistencies in predictions before and after processing by the model identify adversarial examples. Our experiments on datasets such as MNIST, CIFAR-10, and ImageNet demonstrate that our method surpasses other advanced detection methods in accuracy.

computer science, artificial intelligence, theory & methods,engineering, electrical & electronic, software engineering,optics