Research article. DOI: 10.1145/3394171.3413898

DIPDefend: Deep Image Prior Driven Defense against Adversarial Examples

Published: 12 October 2020

Abstract

Deep neural networks (DNNs) have shown serious vulnerability to adversarial examples: clean images carrying imperceptible perturbations. Most existing input-transformation based defenses (e.g., ComDefend) rely heavily on external priors learned from a large external training dataset while neglecting the rich internal priors of the input image itself, which limits how well such defenses generalize to adversarial examples whose image statistics differ from those of the external training data. Motivated by the deep image prior, which can capture rich image statistics from a single image, we propose an effective Deep Image Prior Driven Defense (DIPDefend) against adversarial examples. Fitting a DIP generator to the target (adversarial) input, we find that the reconstruction exhibits an interesting learning preference from a feature-learning perspective: the early stage primarily learns robust features that resist the adversarial perturbation, and only later does it learn the non-robust features that are sensitive to it. In addition, we develop an adaptive stopping strategy that adapts the method to diverse images. The proposed model thus obtains a unique defender for each individual adversarial input and is therefore robust to a variety of attackers. Experimental results demonstrate the superiority of our method over state-of-the-art defenses against white-box and black-box adversarial attacks.
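The abstract's central observation, that a generator fitted to a single input reconstructs robust low-frequency structure before it re-fits the adversarial perturbation, can be watched directly in a toy setting. The following is an added example, not code from the paper or its authors: the untrained CNN of a deep image prior is replaced by a linear stand-in, x = U c with U a Gaussian blur, so that gradient descent on ||U c - y||^2 absorbs each frequency of the input at a rate set by the blur's response to it. The plateau test that picks the stopping iteration is a generic stand-in for the paper's adaptive stopping strategy, not that strategy itself. The 1-D "image", the sign-pattern perturbation, and the constants N, EPS, SIGMA, LR, MAX_ITERS, tol and min_iters are all assumptions constructed for this example.

```python
"""Added toy model (not the paper's code) of the robust-features-first effect.

A deep image prior fits an untrained CNN to one input. Here the CNN is replaced
by a linear stand-in, x = U c with U a Gaussian blur, so the dynamics can be
read off: gradient descent on ||U c - y||^2 absorbs each frequency of y at a
rate set by U's response to it. Smooth (robust) structure is reconstructed in
the first iterations; the high-frequency adversarial perturbation is re-fitted
only much later. The plateau test stands in for the paper's adaptive stopping
rule. All constants and the 1-D 'image' are constructed for this example.
"""
import math
import random

N = 96          # pixels in the constructed 1-D image (assumption)
EPS = 0.06      # L_inf budget of the constructed adversarial perturbation (assumption)
SIGMA = 1.5     # blur std in pixels: the stand-in generator's smoothness bias (assumption)
LR = 0.5        # gradient step; stable since the normalised blur's peak response is 1
MAX_ITERS = 4000


def gaussian_kernel(sigma):
    """Normalised, truncated Gaussian taps: the operator U (symmetric, so also U^T)."""
    r = int(3 * sigma)
    taps = [math.exp(-(i * i) / (2.0 * sigma * sigma)) for i in range(-r, r + 1)]
    total = sum(taps)
    return [v / total for v in taps]


def conv_circular(x, kernel):
    """Circular convolution of x with a symmetric kernel."""
    r, n = len(kernel) // 2, len(x)
    return [sum(kernel[j + r] * x[(i - j) % n] for j in range(-r, r + 1))
            for i in range(n)]


def clean_image():
    """Constructed smooth signal in [0.1, 0.9]: the low-frequency, robust content."""
    return [0.5 + 0.25 * math.sin(2 * math.pi * n / N)
            + 0.15 * math.cos(4 * math.pi * n / N) for n in range(N)]


def adversarial_input(x, eps, seed=0):
    """Constructed stand-in for an L_inf attack: a random +-eps sign pattern,
    whose energy is spread over all frequencies and therefore mostly high ones."""
    rng = random.Random(seed)
    return [v + rng.choice((-eps, eps)) for v in x]


def psnr(a, b, peak=1.0):
    mse = sum((u - v) ** 2 for u, v in zip(a, b)) / len(a)
    return 10.0 * math.log10(peak * peak / mse)


def rel_change(x, x_prev):
    num = math.sqrt(sum((u - v) ** 2 for u, v in zip(x, x_prev)))
    den = math.sqrt(sum(u * u for u in x)) or 1.0
    return num / den


def dip_fit(y, reference=None, sigma=SIGMA, lr=LR, max_iters=MAX_ITERS,
            tol=1e-3, min_iters=10):
    """Gradient descent on ||U c - y||^2 from c = 0.

    Returns (output at the plateau stop, stop iteration, final output, PSNR
    trace). `reference` is the clean image, available only in a demo; the
    stopping rule never looks at it.
    """
    kernel = gaussian_kernel(sigma)
    c = [0.0] * len(y)
    x_prev, x_stop, stop_iter, trace = None, None, None, []
    for t in range(max_iters + 1):
        x = conv_circular(c, kernel)                 # generator output U c after t updates
        if reference is not None:
            trace.append(psnr(x, reference))
        if stop_iter is None and t >= min_iters and rel_change(x, x_prev) < tol:
            x_stop, stop_iter = x, t                 # output has plateaued: stop here
        if t == max_iters:
            break
        x_prev = x
        grad = conv_circular([xi - yi for xi, yi in zip(x, y)], kernel)  # U^T (U c - y)
        c = [ci - lr * gi for ci, gi in zip(c, grad)]
    if stop_iter is None:                            # never plateaued: keep the last output
        x_stop, stop_iter = x, max_iters
    return x_stop, stop_iter, x, trace


def run_demo(seed=0):
    """PSNR versus the clean image of: the adversarial input, the best iterate
    (an oracle that needs the clean image), the plateau-selected iterate, and
    the final iterate after MAX_ITERS steps."""
    x_clean = clean_image()
    y = adversarial_input(x_clean, EPS, seed)
    x_stop, stop_iter, x_final, trace = dip_fit(y, reference=x_clean)
    best_iter = max(range(len(trace)), key=trace.__getitem__)
    return {"input_psnr": psnr(y, x_clean),
            "best_iter": best_iter, "best_psnr": trace[best_iter],
            "stop_iter": stop_iter, "stop_psnr": psnr(x_stop, x_clean),
            "final_psnr": psnr(x_final, x_clean)}


if __name__ == "__main__":
    r = run_demo()
    print("adversarial input   %.1f dB" % r["input_psnr"])
    print("best iterate        %.1f dB at iteration %d (oracle)" % (r["best_psnr"], r["best_iter"]))
    print("plateau stop        %.1f dB at iteration %d" % (r["stop_psnr"], r["stop_iter"]))
    print("after %d steps    %.1f dB (perturbation re-fitted)" % (MAX_ITERS, r["final_psnr"]))
```

Run stand-alone, the script reports the PSNR of the adversarial input against the clean signal, then the PSNR of the early iterate, of the iterate chosen by the plateau rule, and of the final iterate: the curve rises within a few iterations (robust structure fitted), and then falls as the sign-pattern perturbation is absorbed, which is the behaviour the early-stopping defense relies on. Two caveats for practitioners. First, this linear toy never fully re-fits the very highest frequencies, so its final PSNR stays above the input's, whereas a real DIP network eventually reproduces the adversarial input exactly; the trend, not the end value, is the point. Second, a defense that runs an iterative, non-differentiable reconstruction in front of the classifier should also be evaluated against adaptive attacks that approximate or differentiate through that reconstruction step (Athalye, Carlini and Wagner, ICML 2018), since robustness to a fixed attack set alone does not establish robustness.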

Supplementary Material

MP4 File (3394171.3413898.mp4)
Presentation Video.




Published In

MM '20: Proceedings of the 28th ACM International Conference on Multimedia, October 2020, 4889 pages. ISBN: 9781450379885. DOI: 10.1145/3394171

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. adversarial example
  2. deep neural network
  3. defense
  4. image prior

Conference

MM '20

Acceptance Rates

Overall Acceptance Rate 995 of 4,171 submissions, 24%


Cited By

  • (2024) Novel Ransomware Detection Exploiting Uncertainty and Calibration Quality Measures Using Deep Learning. Information 15(5):262. DOI: 10.3390/info15050262. Published 5 May 2024.
  • (2024) DefenseFea: An Input Transformation Feature Searching Algorithm Based Latent Space for Adversarial Defense. Foundations of Computing and Decision Sciences 49(1):21-36. DOI: 10.2478/fcds-2024-0002. Published 16 February 2024.
  • (2024) Adversarial Item Promotion on Visually-Aware Recommender Systems by Guided Diffusion. ACM Transactions on Information Systems 42(6):1-26. DOI: 10.1145/3666088. Published 19 August 2024.
  • (2024) AFPM: A Low-Cost and Universal Adversarial Defense for Speaker Recognition Systems. IEEE Transactions on Information Forensics and Security 19:2273-2287. DOI: 10.1109/TIFS.2023.3348232. Published 2024.
  • (2023) Adversarial2Adversarial: Defending against Adversarial Fingerprint Attacks without Clean Images. 2023 14th International Conference on Information and Communication Technology Convergence (ICTC), pp. 1278-1282. DOI: 10.1109/ICTC58733.2023.10392544. Published 11 October 2023.
  • (2023) RAE-TPE: A Reversible Adversarial Example Generation Method Based on Thumbnail Preserving Encryption. 2023 IEEE International Conference on Signal Processing, Communications and Computing (ICSPCC), pp. 1-6. DOI: 10.1109/ICSPCC59353.2023.10400335. Published 14 November 2023.
  • (2022) Performance Improvement of Image-Reconstruction-Based Defense against Adversarial Attack. Electronics 11(15):2372. DOI: 10.3390/electronics11152372. Published 28 July 2022.
  • (2022) Untrained Neural Network Priors for Inverse Imaging Problems: A Survey. IEEE Transactions on Pattern Analysis and Machine Intelligence, pp. 1-20. DOI: 10.1109/TPAMI.2022.3204527. Published 2022.
  • (2022) HF-Defend: Defending Against Adversarial Examples Based on Halftoning. 2022 IEEE 24th International Workshop on Multimedia Signal Processing (MMSP), pp. 1-6. DOI: 10.1109/MMSP55362.2022.9948798. Published 26 September 2022.
  • (2022) Invertible Image Dataset Protection. 2022 IEEE International Conference on Multimedia and Expo (ICME), pp. 1-6. DOI: 10.1109/ICME52920.2022.9859698. Published 18 July 2022.
