DOI: 10.1145/3474085.3475614

Delving into Deep Image Prior for Adversarial Defense: A Novel Reconstruction-based Defense Framework

Published: 17 October 2021

Abstract

Deep learning based image classification models are known to be vulnerable to adversarial attacks, in which deliberately crafted noise is injected into clean images. To defend against such attacks in a training-free and attack-agnostic manner, this work proposes a novel and effective reconstruction-based defense framework built on deep image prior (DIP). Fundamentally different from existing reconstruction-based defenses, the proposed method analyzes and explicitly incorporates the model decision process into the defense. Given an adversarial image, we first map its reconstructions produced during DIP optimization into the model decision space, where cross-boundary images can be detected and on-boundary images can be further localized. Adversarial noise is then purified by perturbing on-boundary images in the direction opposite to the adversarial image. Finally, on-manifold images are stitched together to construct an image that the victim classifier predicts correctly. Extensive experiments demonstrate that the proposed method outperforms state-of-the-art reconstruction-based methods against both white-box attacks and defense-aware attacks, while maintaining high visual quality during adversarial image reconstruction.
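The decision-space pipeline sketched in the abstract can be illustrated with a toy example. The code below is not the authors' implementation: the classifier, the reconstruction trajectory, and all names (`predict`, `find_boundary_crossing`, `purify`) are hypothetical stand-ins, with a 2-D linear classifier in place of a deep network and a straight-line interpolation in place of real DIP reconstructions.

```python
import numpy as np

def predict(x):
    # Toy stand-in for the victim classifier: class 0 below the line
    # x0 + x1 = 1, class 1 above it. A real defense would query a CNN here.
    return 0 if x[0] + x[1] < 1.0 else 1

def find_boundary_crossing(recons, adv_label):
    # Scan the DIP reconstruction trajectory (coarse -> fine) for the first
    # image that crosses the decision boundary into the adversarial class.
    for i, r in enumerate(recons):
        if predict(r) == adv_label:
            return i
    return None

def purify(recons, adv_image, adv_label, step=0.5):
    # Localize the boundary-crossing reconstruction, then perturb it along
    # the reverse direction to the adversarial image until the prediction
    # flips back -- a caricature of the paper's noise-purification step.
    i = find_boundary_crossing(recons, adv_label)
    if i is None:
        return recons[-1]                       # trajectory never crossed
    x = recons[i].astype(float)                 # on/near-boundary image
    direction = x - adv_image                   # away from the adversarial input
    direction /= np.linalg.norm(direction) + 1e-12
    while predict(x) == adv_label:
        x = x + step * direction
    return x

# Clean point (class 0) and an adversarial point pushed across the boundary.
clean = np.array([0.2, 0.2])
adv = np.array([0.7, 0.7])                      # predict(adv) == 1
# Simulated DIP trajectory: early iterations capture the smooth (clean)
# content, later iterations overfit toward the adversarial input.
recons = [clean + t * (adv - clean) for t in np.linspace(0.0, 1.0, 6)]
purified = purify(recons, adv, adv_label=1)
print(predict(purified))                        # -> 0 (clean class restored)
```

The key design point mirrored here is that the defense watches *where* the reconstruction trajectory crosses the classifier's decision boundary, rather than applying a fixed early-stopping iteration.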

Supplementary Material

ZIP File (mfp2462aux.zip)
Appendices (Appendix A through Appendix F, in PDF format) for "Delving into Deep Image Prior for Adversarial Defense: A Novel Reconstruction-based Defense Framework".


Cited By

View all
  • (2024) AFPM: A Low-Cost and Universal Adversarial Defense for Speaker Recognition Systems. IEEE Transactions on Information Forensics and Security, 19, 2273-2287. DOI: 10.1109/TIFS.2023.3348232. Online publication date: 1 Jan 2024.
  • (2023) Reversing skin cancer adversarial examples by multiscale diffusive and denoising aggregation mechanism. Computers in Biology and Medicine, 164, 107310. DOI: 10.1016/j.compbiomed.2023.107310. Online publication date: Sep 2023.
  • (2023) Adversarial Example Defense via Perturbation Grading Strategy. Digital Multimedia Communications, 407-420. DOI: 10.1007/978-981-99-0856-1_30. Online publication date: 10 Mar 2023.


      Published In

      MM '21: Proceedings of the 29th ACM International Conference on Multimedia
      October 2021
      5796 pages
      ISBN:9781450386517
      DOI:10.1145/3474085

      Publisher

      Association for Computing Machinery

      New York, NY, United States


      Author Tags

      1. adversarial defense
      2. deep image prior
      3. reconstruction-based defense

      Qualifiers

      • Research-article

      Conference

      MM '21
      Sponsor:
      MM '21: ACM Multimedia Conference
      October 20 - 24, 2021
      Virtual Event, China

      Acceptance Rates

Overall acceptance rate: 995 of 4,171 submissions (24%)


      Article Metrics

      • Downloads (last 12 months): 21
      • Downloads (last 6 weeks): 2
      Reflects downloads up to 26 Sep 2024

