Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Skip to main content

Advertisement

SpringerLink
Log in

CNN adversarial attack mitigation using perturbed samples training

  • Published:
Multimedia Tools and Applications Aims and scope Submit manuscript

Abstract

Susceptibility to adversarial examples is one of the major concerns in convolutional neural networks (CNNs) applications. Training the model with adversarial examples, known as adversarial training, is a common countermeasure to tackle such attacks. In reality, however, defenders are uninformed about how adversarial examples are generated by the attacker. Therefore, it is pivotal to utilize more general alternatives to intrinsically improve the robustness of models. For this purpose, we train CNNs with perturbed samples manipulated by various transformations and contaminated by different noises to foster robustness of networks against adversarial attacks. This idea derived from the fact that both adversarial and noisy samples undermine the classifier accuracy. We propose combination of a convolutional denoising autoencoder with a classifier (CDAEC) as a defensive structure. The proposed method does not add to the computational cost. Experimental results on MNIST database demonstrate that the accuracy of CDAEC trained by perturbed samples against adversarial attacks was more than 71.29%.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8

Similar content being viewed by others

Notes

  1. DFOBM, GBM and TM refer to the average of LBFGS and CW attacks, the average of FGSM, MI-FGSM and PGD attacks, and STM attack respectively.

References

  1. Boyat AK, Joshi BK (2015) A review paper: noise models in digital image processing. arXiv:1505.03489

  2. Carlini N, Wagner D (2017) Towards evaluating the robustness of neural networks. In: 2017 IEEE symposium on security and privacy (sp). IEEE, pp 39–57

  3. Creswell A, Bharath AA (2018) Denoising adversarial autoencoders. IEEE Trans Neural Netw Learn Syst 30(4):968–984

    Article  Google Scholar 

  4. Deng T, Zeng Z (2019) Generate adversarial examples by spatially perturbing on the meaningful area. Pattern Recogn Lett 125:632–638

    Article  Google Scholar 

  5. Diale M, Celik T, Van Der Walt C (2019) Unsupervised feature learning for spam email filtering. Comput Electr Eng 74:89–104

    Article  Google Scholar 

  6. Ding GW, Wang L, Jin X (2019) AdverTorch v0.1: an adversarial robustness toolbox based on pytorch. arXiv:1902.07623

  7. Dong Y, Liao F, Pang T, Su H, Zhu J, Hu X, Li J (2018) Boosting adversarial attacks with momentum. In: Proceedings of the IEEE conference on computer vision and pattern recognition, pp 9185–9193

  8. Ford N, Gilmer J, Carlini N, Cubuk D (2019) Adversarial examples are a natural consequence of test error in noise. arXiv:1901.10513

  9. Goodfellow IJ, Shlens J, Szegedy C (2014) Explaining and harnessing adversarial examples. arXiv:1412.6572

  10. Gu S, Rigazio L (2014) Towards deep neural network architectures robust to adversarial examples. arXiv:1412.5068

  11. Hashemi AS, Mozaffari S (2019) Secure deep neural networks using adversarial image generation and training with Noise-GAN. Comput Secur 86:372–387

    Article  Google Scholar 

  12. He Z, Rakin AS, Fan D (2019) Parametric noise injection: trainable randomness to improve deep neural network robustness against adversarial attack. In: Proceedings of the IEEE conference on computer vision and pattern recognition, pp 588–597

  13. He K, Zhang X, Ren S, Sun J (2016) Deep residual learning for image recognition. In: Proceedings of the IEEE conference on computer vision and pattern recognition, pp 770–778

  14. Hendrycks D, Dietterich TG (2018) Benchmarking neural network robustness to common corruptions and surface variations. arXiv:1807.01697

  15. Hu H, Li Y, Zhu Z, Zhou G (2018) CNNAuth: continuous authentication via two-stream convolutional neural networks. In: 2018 IEEE International conference on networking, architecture and storage (NAS). IEEE, pp 1–9

  16. Jeong JH, Kwon S, Hong M-P, Kwak J, Shon T (2019) Adversarial attack-based security vulnerability verification using deep learning library for multimedia video surveillance. Multimed Tools Applic, 1–15

  17. Karpathy A, et al. (2016) Cs231n convolutional neural networks for visual recognition. Neur Netw, 1(1)

  18. Khamparia A, Saini G, Pandey B, Tiwari S, Gupta D, Khanna A (2019) KDSAE: chronic kidney disease classification with multimedia data learning using deep stacked autoencoder network. Multimedia Tools and Applications, 1–16

  19. Kurakin A, Goodfellow I, Bengio S (2016) Adversarial examples in the physical world. arXiv:1607.02533

  20. Kurakin A, Goodfellow I, Bengio S, Dong Y, Liao F, Liang M, Pang T, Zhu J, Hu X, Xie C et al (2018) Adversarial attacks and defences competition. In: The NIPS’17 competition: building intelligent systems. Springer, pp 195–231

  21. Kwon H, Kim Y, Park K-W, Yoon H, Choi D (2018) Friend-safe evasion attack: an adversarial example that is correctly recognized by a friendly classifier. Comput Secur 78:380–397

    Article  Google Scholar 

  22. LeCun Y, Bottou L, Bengio Y, Haffner P (1998) Gradient-based learning applied to document recognition. Proc IEEE 86(11):2278–2324

    Article  Google Scholar 

  23. LeCun Y, Cortes C, Burges CJ (2010) MNIST handwritten digit database

  24. Li Y, Hu H, Zhu Z, Zhou G SCANet: sensor-based continuous authentication with two-stream convolutional neural networks. ACM Transactions on Sensor Networks (TOSN)

  25. Liu Y, Chen X, Liu C, Song D (2016) Delving into transferable adversarial examples and black-box attacks. arXiv:1611.02770

  26. Madry A, Makelov A, Schmidt L, Tsipras D, Vladu A (2017) Towards deep learning models resistant to adversarial attacks. arXiv:1706.06083

  27. Prakash A, Moran N, Garber S, DiLillo A, Storer J (2018) Deflecting adversarial attacks with pixel deflection. In: Proceedings of the IEEE conference on computer vision and pattern recognition, pp 8571–8580

  28. Song X, Rui T, Zhang S, Fei J, Wang X (2018) A road segmentation method based on the deep auto-encoder with supervised learning. Comput Electr Eng 68:381–388

    Article  Google Scholar 

  29. Spigler G (2019) Denoising autoencoders for overgeneralization in neural networks. IEEE Trans Pattern Anal Mach Intell 42(4):998–1004

    Article  Google Scholar 

  30. Szegedy C, Zaremba W, Sutskever I, Bruna J, Erhan D, Goodfellow I, Fergus R (2013) Intriguing properties of neural networks. arXiv:1312.6199

  31. Tramèr F, Kurakin A, Papernot N, Goodfellow I, Boneh D, McDaniel P (2017) Ensemble adversarial training: attacks and defenses. arXiv:1705.07204

  32. Vincent P, Larochelle H, Bengio Y, Manzagol P-A (2008) Extracting and composing robust features with denoising autoencoders. In: Proceedings of the 25th international conference on machine learning, pp 1096–1103

  33. Wei X, Wang H, Scotney B, Wan H (2020) Minimum margin loss for deep face recognition. Pattern Recogn 97:107012

    Article  Google Scholar 

  34. Xiao C, Zhu J-Y, Li B, He W, Liu M, Song D (2018) Spatially transformed adversarial examples. arXiv:1801.02612

  35. Xie C, Zhang Z, Zhou Z, Bai S, Wang J, Ren Z, Yuille AL (2019) Improving transferability of adversarial examples with input diversity. In: Proceedings of the IEEE conference on computer vision and pattern recognition, pp 2730–2739

Download references

Author information

Authors and Affiliations

  1. Faculty of Electrical and Computer Engineering, Semnan University, Semnan, Iran

    Atiye Sadat Hashemi & Saeed Mozaffari

Authors
  1. Atiye Sadat Hashemi
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Saeed Mozaffari
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Saeed Mozaffari.

Additional information

Publisher’s note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Hashemi, A.S., Mozaffari, S. CNN adversarial attack mitigation using perturbed samples training. Multimed Tools Appl 80, 22077–22095 (2021). https://doi.org/10.1007/s11042-020-10379-6

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11042-020-10379-6

Keywords

Search

Navigation