Abstract
Susceptibility to adversarial examples is one of the major concerns in convolutional neural network (CNN) applications. Training the model with adversarial examples, known as adversarial training, is a common countermeasure against such attacks. In practice, however, defenders do not know how the attacker generates adversarial examples. It is therefore important to use more general alternatives that intrinsically improve the robustness of models. For this purpose, we train CNNs with perturbed samples that have been manipulated by various transformations and contaminated by different kinds of noise, in order to foster robustness of the networks against adversarial attacks. This idea derives from the observation that both adversarial and noisy samples undermine classifier accuracy. We propose the combination of a convolutional denoising autoencoder with a classifier (CDAEC) as a defensive structure. The proposed method does not add to the computational cost. Experimental results on the MNIST database demonstrate that the accuracy of a CDAEC trained on perturbed samples against adversarial attacks was more than 71.29%.
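The defensive idea in the abstract is that the defender, not knowing the attacker's method, trains on generic perturbations (transformations plus noise) instead of attacker-specific adversarial examples, and that a denoising autoencoder in front of the classifier learns to map perturbed inputs back toward clean ones. The following is an added example, not code from the paper, showing how such (perturbed, clean, label) training triples are built; the particular noise types, their parameters, the 8x8 toy image and the function names are constructed here for illustration, since the page does not state the paper's exact perturbation set.

```python
"""Build (perturbed, clean, label) training triples for a denoising
autoencoder + classifier defence. The autoencoder is trained to map
perturbed -> clean, the classifier to map clean -> label.
Constructed example: noise types, parameters and the toy image are
assumptions, not the paper's own settings."""
import random
from typing import Callable, Dict, List, Tuple

Image = List[List[float]]          # row-major grayscale, pixels in [0, 1]
Triple = Tuple[Image, Image, int]  # (perturbed, clean, label)


def make_rng(seed: int) -> random.Random:
    """Seeded generator so that augmentation is reproducible."""
    return random.Random(seed)


def clip01(v: float) -> float:
    """Keep a pixel inside the valid intensity range after perturbation."""
    return min(1.0, max(0.0, v))


def add_gaussian_noise(img: Image, rng: random.Random, sigma: float = 0.3) -> Image:
    """Additive zero-mean Gaussian noise, clipped back to [0, 1]."""
    return [[clip01(p + rng.gauss(0.0, sigma)) for p in row] for row in img]


def add_salt_pepper(img: Image, rng: random.Random, amount: float = 0.2) -> Image:
    """Impulse noise: each pixel becomes 0 or 1 with probability `amount`."""
    out = []
    for row in img:
        new_row = []
        for p in row:
            r = rng.random()
            if r < amount / 2:
                new_row.append(0.0)       # pepper
            elif r < amount:
                new_row.append(1.0)       # salt
            else:
                new_row.append(p)         # untouched
        out.append(new_row)
    return out


def translate(img: Image, dx: int, dy: int) -> Image:
    """Shift the image by (dx, dy) pixels, filling vacated pixels with 0."""
    h, w = len(img), len(img[0])
    out = [[0.0] * w for _ in range(h)]
    for y in range(h):
        for x in range(w):
            sy, sx = y - dy, x - dx
            if 0 <= sy < h and 0 <= sx < w:
                out[y][x] = img[sy][sx]
    return out


def scale_contrast(img: Image, factor: float) -> Image:
    """Multiply intensities by `factor` (a simple photometric transform)."""
    return [[clip01(p * factor) for p in row] for row in img]


# Assumed perturbation set: each entry takes (image, rng) and returns an image.
PERTURBATIONS: Dict[str, Callable[[Image, random.Random], Image]] = {
    "gaussian": lambda img, rng: add_gaussian_noise(img, rng),
    "salt_pepper": lambda img, rng: add_salt_pepper(img, rng),
    "shift": lambda img, rng: translate(img, rng.choice([-1, 1]), rng.choice([-1, 1])),
    "contrast": lambda img, rng: scale_contrast(img, rng.uniform(0.5, 1.0)),
}


def perturb(img: Image, kind: str, rng: random.Random) -> Image:
    """Apply one named perturbation; unknown names are a caller error."""
    return PERTURBATIONS[kind](img, rng)


def build_training_set(dataset: List[Tuple[Image, int]],
                       kinds: List[str], seed: int = 0) -> List[Triple]:
    """One triple per (sample, perturbation kind). The clean image is the
    reconstruction target for the autoencoder; the label is for the classifier."""
    rng = make_rng(seed)
    triples: List[Triple] = []
    for img, label in dataset:
        for kind in kinds:
            triples.append((perturb(img, kind, rng), img, label))
    return triples


def toy_digit() -> Image:
    """Constructed 8x8 stand-in for an MNIST digit: a vertical bar ('1')."""
    return [[1.0 if (1 <= y <= 6 and x in (3, 4)) else 0.0 for x in range(8)]
            for y in range(8)]


if __name__ == "__main__":
    triples = build_training_set([(toy_digit(), 1)], list(PERTURBATIONS), seed=0)
    for (noisy, clean, label), kind in zip(triples, PERTURBATIONS):
        diff = sum(abs(a - b) for nr, cr in zip(noisy, clean) for a, b in zip(nr, cr))
        print(f"{kind:12s} label={label} total abs change={diff:.2f}")
```

In use, the `perturbed` images are fed to the denoising autoencoder with `clean` as the reconstruction target, and the autoencoder output (or the clean image) goes to the classifier with `label`; since no adversarial attack is run during training, the augmentation cost is just these cheap per-pixel operations.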
Notes
DFOBM, GBM and TM refer, respectively, to the average over the LBFGS and CW attacks, the average over the FGSM, MI-FGSM and PGD attacks, and the STM attack.
Cite this article
Hashemi, A.S., Mozaffari, S. CNN adversarial attack mitigation using perturbed samples training. Multimed Tools Appl 80, 22077–22095 (2021). https://doi.org/10.1007/s11042-020-10379-6