DOI: 10.1145/3219819.3219910 (research article, public access)

SHIELD: Fast, Practical Defense and Vaccination for Deep Learning using JPEG Compression

Published: 19 July 2018

Abstract

The rapidly growing body of research in adversarial machine learning has demonstrated that deep neural networks (DNNs) are highly vulnerable to adversarially generated images. This underscores the urgent need for practical defense techniques that can be readily deployed to combat attacks in real-time. Observing that many attack strategies aim to perturb image pixels in ways that are visually imperceptible, we place JPEG compression at the core of our proposed SHIELD defense framework, utilizing its capability to effectively "compress away" such pixel manipulation. To immunize a DNN model from artifacts introduced by compression, SHIELD "vaccinates" the model by retraining it with compressed images, where different compression levels are applied to generate multiple vaccinated models that are ultimately used together in an ensemble defense. On top of that, SHIELD adds an additional layer of protection by employing randomization at test time that compresses different regions of an image using random compression levels, making it harder for an adversary to estimate the transformation performed. This novel combination of vaccination, ensembling, and randomization makes SHIELD a fortified multi-pronged defense. We conducted extensive, large-scale experiments using the ImageNet dataset, and show that our approaches eliminate up to 98% of gray-box attacks delivered by strong adversarial techniques such as Carlini-Wagner's L2 attack and DeepFool. Our approaches are fast and work without requiring knowledge about the model.
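The test-time randomization the abstract describes, as an added illustration that is not the paper's own code: each 8x8 region of a grayscale image is run through JPEG's DCT and quantization at a quality level drawn at random, so a constructed +/-1 checkerboard perturbation on a flat patch (a stand-in for an imperceptible adversarial perturbation) is compressed away. The quality set (20, 40, 60, 80), the list-of-rows image format with sides that are multiples of 8, and the function names are assumptions; entropy coding is omitted because it is lossless and does not change pixel values.

```python
import math
import random

# Standard JPEG luminance quantisation table (ITU-T T.81, Annex K).
BASE_TABLE = [
    [16, 11, 10, 16, 24, 40, 51, 61], [12, 12, 14, 19, 26, 58, 60, 55],
    [14, 13, 16, 24, 40, 57, 69, 56], [14, 17, 22, 29, 51, 87, 80, 62],
    [18, 22, 37, 56, 68, 109, 103, 77], [24, 35, 55, 64, 81, 104, 113, 92],
    [49, 64, 78, 87, 103, 121, 120, 101], [72, 92, 95, 98, 112, 100, 103, 99],
]
COS = [[math.cos((2 * x + 1) * u * math.pi / 16) for u in range(8)] for x in range(8)]
C = [1 / math.sqrt(2)] + [1.0] * 7  # DCT-II normalisation factors, indexed by frequency

def quant_table(quality):
    """IJG scaling of the base table: lower quality gives coarser quantisation steps."""
    s = 5000 // quality if quality < 50 else 200 - 2 * quality
    return [[min(255, max(1, (q * s + 50) // 100)) for q in row] for row in BASE_TABLE]

def compress_block(block, quality):
    """Round-trip one 8x8 block through JPEG's DCT + quantisation at `quality`."""
    table, shifted = quant_table(quality), [[p - 128 for p in row] for row in block]
    coef = [[0.25 * C[u] * C[v] * sum(shifted[x][y] * COS[x][u] * COS[y][v]
                                      for x in range(8) for y in range(8))
             for v in range(8)] for u in range(8)]
    # Quantise, then dequantise: any coefficient below half a step collapses to zero,
    # which is exactly where a small high-frequency pixel perturbation lives.
    deq = [[round(coef[u][v] / table[u][v]) * table[u][v] for v in range(8)] for u in range(8)]
    rec = [[0.25 * sum(C[u] * C[v] * deq[u][v] * COS[x][u] * COS[y][v]
                       for u in range(8) for v in range(8))
            for y in range(8)] for x in range(8)]
    return [[min(255, max(0, round(p + 128))) for p in row] for row in rec]

def randomized_region_compress(image, qualities=(20, 40, 60, 80), rng=random):
    """Randomised region-wise compression: every 8x8 region gets its own random quality.
    Assumption: a grayscale image given as a list of rows, sides multiples of 8."""
    out = [row[:] for row in image]
    for by in range(0, len(image), 8):
        for bx in range(0, len(image[0]), 8):
            block = [image[by + i][bx:bx + 8] for i in range(8)]
            rec = compress_block(block, rng.choice(qualities))
            for i in range(8):
                out[by + i][bx:bx + 8] = rec[i]
    return out

def max_abs_diff(a, b):
    return max(abs(p - q) for ra, rb in zip(a, b) for p, q in zip(ra, rb))

# Constructed sample: a flat 16x16 patch and the same patch with a +/-1 checkerboard
CLEAN = [[128] * 16 for _ in range(16)]
ADV = [[128 + (1 if (x + y) % 2 == 0 else -1) for y in range(16)] for x in range(16)]
```

Running `max_abs_diff(randomized_region_compress(ADV), CLEAN)` on the sample gives 0: every quality in the set quantises the checkerboard's coefficients to zero, while a flat region of a different grey level survives the round trip within rounding error.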


Published In

KDD '18: Proceedings of the 24th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining
July 2018, 2925 pages
ISBN: 9781450355520
DOI: 10.1145/3219819
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. JPEG compression
2. adversarial machine learning
3. deep learning
4. ensemble defense
5. machine learning security

Qualifiers: research article

Conference: KDD '18

Acceptance Rates

KDD '18 paper acceptance rate: 107 of 983 submissions, 11%
Overall acceptance rate: 1,133 of 8,635 submissions, 13%
