Get 20M+ Full-Text Papers For Less Than $1.50/day. Start a 14-Day Trial for You or Your Team.

Learn More →

(Compress and Restore)N: A Robust Defense Against Adversarial Attacks on Image Classification

(Compress and Restore)N: A Robust Defense Against Adversarial Attacks on Image Classification Modern image classification approaches often rely on deep neural networks, which have shown pronounced weakness to adversarial examples: images corrupted with specifically designed yet imperceptible noise that causes the network to misclassify. In this article, we propose a conceptually simple yet robust solution to tackle adversarial attacks on image classification. Our defense works by first applying a JPEG compression with a random quality factor; compression artifacts are subsequently removed by means of a generative model Artifact Restoration GAN. The process can be iterated ensuring the image is not degraded and hence the classification not compromised. We train different AR-GANs for different compression factors, so that we can change its parameters dynamically at each iteration depending on the current compression, making the gradient approximation difficult. We experiment with our defense against three white-box and two black-box attacks, with a particular focus on the state-of-the-art BPDA attack. Our method does not require any adversarial training, and is independent of both the classifier and the attack. Experiments demonstrate that dynamically changing the AR-GAN parameters is of fundamental importance to obtain significant robustness. http://www.deepdyve.com/assets/images/DeepDyve-Logo-lg.png ACM Transactions on Multimedia Computing Communications and Applications (TOMCCAP) Association for Computing Machinery

(Compress and Restore)N: A Robust Defense Against Adversarial Attacks on Image Classification

Download PDF
16 pages

Loading next page...
 
/lp/association-for-computing-machinery/compress-and-restore-n-a-robust-defense-against-adversarial-attacks-on-eOYwYbE9da
Publisher
Association for Computing Machinery
Copyright
Copyright © 2023 Copyright held by the owner/author(s). Publication rights licensed to ACM.
ISSN
1551-6857
eISSN
1551-6865
DOI
10.1145/3524619
Publisher site
See Article on Publisher Site

Abstract

Modern image classification approaches often rely on deep neural networks, which have shown pronounced weakness to adversarial examples: images corrupted with specifically designed yet imperceptible noise that causes the network to misclassify. In this article, we propose a conceptually simple yet robust solution to tackle adversarial attacks on image classification. Our defense works by first applying a JPEG compression with a random quality factor; compression artifacts are subsequently removed by means of a generative model Artifact Restoration GAN. The process can be iterated ensuring the image is not degraded and hence the classification not compromised. We train different AR-GANs for different compression factors, so that we can change its parameters dynamically at each iteration depending on the current compression, making the gradient approximation difficult. We experiment with our defense against three white-box and two black-box attacks, with a particular focus on the state-of-the-art BPDA attack. Our method does not require any adversarial training, and is independent of both the classifier and the attack. Experiments demonstrate that dynamically changing the AR-GAN parameters is of fundamental importance to obtain significant robustness.

Journal

ACM Transactions on Multimedia Computing Communications and Applications (TOMCCAP)Association for Computing Machinery

Published: Jan 23, 2023

Keywords: Adversarial attacks

References

  • Ntire 2017 challenge on single image super-resolution: Dataset and study
    [,
  • Threat of adversarial attacks on deep learning in computer vision: A survey
    [,
  • Square attack: A query-efficient black-box adversarial attack via random search
    [,
  • Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples
    [,
  • Synthesizing robust adversarial examples
    [,
  • Decision-based adversarial attacks: Reliable attacks against black-box machine learning models
    [,
  • On evaluating adversarial robustness
    [,
  • Towards evaluating the robustness of neural networks
    [,
  • CAS-CNN: A deep convolutional neural network for image compression artifact suppression
    [,
  • Query-efficient hard-label black-box attack: An optimization-based approach
    [,
  • Keeping the bad guys out: Protecting and vaccinating deep learning with jpeg compression
    [,
  • Shield: Fast, practical defense and vaccination for deep learning using jpeg compression
    [,
  • Stochastic activation pruning for robust adversarial defense
    [,
  • Compression artifacts reduction by a deep convolutional network
    [,
  • Benchmarking adversarial robustness on image classification
    [,
  • Boosting adversarial attacks with momentum
    [,
  • Evading defenses to transferable adversarial examples by translation-invariant attacks
    [,
  • Efficient decision-based black-box adversarial attacks on face recognition
    [,
  • A study of the effect of jpg compression on adversarial images
    [,
  • Deep generative adversarial compression artifact removal
    [,
  • Deep universal generative adversarial compression artifact removal
    [,
  • Explaining and harnessing adversarial examples
    [,
  • Countering Adversarial Images Using Input Transformations
    [,
  • Deep residual learning for image recognition
    [,
  • Mobilenets: Efficient convolutional neural networks for mobile vision applications
    [,
  • Densenet: Implementing efficient convnet descriptor pyramids
    [,
  • Black-box adversarial attacks with limited queries and information
    [,
  • Comdefend: An efficient image compression model to defend adversarial examples
    [,
  • Adam: A method for stochastic optimization
    [,
  • Adversarial examples in the physical world
    [,
  • DeepRobust: A PyTorch library for adversarial attacks and defenses
    [,
  • Nattack: Learning the distributions of adversarial examples for an improved black-box attack on deep neural networks
    [,
  • Defense against adversarial attacks using high-level representation guided denoiser
    [,
  • Towards robust neural networks via random self-ensemble
    [,
  • Feature distillation: Dnn-oriented jpeg compression against adversarial examples
    [,
  • Towards deep learning models resistant to adversarial attacks
    [,
  • Towards deep learning models resistant to adversarial attacks
    [,
  • Deepfool: A simple and accurate method to fool deep neural networks
    [,
  • Image super-resolution as a defense against adversarial attacks
    [,
  • Improving adversarial robustness via promoting ensemble diversity
    [,
  • Deflecting adversarial attacks with pixel deflection
    [,
  • Imagenet large scale visual recognition challenge
    [,
  • Defense-gan: Protecting classifiers against adversarial attacks using generative models
    [,
  • Compression artifacts removal using convolutional neural networks
    [,
  • Intriguing properties of neural networks
    [,
  • Ensemble adversarial training: Attacks and defenses
    [,
  • Adversarial risk and the dangers of evaluating against weak attacks
    [,
  • One man’s trash is another man’s treasure: Resisting adversarial examples by adversarial examples
    [,
  • Mitigating adversarial effects through randomization
    [,
  • Improving transferability of adversarial examples with input diversity
    [,
  • Feature squeezing: Detecting adversarial examples in deep neural networks
    [,