Image Super-Resolution as a Defense Against Adversarial Attacks
Convolutional Neural Networks have achieved significant success across
multiple computer vision tasks. However, they are vulnerable to carefully
crafted, human-imperceptible adversarial noise patterns which constrain their
deployment in critical security-sensitive systems. This paper proposes a
computationally efficient image enhancement approach that provides a strong
defense mechanism to effectively mitigate the effect of such adversarial
perturbations. We show that deep image restoration networks learn mapping
functions that can bring off-the-manifold adversarial samples onto the natural
image manifold, thus restoring classification towards correct classes. A
distinguishing feature of our approach is that, in addition to providing
robustness against attacks, it simultaneously enhances image quality and
retains the model's performance on clean images. Furthermore, the proposed method
does not modify the classifier or require a separate mechanism to detect
adversarial images. The effectiveness of the scheme has been demonstrated
through extensive experiments, where it has proven a strong defense in gray-box
settings. The proposed scheme is simple and has the following advantages: (1)
it does not require any model training or parameter optimization, (2) it
complements other existing defense mechanisms, (3) it is agnostic to the
attacked model and attack type and (4) it provides superior performance across
all popular attack algorithms. Our codes are publicly available at
https://github.com/aamir-mustafa/super-resolution-adversarial-defense.
Comment: Published in IEEE Transactions in Image Processin
Defense against Adversarial Attacks Using High-Level Representation Guided Denoiser
Neural networks are vulnerable to adversarial examples, which poses a threat
to their application in security sensitive systems. We propose high-level
representation guided denoiser (HGD) as a defense for image classification.
A standard denoiser suffers from the error amplification effect, in which small
residual adversarial noise is progressively amplified and leads to wrong
classifications. HGD overcomes this problem by using a loss function defined as
the difference between the target model's outputs activated by the clean image
and denoised image. Compared with ensemble adversarial training which is the
state-of-the-art defending method on large images, HGD has three advantages.
First, with HGD as a defense, the target model is more robust to either
white-box or black-box adversarial attacks. Second, HGD can be trained on a
small subset of the images and generalizes well to other images and unseen
classes. Third, HGD can be transferred to defend models other than the one
guiding it. In the NIPS competition on defense against adversarial attacks, our HGD
solution won first place and outperformed other models by a large margin.
Generative Adversarial Perturbations
In this paper, we propose novel generative models for creating adversarial
examples, slightly perturbed images resembling natural images but maliciously
crafted to fool pre-trained models. We present trainable deep neural networks
for transforming images to adversarial perturbations. Our proposed models can
produce image-agnostic and image-dependent perturbations for both targeted and
non-targeted attacks. We also demonstrate that similar architectures can
achieve impressive results in fooling classification and semantic segmentation
models, obviating the need for hand-crafting attack methods for each task.
Using extensive experiments on challenging high-resolution datasets such as
ImageNet and Cityscapes, we show that our perturbations achieve high fooling
rates with small perturbation norms. Moreover, our attacks are considerably
faster than current iterative methods at inference time.
Comment: CVPR 2018, camera-ready versio