Improving robustness with image filtering

Published: 25 September 2024

Abstract

Adversarial robustness is one of the most challenging problems in Deep Learning and Computer Vision research. State-of-the-art techniques to enforce robustness are based on Adversarial Training, a computationally costly optimization procedure. For this reason, many alternative solutions have been proposed, but none proved effective under stronger or adaptive attacks. This paper presents Image-Graph Extractor (IGE), a new image filtering scheme that extracts the fundamental nodes of an image and their connections through a graph structure. By utilizing the IGE representation, we have developed a new defense technique, Filtering as a Defense, which prevents attackers from creating malicious patterns that can deceive image classifiers. Moreover, we show that data augmentation with filtered images effectively improves the model’s robustness to data corruptions. We validate our techniques on Convolutional Neural Networks on CIFAR-10, CIFAR-100, and ImageNet.



Published In

Neurocomputing, Volume 596, Issue C
Sep 2024
611 pages

Publisher

Elsevier Science Publishers B. V.

Netherlands

Author Tags

  1. Robustness
  2. Adversarial attacks and defenses
  3. Adversarial training
  4. Deep Neural Networks

Qualifiers

  • Research-article
