Attack-less adversarial training for a robust adversarial defense | Applied Intelligence

Abstract

Adversarial examples have recently proved effective at fooling deep neural networks. Many researchers have studied the problem by evaluating neural networks against their own attack techniques and by increasing the robustness of neural networks with their own defense techniques. To the best of our knowledge, adversarial training is one of the most effective defenses against adversarial examples. However, it cannot cope with new attacks, because it requires the attack technique to be available in the training phase. In this paper, we propose a novel defense technique, Attack-Less Adversarial Training (ALAT), which is independent of any attack technique and is therefore useful for preventing future attacks. Specifically, ALAT regenerates every pixel of an image into a different pixel value, which commonly eliminates the majority of the adversarial noise in an adversarial example. This pixel regeneration is useful as a defense because adversarial noise is the core problem that makes neural networks produce a high misclassification rate. Our experimental results on several benchmark datasets show that our method not only relieves the over-fitting issue that arises when neural networks are trained for a large number of epochs, but also boosts the robustness of the neural network.
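The abstract's central claim is that regenerating every pixel removes most of a small per-pixel perturbation. As an added illustration (not code from the paper or from the authors' repository), the block below measures that effect directly: it regenerates a clean image and its perturbed copy with the same per-pixel function and counts the pixels whose regenerated values still differ. The regeneration rule used here, snapping each intensity to the centre of a coarse bucket, is an assumed stand-in for illustration, not ALAT's own regeneration rule, which the abstract does not specify; the 8x8 grayscale image and the alternating +/-4 perturbation are constructed sample data.

```python
"""Measure how much of a small per-pixel perturbation survives a
per-pixel regeneration step (illustrative stand-in, not ALAT's rule)."""

STEP = 32  # width of each intensity bucket (assumed parameter)


def regenerate_pixel(value, step=STEP):
    """Hypothetical regeneration rule: map an 8-bit intensity to the
    centre of its bucket, so every pixel takes a new, coarser value."""
    bucket = min(value // step, 255 // step)
    return bucket * step + step // 2


def regenerate_image(img, step=STEP):
    """Apply the per-pixel rule to a 2-D list of intensities."""
    return [[regenerate_pixel(v, step) for v in row] for row in img]


def constructed_image(width=8, height=8):
    """Constructed sample: a smooth 8-bit gradient, not a real dataset image."""
    return [[(x * 32 + y * 7) % 256 for x in range(width)] for y in range(height)]


def constructed_perturbation(img, eps=4):
    """Constructed stand-in for a small L-infinity perturbation: a
    deterministic +/-eps checkerboard (no attack is run here)."""
    return [[eps if (x + y) % 2 == 0 else -eps
             for x in range(len(row))] for y, row in enumerate(img)]


def add_noise(img, noise):
    """Add the perturbation and clamp to the valid 8-bit range."""
    return [[max(0, min(255, v + n)) for v, n in zip(row, nrow)]
            for row, nrow in zip(img, noise)]


def surviving_noise_fraction(clean, perturbed, step=STEP):
    """Fraction of pixels whose regenerated value still differs between
    the clean and the perturbed image, i.e. where the noise survived."""
    clean_r = regenerate_image(clean, step)
    pert_r = regenerate_image(perturbed, step)
    total = sum(len(row) for row in clean)
    changed = sum(1 for r1, r2 in zip(clean_r, pert_r)
                  for a, b in zip(r1, r2) if a != b)
    return changed / total


if __name__ == "__main__":
    clean = constructed_image()
    perturbed = add_noise(clean, constructed_perturbation(clean))
    frac = surviving_noise_fraction(clean, perturbed)
    print(f"pixels still perturbed after regeneration: {frac:.4f}")
    print(f"pixels fully cleaned: {1 - frac:.4f}")
```

On the constructed input, the perturbation is erased on 52 of the 64 pixels (about 81%), while the 12 pixels lying within 4 intensity levels of a bucket boundary keep a changed value. That residue is the practical caveat for any regeneration-style defense: the fraction of surviving noise depends on how the perturbation lines up with the regeneration rule, so robustness figures should come from evaluation against attacks that are aware of the transformation, not from this kind of count alone.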


Notes

  1. We modify and extend the scripts from CleverHans. Our scripts are available at https://github.com/canboy123/alat.


Acknowledgements

This work was supported by Institute for Information and Communications Technology Promotion (IITP) grant funded by the Korea government (MSIT) (No.2018-0-00245, Development of prevention technology against AI dysfunction induced by deception attack).

Author information

Corresponding author

Correspondence to Dae-Ki Kang.

Ethics declarations

Conflict of Interests

The authors declare that they have no conflict of interest.


Cite this article

Ho, J., Lee, BG. & Kang, DK. Attack-less adversarial training for a robust adversarial defense. Appl Intell 52, 4364–4381 (2022). https://doi.org/10.1007/s10489-021-02523-y
