Low-cost adversarial example defense algorithm based on example preprocessing

doi:10.11772/j.issn.1001-9081.2023091249

Journal of Computer Applications ›› 2024, Vol. 44 ›› Issue (9): 2756-2762.DOI: 10.11772/j.issn.1001-9081.2023091249

• Cyber security • Previous Articles Next Articles

Low-cost adversarial example defense algorithm based on example preprocessing

Xiao CHEN¹^,², Yan CHANG¹^,²(), Danchen WANG³, Shibin ZHANG¹^,²

^1.School of Cybersecurity，Chengdu University of Information Technology，Chengdu Sichuan 610225，China
^2.Advanced Cryptography System Security Key Laboratory of Sichuan Province （Chengdu University of Information Technology），Chengdu Sichuan 610225，China
^3.Sichuan Digital Economy Research Center，Chengdu Sichuan 610021，China

Received:2023-10-23 Revised:2023-11-13 Accepted:2023-11-16 Online:2024-01-10 Published:2024-09-10
Contact: Yan CHANG
About author:CHEN Xiao， born in 1999， M. S. candidate. His research interests include adversarial examples.
WANG Danchen， born in 1983， Ph. D. Her research interests include data security， new infrastructure， digital economy.
ZHANG Shibin， born in 1971， Ph. D.， professor. His research interests include quantum computing， information security.
Supported by:
National Natural Science Foundation of China(62272068);Chengdu Key Research and Development Support Plan(2021-YF09-00114-GX)

基于样本预处理的低成本对抗样本防御算法

陈虓¹^,², 昌燕¹^,²(), 王丹琛³, 张仕斌¹^,²

^1.成都信息工程大学网络空间安全学院, 成都 610225
^2.先进密码技术与系统安全四川省重点实验室(成都信息工程大学), 成都 610225
^3.四川省数字经济研究中心, 成都 610021

通讯作者: 昌燕
作者简介:陈虓（1999—），男，四川成都人，硕士研究生，主要研究方向：对抗样本
昌燕（1979—），女，内蒙古阿拉善人，教授，博士，CCF会员，主要研究方向：量子计算、信息安全
王丹琛（1983—），女，甘肃兰州人，博士，主要研究方向：数据安全、新基建、数字经济
张仕斌（1971—），男，重庆人，教授，博士，CCF会员，主要研究方向：量子计算、信息安全。
基金资助:
国家自然科学基金资助项目(62272068);成都市重点研发支撑计划项目(2021-YF09-00114-GX)

Abstract

Abstract:

In order to defend against existing attacks on artificial intelligence algorithms （especially artificial neural networks） as much as possible， and reduce the additional costs， the rattan algorithm based on example preprocessing was proposed. By cutting the unimportant information part of the image， normalizing the neighboring pixel values and scaling image， the examples were preprocessed to destroy the adversarial disturbance and generate new examples with less threat to the model， ensuring high accuracy of model recognition. Experimental results show that the rattan algorithm can defend against some adversarial attacks against MNIST， CIFAR10 datasets and neural network models such as squeezenet1_1， mnasnet1_3 and mobilenet_v3_large with less overhead than similar algorithms， and the minimum example accuracy after defense can reach 88.50%； meanwhile， it does not reduce the example accuracy too much while processing clean examples， and the defense effect and defense cost are better than those of the comparison algorithms such as Fast Gradient Sign Method （FGSM） and Momentum Iterative Method （MIM）.

Key words: attack, defense, image scaling, image cutting, pixel value normalization

摘要：

为尽可能防御现有的各种针对人工智能算法（特别是人工神经网络）的攻击方法，同时降低由此带来的额外开销，提出基于样本预处理的藤牌算法。通过切割图像非重要信息部分、邻近像素值统一化和图像放缩3种方法对样本进行预处理，破坏对抗扰动，生成对模型威胁更小的新样本，以确保模型识别的高准确率。实验结果表明，藤牌算法可以在比同类算法开销更小的情况下，防御针对MNIST、CIFAR10数据集和squeezenet1_1、mnasnet1_3、mobilenet_v3_large神经网络模型的对抗攻击，防御后的样本准确率最低可达88.50%；同时在处理干净样本时也不会过多降低样本准确率，防御效果和防御成本都优于FGSM（Fast Gradient Sign Method）和MIM（Momentum Iterative Method）等对比算法。

关键词: 攻击, 防御, 图像放缩, 图像切割, 像素值统一化

CLC Number:

TP183

Xiao CHEN, Yan CHANG, Danchen WANG, Shibin ZHANG. Low-cost adversarial example defense algorithm based on example preprocessing[J]. Journal of Computer Applications, 2024, 44(9): 2756-2762.

陈虓, 昌燕, 王丹琛, 张仕斌. 基于样本预处理的低成本对抗样本防御算法[J]. 《计算机应用》唯一官方网站, 2024, 44(9): 2756-2762.

Figures/Tables 5

References 24

1	SZEGEDY C， ZAREMBA W， SUTSKEVER I， et al. Intriguing properties of neural networks ［EB/OL］. （2014-02-19）［2023-07-08］. .
2	PAPERNOT N， McDANIEL P， WU X， et al. Distillation as a defense to adversarial perturbations against deep neural networks［C］// Proceedings of the 2016 IEEE Symposium on Security and Privacy. Piscataway： IEEE， 2016： 582-597.
3	LIAO F， LIANG M， DONG Y， et al. Defense against adversarial attacks using high-level representation guided denoiser ［EB/OL］. （2018-05-08）［2023-06-02］. .
4	XIE C， WU Y， MAATEN L V D， et al. Feature denoising for improving adversarial robustness ［C］// Proceedings of the 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2019：501-509.
5	TRAMÈR F， KURAKIN A， PAPERNOT N， et al. Ensemble adversarial training： attacks and defenses ［EB/OL］. （2020-04-26）［2023-08-22］. .
6	FU Y， YU Q， LI M， et al. Double-Win-Quant： aggressively winning robustness of quantized deep neural networks via random precision training and inference ［C］// Proceedings of the 38th International Conference on Machine Learning. New York： PMLR，2021：3492-3504.
7	CROCE F， HEIN M. Provable robustness against all adversarial l_p -perturbations for p≥1 ［EB/OL］. ［2023-08-11］. .
8	XU W， EVANS D， QI Y. Feature squeezing： detecting adversarial examples in deep neural networks ［EB/OL］. ［2023-05-22］. .
9	KIRITANI T， ONO K. Recurrent attention model with log-polar mapping is robust against adversarial attacks ［EB/OL］. （2020-02-13）［2021-12-26］. .
10	SONG Y， KIM T， NOWOZIN S， et al. PixelDefend： leveraging generative models to understand and defend against adversarial examples ［EB/OL］. （2018-05-21）［2023-07-30］. .
11	YAN H， ZHANG J， NIU G， et al. CIFS： improving adversarial robustness of CNNs via channel-wise importance-based feature selection ［C］// Proceedings of the 38th International Conference on Machine Learning. New York： PMLR， 2021：11693-11703.
12	王丹妮，陈伟，羊洋，等. 基于高斯增强和迭代攻击的对抗训练防御方法［J］. 计算机科学，2021，48（6A）：509-513.
	WANG D N， CHEN W， YANG Y， et al. Defense method of adversarial training based on Gaussian enhancement and iterative attack ［J］. Computer Science，2021，48（6A）：509-513.
13	GOODFELLOW I J， SHLENS J， SZEGEDY C. Explaining and harnessing adversarial examples ［EB/OL］. （2015-03-20）［2023-06-25］. .
14	MADRY A， MAKELOV A， SCHMIDT L， et al. Towards deep learning models resistant to adversarial attacks ［EB/OL］. （2019-09-04）［2023-06-27］. .
15	MOOSAVI-DEZFOOLI S M， FAWZI A， FROSSARD P. DeepFool： a simple and accurate method to fool deep neural networks ［C］// Proceedings of the 2016 IEEE Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2016：2574-2582.
16	DONG Y， LIAO F， PANG T， et al. Boosting adversarial attacks with momentum ［C］// Proceedings of the 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2018： 9185-9193.
17	WANG Y， ZOU D， YI J， et al. Improving adversarial robustness requires revisiting misclassified examples ［EB/OL］. （2021-08-17）［2023-09-23］. .
18	SONG C， HE K， LIN J， et al. Robust local features for improving the generalization of adversarial training ［EB/OL］. （2020-02-02）［2023-08-09］. .
19	DAS N， SHANBHOGUE M， CHEN S T， et al. Keeping the bad guys out： protecting and vaccinating deep learning with JPEG compression ［EB/OL］. （2017-05-08）［2023-08-11］. .
20	PRAKASH A， MORAN N， GARBER S， et al. Deflecting adversarial attacks with pixel deflection ［C］// Proceedings of the 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2018：8571-8580.
21	SAMANGOUEI P， KABKAB M， CHELLAPPA R. Defense-GAN： protecting classifiers against adversarial attacks using generative models ［EB/OL］. （2018-05-18）［2023-08-22］. .
22	MENG D， CHEN H. MagNet： a two-pronged defense against adversarial examples ［EB/OL］. （2017-09-11）［2023-08-26］. .
23	王飞宇，张帆，杜加玉，等.基于图像降噪与压缩的对抗样本检测方法［J］.计算机工程， 2023，49（10）：230-238.
	WANG F Y， ZHANG F， DU J Y， et al. Adversarial examples detection method based on image denoising and compression ［J］. Computer Engineering， 2023，49（10）：230-238.
24	李沙沙，邢红杰.基于对抗样本和自编码器的鲁棒异常检测［J］.计算机科学，2024，51（5）：363-373.
	LI S S， XING H J. Robust anomaly detection based on antagonistic sample and autoencoder ［J］. Computer Science， 2024， 51（5）： 363-373.

数据集	模型	被攻击的样本准确率				经过藤牌算法修改过的样本准确率
数据集	模型	FGSM	PGD	DeepFool	MIM	FGSM	PGD	DeepFool	MIM	Clean
CIFAR10	mobilenet_v3_large	11.32	0.00	33.28	0.00	89.27	94.34	94.77	84.24	99.32
	mnasnet1_3	13.86	0.00	21.47	0.00	88.12	94.67	95.40	84.33	98.59
	squeezenet1_1	12.33	10.45	35.94	10.44	93.19	93.79	94.44	90.16	97.14
MNIST	mobilenet_v3_large	3.52	0.00	9.38	0.00	94.27	88.52	84.24	81.66	91.91
	mnasnet1_3	11.47	6.95	—	—	88.90	84.93	—	—	88.50
	squeezenet1_1	11.56	0.00	12.80	0.03	94.37	92.01	93.12	95.50	91.83

数据集	模型	被攻击的样本准确率				经过藤牌算法修改过的样本准确率
数据集	模型	FGSM	PGD	DeepFool	MIM	FGSM	PGD	DeepFool	MIM	Clean
CIFAR10	mobilenet_v3_large	11.32	0.00	33.28	0.00	89.27	94.34	94.77	84.24	99.32
	mnasnet1_3	13.86	0.00	21.47	0.00	88.12	94.67	95.40	84.33	98.59
	squeezenet1_1	12.33	10.45	35.94	10.44	93.19	93.79	94.44	90.16	97.14
MNIST	mobilenet_v3_large	3.52	0.00	9.38	0.00	94.27	88.52	84.24	81.66	91.91
	mnasnet1_3	11.47	6.95	—	—	88.90	84.93	—	—	88.50
	squeezenet1_1	11.56	0.00	12.80	0.03	94.37	92.01	93.12	95.50	91.83

防御算法	数据集	攻击算法	样本准确率		是否需要额外开销
防御算法	数据集	攻击算法	防御前的攻击样本	防御后的攻击样本	是否需要额外开销
文献［2］算法	MNIST	—	4.11	99.55	是，需要额外训练一个蒸馏模型
文献［2］算法	CIFAR10	—	12.11	94.89	是，需要额外训练一个蒸馏模型
文献［5］算法	MNIST	FGSM	29.60	88.20~94.00	是，需要使用额外的对抗数据对当前被防御模型进行额外训练
文献［7］算法	MNIST	—	—	81.68~90.34	是，需要对被防御模型的具体结构进行修改，然后重新训练
文献［7］算法	CIFAR10	—	—	68.25~66.74	是，需要对被防御模型的具体结构进行修改，然后重新训练
文献［10］算法	CIFAR10	FGSM	35.86	79.34	是，需要设计并训练一个重构网络
文献［10］算法	CIFAR10	DeepFool	6.52	86.95	是，需要设计并训练一个重构网络
文献［11］算法	CIFAR10	FGSM	65.17	69.60	是，需要改变模型结构，然后重新对被防御模型进行对抗训练
文献［11］算法	CIFAR10	PGD	52.88~55.13	57.59~60.58	是，需要改变模型结构，然后重新对被防御模型进行对抗训练
文献［12］算法	CIFAR10	FGSM	18.84~37.37	72.28~83.34	是，需要对模型进行额外的对抗训练
文献［12］算法	CIFAR10	DeepFool	1.28	49.79	是，需要对模型进行额外的对抗训练
藤牌算法	MNIST	—	0.00	92.01	额外开销极低，趋近于无
	MNIST	FGSM	3.52	94.27
	CIFAR10	—	0.00	94.67
		FGSM	12.33	93.19
		DeepFool	21.47	95.40

防御算法	数据集	攻击算法	样本准确率		是否需要额外开销
防御算法	数据集	攻击算法	防御前的攻击样本	防御后的攻击样本	是否需要额外开销
文献［2］算法	MNIST	—	4.11	99.55	是，需要额外训练一个蒸馏模型
文献［2］算法	CIFAR10	—	12.11	94.89	是，需要额外训练一个蒸馏模型
文献［5］算法	MNIST	FGSM	29.60	88.20~94.00	是，需要使用额外的对抗数据对当前被防御模型进行额外训练
文献［7］算法	MNIST	—	—	81.68~90.34	是，需要对被防御模型的具体结构进行修改，然后重新训练
文献［7］算法	CIFAR10	—	—	68.25~66.74	是，需要对被防御模型的具体结构进行修改，然后重新训练
文献［10］算法	CIFAR10	FGSM	35.86	79.34	是，需要设计并训练一个重构网络
文献［10］算法	CIFAR10	DeepFool	6.52	86.95	是，需要设计并训练一个重构网络
文献［11］算法	CIFAR10	FGSM	65.17	69.60	是，需要改变模型结构，然后重新对被防御模型进行对抗训练
文献［11］算法	CIFAR10	PGD	52.88~55.13	57.59~60.58	是，需要改变模型结构，然后重新对被防御模型进行对抗训练
文献［12］算法	CIFAR10	FGSM	18.84~37.37	72.28~83.34	是，需要对模型进行额外的对抗训练
文献［12］算法	CIFAR10	DeepFool	1.28	49.79	是，需要对模型进行额外的对抗训练
藤牌算法	MNIST	—	0.00	92.01	额外开销极低，趋近于无
	MNIST	FGSM	3.52	94.27
	CIFAR10	—	0.00	94.67
		FGSM	12.33	93.19
		DeepFool	21.47	95.40

[1]	Jiepo FANG, Chongben TAO. Hybrid internet of vehicles intrusion detection system for zero-day attacks [J]. Journal of Computer Applications, 2024, 44(9): 2763-2769.
[2]	Ying YANG, Xiaoyan HAO, Dan YU, Yao MA, Yongle CHEN. Graph data generation approach for graph neural network model extraction attacks [J]. Journal of Computer Applications, 2024, 44(8): 2483-2492.
[3]	Zhongdai WU, Dezhi HAN, Haibao JIANG, Cheng FENG, Bing HAN, Chongqing CHEN. Review of marine ship communication cybersecurity [J]. Journal of Computer Applications, 2024, 44(7): 2123-2136.
[4]	Zhi ZHANG, Xin LI, Naifu YE, Kaixi HU. DKP： defending against model stealing attacks based on dark knowledge protection [J]. Journal of Computer Applications, 2024, 44(7): 2080-2086.
[5]	Zihao YAO, Yuanming LI, Ziqiang MA, Yang LI, Lianggen WEI. Multi-object cache side-channel attack detection model based on machine learning [J]. Journal of Computer Applications, 2024, 44(6): 1862-1871.
[6]	Wei LUO, Jinquan LIU, Zheng ZHANG. Dual vertical federated learning framework incorporating secret sharing technology [J]. Journal of Computer Applications, 2024, 44(6): 1872-1879.
[7]	Jinfu WU, Yi LIU. Fast adversarial training method based on random noise and adaptive step size [J]. Journal of Computer Applications, 2024, 44(6): 1807-1815.
[8]	Xuebin CHEN, Zhiqiang REN, Hongyang ZHANG. Review on security threats and defense measures in federated learning [J]. Journal of Computer Applications, 2024, 44(6): 1663-1672.
[9]	Haoran WANG, Dan YU, Yuli YANG, Yao MA, Yongle CHEN. Domain transfer intrusion detection method for unknown attacks on industrial control systems [J]. Journal of Computer Applications, 2024, 44(4): 1158-1165.
[10]	Honglei YAO, Jiqiang LIU, Endong TONG, Wenjia NIU. Network security risk assessment method for CTCS based on α-cut triangular fuzzy number and attack tree [J]. Journal of Computer Applications, 2024, 44(4): 1018-1026.
[11]	Haihan WANG, Yan ZHU. Offensive speech detection with irony mechanism [J]. Journal of Computer Applications, 2024, 44(4): 1065-1071.
[12]	Jie WANG, Hua MENG. Image classification algorithm based on overall topological structure of point cloud [J]. Journal of Computer Applications, 2024, 44(4): 1107-1113.
[13]	Keshuo SUN, Haiying GAO, Yang SONG. Multi-authority attribute-based encryption scheme for private blockchain over public blockchain [J]. Journal of Computer Applications, 2024, 44(12): 3699-3708.
[14]	Yifei SONG, Yi LIU. Fast adversarial training method based on data augmentation and label noise [J]. Journal of Computer Applications, 2024, 44(12): 3798-3807.
[15]	Xuebin CHEN, Changsheng QU. Overview of backdoor attacks and defense in federated learning [J]. Journal of Computer Applications, 2024, 44(11): 3459-3469.

Low-cost adversarial example defense algorithm based on example preprocessing

基于样本预处理的低成本对抗样本防御算法

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 5

References 24

Related Articles 15

Recommended Articles

Metrics