Regular Paper

Combining Innovative CVTNet and Regularization Loss for Robust Adversarial Defense

Laboratory of Public Big Data, School of Computer Science and Technology, Guizhou University, Guiyang 550025, China

Abstract

Deep neural networks (DNNs) are vulnerable to elaborately crafted and imperceptible adversarial perturbations. As adversarial attack methods continue to develop, existing defense algorithms can no longer defend against them reliably. Meanwhile, numerous studies have shown that the vision transformer (ViT) has stronger robustness and generalization performance than the convolutional neural network (CNN) in various domains. Moreover, because the standard denoiser is subject to the error amplification effect, the prediction network cannot correctly classify all reconstruction examples. Firstly, this paper proposes a defense network (CVTNet) that combines CNNs and ViTs and is placed in front of the prediction network. CVTNet can effectively eliminate adversarial perturbations and maintain high robustness. Furthermore, this paper proposes a regularization loss (LCPL), which optimizes CVTNet by computing different losses for the correct prediction set (CPS) and the wrong prediction set (WPS) of the reconstruction examples, respectively. Evaluation results on several standard benchmark datasets show that CVTNet achieves better robustness than other advanced methods. Compared with state-of-the-art algorithms, the proposed CVTNet defense improves the average accuracy on pixel-constrained attack examples generated on the CIFAR-10 dataset by 24.25% and on spatially-constrained attack examples by 14.06%. Moreover, CVTNet shows excellent generalizability in cross-model protection.
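The CPS/WPS split that LCPL relies on can be illustrated with a small NumPy example. This is an added illustration, not the paper's code: only the idea of partitioning reconstruction examples by whether the frozen prediction network classifies them correctly comes from the abstract; the linear stand-in classifier, the specific per-set loss terms (pixel MSE for CPS, pixel MSE plus cross-entropy for WPS), the weights and the sample data are all assumptions chosen here.

```python
import numpy as np

def predict_logits(W, x):
    # Assumed stand-in for the frozen prediction network: a linear classifier.
    # In the paper this would be the trained CNN/ViT that CVTNet protects.
    return x @ W

def partition_cps_wps(logits, y):
    # CPS = indices the prediction network already classifies correctly,
    # WPS = indices it still gets wrong after reconstruction.
    pred = logits.argmax(axis=1)
    return np.flatnonzero(pred == y), np.flatnonzero(pred != y)

def cross_entropy(logits, y):
    z = logits - logits.max(axis=1, keepdims=True)      # numerically stable softmax
    p = np.exp(z) / np.exp(z).sum(axis=1, keepdims=True)
    return -np.log(p[np.arange(len(y)), y] + 1e-12)

def lcpl_loss(x_rec, x_clean, y, W, lam_cps=1.0, lam_wps=2.0):
    """Assumed form of a CPS/WPS-split loss (not the paper's exact formula).

    CPS samples only need to stay close to the clean image (pixel MSE).
    WPS samples are additionally penalised for the residual classification
    error and weighted more heavily, so training focuses on the examples
    where the error amplification effect still fools the classifier.
    """
    logits = predict_logits(W, x_rec)
    cps, wps = partition_cps_wps(logits, y)
    loss_cps = float(np.mean((x_rec[cps] - x_clean[cps]) ** 2)) if cps.size else 0.0
    loss_wps = 0.0
    if wps.size:
        loss_wps = float(np.mean((x_rec[wps] - x_clean[wps]) ** 2)
                         + cross_entropy(logits[wps], y[wps]).mean())
    return lam_cps * loss_cps + lam_wps * loss_wps, cps, wps

def demo():
    # Constructed toy data: 2-D "images", 2 classes, identity classifier.
    W = np.eye(2)
    x_clean = np.array([[2.0, 0.0], [0.0, 2.0], [2.0, 0.0]])
    y = np.array([0, 1, 0])
    # Reconstructions: the first two are still classified correctly,
    # the third has been pushed across the decision boundary (class 0 -> 1).
    x_rec = np.array([[1.5, 0.5], [0.5, 1.5], [0.5, 1.5]])
    return lcpl_loss(x_rec, x_clean, y, W)

if __name__ == "__main__":
    total, cps, wps = demo()
    print(f"LCPL={total:.4f} CPS={cps.tolist()} WPS={wps.tolist()}")
```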

Electronic Supplementary Material

JCST-2306-13515-Highlights.pdf (618.1 KB)


Journal of Computer Science and Technology
Pages 1078-1093

Cite this article:
Wang W-D, Li Z, Zhang L. Combining Innovative CVTNet and Regularization Loss for Robust Adversarial Defense. Journal of Computer Science and Technology, 2024, 39(5): 1078-1093. https://doi.org/10.1007/s11390-024-3515-8


Received: 16 June 2023
Accepted: 10 April 2024
Published: 05 December 2024
© Institute of Computing Technology, Chinese Academy of Sciences 2024