An end-to-end convolutional network for joint detecting and denoising adversarial perturbations in vehicle classification

Peng Liu; Huiyuan Fu; Huadong Ma

doi:10.1007/s41095-021-0202-3

Computational Visual Media 2021, 7(2): 217-227 https://doi.org/10.1007/s41095-021-0202-3

Research Article |

Open Access | Issue | Published: 25 January 2021

An end-to-end convolutional network for joint detecting and denoising adversarial perturbations in vehicle classification

Show Author's Information Hide Author's Information Peng Liu^¹, Huiyuan Fu^¹(

), Huadong Ma^¹

1Beijing Key Laboratory of Intelligent Telecommunications Software and Multimedia, Beijing University of Posts and Telecommunications, Beijing 100876, China

Keywords:

deep learning, adversarial defense, adversarial detection, vehicle classification

Cite this article:

Liu P, Fu H, Ma H. An end-to-end convolutional network for joint detecting and denoising adversarial perturbations in vehicle classification. Computational Visual Media, 2021, 7(2): 217-227. https://doi.org/10.1007/s41095-021-0202-3

Download citation

EndNote(RIS)

BibTeX

769

Views

Downloads

Citations

Crossref

WoS

Scopus

CSCD

Abstract Full text About this article

Abstract

Deep convolutional neural networks (DCNNs)have been widely deployed in real-world scenarios. However, DCNNs are easily tricked by adversarial examples, which present challenges for critical app-lications, such as vehicle classification. To address this problem, we propose a novel end-to-end convolutional network for joint detection and removal of adversarial perturbations by denoising (DDAP). It gets rid of adversarial perturbations using the DDAP denoiser based on adversarial examples discovered by the DDAP detector. The proposed method can be regarded as a pre-processing step—it does not require modifying the structure of the vehicle classification model and hardly affects the classification results on clean images. We consider four kinds of adversarial attack (FGSM, BIM, DeepFool, PGD) to verify DDAP’s capabilities when trained on BIT-Vehicle and other public datasets. It provides better defense than other state-of-the-art defensive methods.

Full text

Abstract

Full text

Outline

About this article

An end-to-end convolutional network for joint detecting and denoising adversarial perturbations in vehicle classification

Show Author's information Hide Author's Information Peng Liu^¹, Huiyuan Fu^¹(

), Huadong Ma^¹

1Beijing Key Laboratory of Intelligent Telecommunications Software and Multimedia, Beijing University of Posts and Telecommunications, Beijing 100876, China

Abstract

Keywords: deep learning, adversarial defense, adversarial detection, vehicle classification

References(36)

[1]

Fu, H. Y.; Ma, H. D.; Wang, G. Y.; Zhang, X. M.; Zhang, Y. F. MCFF-CNN: Multiscale comprehensive feature fusion convolutional neural network for vehicle color recognition based on residual learning. Neurocomputing Vol. 395, 178-187, 2020.

DOI Google Scholar

[2]

He, K. M.; Zhang, X. Y.; Ren, S. Q.; Sun, J. Deep residual learning for image recognition. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 770-778, 2016.

[3]

Szegedy, C.; Vanhoucke, V.; Ioffe, S.; Shlens, J.; Wojna, Z. Rethinking the inception architecture for computer vision. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2818-2826, 2016.

DOI

[4]

Oh, M.; Cha, B.; Bae, I.; Choi, G.; Lim, Y. An urban autodriving algorithm based on a sensor-weighted integration field with deep learning. Electronics Vol. 9, No. 1, 158, 2020.

DOI Google Scholar

[5]

Ronneberger, O.; Fischer, P.; Brox, T. U-Net: Con-volutional networks for biomedical image segmentation. In: Medical Image Computing and Computer-Assisted Intervention - MICCAI 2015. Lecture Notes in Computer Science, Vol. 9351. Navab, N.; Hornegger, J.; Wells, W.; Frangi, A. Eds. Springer Cham, 234-241, 2015.

DOI

[6]

Liu, X. C.; Liu, W.; Ma, H. D.; Fu, H. Y. Large-scale vehicle re-identification in urban surveillance videos. In: Proceedings of the IEEE International Conference on Multimedia and Expo, 1-6, 2016.

DOI

[7]

Zhuo, L.; Jiang, L. Y.; Zhu, Z. Q.; Li, J. F.; Zhang, J.; Long, H. X. Vehicle classification for large-scale traffic surveillance videos using Convolutional Neural Networks. Machine Vision and Applications Vol. 28, No. 7, 793-802, 2017.

DOI Google Scholar

[8]

Won, M. Intelligent traffic monitoring systems for vehicle classification: A survey. IEEE Access Vol. 8, 73340-73358, 2020.

DOI Google Scholar

[9]

Kurakin, A.; Goodfellow, I.; Bengio, S. Adversarial examples in the physical world. arXiv preprint arXiv:1607.02533, 2016.

Google Scholar

[10]

Liu, Y.; Chen, X.; Liu, C.; Song, D. Delving intotransferable adversarial examples and black-box attacks. arXiv preprint arXiv:1611.02770, 2016.

Google Scholar

[11]

Papernot, N.; McDaniel, P.; Jha, S.; Fredrikson, M.; Celik, Z. B.; Swami, A. The limitations of deep learning in adversarial settings. In: Proceedings of the IEEE European Symposiumon Security and Privacy, 372-387, 2016.

DOI

[12]

Carrara, F.; Falchi, F.; Caldelli, R.; Amato, G.; Fumarola, R.; Becarelli, R. Detecting adversarial example attacks to deep neural networks. In: Proceedings of the 15th International Workshop on Content-based Multimedia Indexing, Article No. 38, 2017.

DOI

[13]

Guo, F.; Zhao, Q. J.; Li, X.; Kuang, X. H.; Zhang, J. W.; Han, Y. H.; Tan, Y.-a. Detecting adversarial examples via prediction difference for deep neural networks. Information Sciences Vol. 501, 182-192, 2019.

DOI Google Scholar

[14]

Rakin, A. S.; Fan, D. L. Defense-net: Defend against a wide range of adversarial attacks through adversarial detector. In: Proceedings of the IEEE Computer Society Annual Symposium on VLSI, 332-337, 2019.

DOI

[15]

Liao, F. Z.; Liang, M.; Dong, Y. P.; Pang, T.; Hu, X. L.; Zhu, J. Defense against adversarial attacks using high-level representation guided denoiser. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 1778-1787, 2018.

DOI

[16]

Mustafa, A.; Khan, S. H.; Hayat, M.; Shen, J. B.; Shao, L. Image super-resolution as a defense against adversarial attacks. IEEE Transactions on Image Processing Vol. 29, 1711-1724, 2020.

DOI Google Scholar

[17]

Prakash, A.; Moran, N.; Garber, S.; DiLillo, A.; Storer, J. Detecting adversarial attacks with pixel detection. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 8571-8580, 2018.

DOI

[18]

Xie, C. H.; Wu, Y. X.; van der Maaten, L.; Yuille, A. L.; He, K. M. Feature denoising for improving adversarial robustness. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 501-509, 2019.

DOI

[19]

Szegedy, C.; Zaremba, W.; Sutskever, I.; Bruna, J.; Erhan, D.; Goodfellow, I.; Fergus, R. Intriguing pro-perties of neural networks. arXiv preprint arXiv:1312.6199, 2013.

Google Scholar

[20]

Goodfellow, I. J.; Shlens, J.; Szegedy, C. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572, 2014.

Google Scholar

[21]

Moosavi-Dezfooli, S. M.; Fawzi, A.; Frossard, P. DeepFool: A simple and accurate method to fool deep neural networks. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2574-2582, 2016.

DOI

[22]

Madry, A.; Makelov, A.; Schmidt, L.; Tsipras, D.; Vladu, A. Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083, 2017.

Google Scholar

[23]

Metzen, J. H.; Genewein, T.; Fischer, V.; Bischofi, B. On detecting adversarial perturbations. arXiv preprint arXiv:1702.04267, 2017.

Google Scholar

[24]

Feinman, R.; Curtin, R. R.; Shintre, S.; Gardner, A. B. Detecting adversarial samples from artifacts. arXiv preprint arXiv:1703.00410, 2017.

Google Scholar

[25]

Liang, B.; Li, H. C.; Su, M. Q.; Li, X. R.; Shi, W. C.; Wang, X. F. Detecting adversarial image examples in deep neural networks with adaptive noise reduction. IEEE Transactions on Dependable and Secure Computing Vol. 18, No. 1, 72-85, 2019.

DOI Google Scholar

[26]

Papernot, N.; McDaniel, P.; Wu, X.; Jha, S.; Swami, A. Distillation as a defense to adversarial perturbations against deep neural networks. In: Proceedings of the IEEE Symposium on Security and Privacy, 582-597, 2016.

DOI

[27]

Carlini, N.; Wagner, D. Towards evaluating the robustness of neural networks. In: Proceedings of the IEEE Symposium on Security and Privacy, 39-57, 2017.

DOI

[28]

Samangouei, P.; Kabkab, M.; Chellappa, R. Defense-GAN: Protecting classifiers against adversarial attacks using generative models. arXiv preprint arXiv:1805.06605, 2018.

Google Scholar

[29]

LeCun, Y.; Bottou, L.; Bengio, Y.; Haffner, P. Gradient-based learning applied to document recognition. Proceedings of the IEEE Vol. 86, No. 11, 2278-2324, 1998.

DOI Google Scholar

[30]

Santhanam G. K.; Grnarova, P. Defending against adversarial attacks by leveraging an entire GAN. arXiv preprint arXiv:1805.10652, 2018.

Google Scholar

[31]

Howard, A. G.; Zhu, M.; Chen, B.; Kalenichenko, D.; Wang, W.; Weyand, T.; Andreetto, M.; Adam, H. MobileNets: Efficient convolutional neural networks for mobile vision applications. arXiv preprint arXiv:1704.04861, 2017.

Google Scholar

[32]

Vincent, P.; Larochelle, H.; Bengio, Y.; Manzagol, P. A. Extracting and composing robust features with denoising auto encoders. In: Proceedings of the 25th International Conference on Machine Learning, 1096-1103, 2008.

DOI

[33]

Zhang, K.; Zuo, W. M.; Chen, Y. J.; Meng, D. Y.; Zhang, L. Beyond a Gaussian denoiser: Residual learning of deep CNN for image denoising. IEEE Transactions on Image Processing Vol. 26, No. 7, 3142-3155, 2017.

DOI Google Scholar

[34]

Dong, Z.; Pei, M. T.; He, Y.; Liu, T.; Dong, Y. M.; Jia, Y. D. Vehicle type classification using unsupervised convolutional neural network. In: Proceedings of the 22nd International Conference on Pattern Recognition, 172-177, 2014.

DOI

[35]

Yang, L. J.; Luo, P.; Loy, C. C.; Tang, X. O. A large-scale car dataset for fine-grained categorization and verification. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 3973-3981, 2015.

DOI

[36]

Zhou, B. L.; Khosla, A.; Lapedriza, A.; Oliva, A.; Torralba, A. Learning deep features for discriminative localization. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2921-2929, 2016.

DOI

About this article

Publication history

Acknowledgements

Rights and permissions

Publication history

Received: 03 November 2020

Accepted: 02 January 2021

Published: 25 January 2021

Issue date: June 2021

Copyright

Acknowledgements

This work was supported in part by the National Natural Science Foundation of China (61872047, 61720106007), the National Key R&D Program of China (2017YFB1003000), the Beijing Nova Program (Z201100006820124), the Beijing Natural Science Foundation (L191004), and the 111 Project (B18008).

Rights and permissions

This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduc-tion in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made.

The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Other papers from this open access journal are available free of charge from http://www.springer.com/journal/41095. To submit a manuscript, please go to https://www. editorialmanager.com/cvmj.