
Attention, Please! Adversarial Defense via Activation Rectification and Preservation

Published: 27 February 2023

Abstract

This study offers a new view of the adversarial attack problem by examining the correlation between adversarial attacks and changes in visual attention. In particular, we observed that (1) images whose attention regions are incomplete are more vulnerable to adversarial attacks, and (2) successful adversarial attacks produce deviated and scattered activation maps. Based on these observations, we use a mask-based method to design an attention-preservation loss and a contrast-based method to design an attention-rectification loss. On top of these losses we build an attention-based adversarial defense framework, under which the same constraints can be used either to perform better adversarial training or to mount stronger adversarial attacks. We hope that the attention-related data analysis and the defense solution in this study shed some light on the mechanism behind adversarial attacks and facilitate the design of future adversarial defense and attack models.
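The abstract names three ingredients without giving formulas: an activation (attention) map, a mask-based attention-preservation loss, and the observation that a successful attack leaves a deviated, scattered map. The pure-Python sketch below is an added example, not code from the paper or its authors. The Grad-CAM computation follows the standard definition; `preservation_loss` (masked L1 distance inside the clean attention region plus leakage outside it) and `scatter` (attention-weighted RMS distance from the attention centroid) are illustrative assumptions about how such terms could be written, and the 8x8 maps are constructed toy inputs.

```python
"""Attention-map diagnostics for adversarial defense (added example, not the paper's code).

Three ingredients the abstract names, in pure Python: a Grad-CAM style
activation map, a mask-based attention-preservation loss, and a scatter
measure that separates a focused map from a deviated, scattered one. The
loss and the scatter measure are illustrative assumptions, not the paper's
exact formulation; all inputs below are constructed 8x8 toy maps.
"""
from math import sqrt
from typing import List

Map = List[List[float]]


def grad_cam(activations: List[Map], gradients: List[Map]) -> Map:
    """Standard Grad-CAM: channel weight = spatial mean of the gradient,
    cam = ReLU(sum_k w_k * A_k), then min-max normalised to [0, 1]."""
    h, w = len(activations[0]), len(activations[0][0])
    weights = [sum(sum(row) for row in g) / (h * w) for g in gradients]
    cam = [[max(0.0, sum(wk * a[i][j] for wk, a in zip(weights, activations)))
            for j in range(w)] for i in range(h)]
    lo = min(min(r) for r in cam)
    hi = max(max(r) for r in cam)
    if hi - lo < 1e-12:          # flat map: nothing to normalise
        return [[0.0] * w for _ in range(h)]
    return [[(v - lo) / (hi - lo) for v in row] for row in cam]


def attention_mask(cam: Map, threshold: float = 0.5) -> List[List[int]]:
    """Binary mask of the region the model attends to (cam >= threshold)."""
    return [[1 if v >= threshold else 0 for v in row] for row in cam]


def preservation_loss(clean: Map, adv: Map, threshold: float = 0.5) -> float:
    """Assumed mask-based term: mean |clean - adv| inside the clean model's
    attended region (attention must be preserved there) plus the mean
    adversarial attention that leaks outside that region."""
    mask = attention_mask(clean, threshold)
    inside = [abs(c - a) for cr, ar, mr in zip(clean, adv, mask)
              for c, a, m in zip(cr, ar, mr) if m]
    outside = [a for ar, mr in zip(adv, mask) for a, m in zip(ar, mr) if not m]
    loss = sum(inside) / len(inside) if inside else 0.0
    if outside:
        loss += sum(outside) / len(outside)
    return loss


def scatter(cam: Map) -> float:
    """Assumed scatter measure: attention-weighted RMS distance from the
    attention centroid. A single blob scores low, spread-out mass high."""
    total = sum(sum(r) for r in cam)
    if total <= 0:
        return 0.0
    cy = sum(i * v for i, r in enumerate(cam) for v in r) / total
    cx = sum(j * v for r in cam for j, v in enumerate(r)) / total
    var = sum(v * ((i - cy) ** 2 + (j - cx) ** 2)
              for i, r in enumerate(cam) for j, v in enumerate(r)) / total
    return sqrt(var)


def focused_map(size: int = 8) -> Map:
    """Constructed: one 4x4 blob in the centre, as a clean image's attention might look."""
    return [[1.0 if 2 <= i < 6 and 2 <= j < 6 else 0.0
             for j in range(size)] for i in range(size)]


def scattered_map(size: int = 8) -> Map:
    """Constructed: mass pushed to the four corners with a weak haze elsewhere,
    mimicking the deviated, scattered map of a successful attack."""
    def corner(k: int) -> bool:
        return k < 2 or k >= size - 2
    return [[1.0 if corner(i) and corner(j) else 0.1
             for j in range(size)] for i in range(size)]


def demo() -> dict:
    clean, adv = focused_map(), scattered_map()
    # Two constructed feature channels: the object blob (positive gradient)
    # and the background haze (negative gradient); Grad-CAM keeps the blob.
    cam = grad_cam([clean, adv], [[[1.0] * 8 for _ in range(8)],
                                  [[-1.0] * 8 for _ in range(8)]])
    return {
        "cam_equals_blob": cam == clean,
        "loss_clean_vs_clean": preservation_loss(clean, clean),
        "loss_clean_vs_adv": preservation_loss(clean, adv),
        "scatter_clean": scatter(clean),
        "scatter_adv": scatter(adv),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running the script shows the two observations in miniature: the focused map has a zero preservation loss against itself and a small scatter, while the scattered map pays a loss both inside the blob (attention lost) and outside it (attention leaked) and scores a much larger scatter. In a real defense the maps would come from a network's feature layer under clean and perturbed inputs, and the loss would be added to the training objective rather than evaluated on toy grids.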



Published in

ACM Transactions on Multimedia Computing, Communications, and Applications, Volume 19, Issue 4
July 2023
263 pages
ISSN: 1551-6857
EISSN: 1551-6865
DOI: 10.1145/3582888
Editor: Abdulmotaleb El Saddik


Publisher

Association for Computing Machinery
New York, NY, United States

Publication History

Published: 27 February 2023
Online AM: 29 November 2022
Accepted: 21 November 2022
Revised: 19 November 2022
Received: 18 April 2022
