Abstract
This study provides a new understanding of the adversarial attack problem by examining the correlation between adversarial attacks and changes in visual attention. In particular, we observed that: (1) images with incomplete attention regions are more vulnerable to adversarial attacks; and (2) successful adversarial attacks lead to deviated and scattered activation maps. Therefore, we use a mask method to design an attention-preserving loss and a contrast method to design a loss that rectifies the model's attention. Accordingly, an attention-based adversarial defense framework is designed, under which better adversarial training or stronger adversarial attacks can be performed through the above constraints. We hope the attention-related data analysis and defense solution in this study will shed some light on the mechanism behind adversarial attacks and also facilitate future adversarial defense/attack model design.
Attention, Please! Adversarial Defense via Activation Rectification and Preservation