Protecting JPEG Images Against Adversarial Attacks

Prakash, Aaditya; Moran, Nick; Garber, Solomon; DiLillo, Antonella; Storer, James A.

doi:10.1109/dcc.2018.00022

Cited by 24 publications

(23 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Defenses: Proposed defenses include detection and rejection methods [32,26,55,61,3,63], pre-processing, quantization and dimensionality reduction methods [12,73,7], manifold-projection methods [40,72,82,86], methods based on stochasticity/regularization or adapted architectures [109,7,68,88,35,43,76,45,51,107], ensemble methods [57,94,34,100], as well as adversarial training [109,65,36,83,90,54,62]; however, many defenses have been broken, often by considering "specialized" or novel attacks [13,15,5,6]. In [6], only adversarial training, e.g., the work by Madry et al [62], has been shown to be effective -although many recent defenses have not been studied extensively.…”

Section: Related Workmentioning

confidence: 99%

Disentangling Adversarial Robustness and Generalization

Stutz

Hein

Schiele

2019

2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR)

196

153

View full text Add to dashboard Cite

Obtaining deep networks that are robust against adversarial examples and generalize well is an open problem. A recent hypothesis [102,95] even states that both robust and accurate models are impossible, i.e., adversarial robustness and generalization are conflicting goals. In an effort to clarify the relationship between robustness and generalization, we assume an underlying, low-dimensional data manifold and show that: 1. regular adversarial examples leave the manifold; 2. adversarial examples constrained to the manifold, i.e., on-manifold adversarial examples, exist; 3. onmanifold adversarial examples are generalization errors, and on-manifold adversarial training boosts generalization; 4. regular robustness and generalization are not necessarily contradicting goals. These assumptions imply that both robust and accurate models are possible. However, different models (architectures, training strategies etc.) can exhibit different robustness and generalization characteristics. To confirm our claims, we present extensive experiments on synthetic data (with known manifold) as well as on EMNIST [19], Fashion-MNIST [106] and CelebA [59].

show abstract

Section: Related Workmentioning

confidence: 99%

Disentangling Adversarial Robustness and Generalization

Stutz

Hein

Schiele

2019

2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR)

196

153

View full text Add to dashboard Cite

show abstract

“…Existing defenses are either reactive [8,16,17,24,36], i.e. adding an extra element to detect or remove adversarial perturbation, or proactive [3,6,11,18,19,22,25,32], i.e.…”

Section: Related Workmentioning

confidence: 99%

“…Transformation-based defenses [8,24,29,34] are reactive defenses that attempt to reform adversarial examples while not changing their semantics. Basic transformations, such as cropping, rescaling, bit-depth reduction, jpeg compression, total variance minimization, and image quilting, succeed in removing adversarial eects to some extent [8].…”

Section: Related Workmentioning

confidence: 99%

“…Considering adversarial perturbations as a special kind of noise is a simple and practical perspective. Motivated by this, a number of defenses detect the adversarial image and/or pre-process input images to remove the eect of the adversarial perturbation [8,16,17,24,36]. For instance, MagNet [20] uses auto-encoders to project the input image to the manifold of natural images.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Patch Replacement

Zhang

Avrithis

Furon

et al. 2021

Proceedings of the 1st International Workshop on Trustworthy AI for Multimedia Computing

View full text Add to dashboard Cite

Deep Neural Networks (DNNs) are robust against intra-class variability of images, pose variations and random noise, but vulnerable to imperceptible adversarial perturbations that are well-crafted precisely to mislead. While random noise even of relatively large magnitude can hardly aect predictions, adversarial perturbations of very small magnitude can make a classier fail completely.To enhance robustness, we introduce a new adversarial defense called patch replacement, which transforms both the input images and their intermediate features at early layers to make adversarial perturbations behave similarly to random noise. We decompose images/features into small patches and quantize them according to a codebook learned from legitimate training images. This maintains the semantic information of legitimate images, while removing as much as possible the eect of adversarial perturbations.Experiments show that patch replacement improves robustness against both white-box and gray-box attacks, compared with other transformation-based defenses. It has a low computational cost since it does not need training or ne-tuning the network. Importantly, in the white-box scenario, it increases the robustness, while other transformation-based defenses do not.

show abstract

“…nevertheless, a new sample can always be found to deceive the network however we repeat the first idea [24]. Even though we use other methods such as data compression [25] and data randomization [26], The new adversarial samples that keep appearing make these defense methods ridiculous.…”

Section: B Defense Patterns For Adversarial Samplementioning

confidence: 99%

Robust Pervasive Detection for Adversarial Samples of Artificial Intelligence in IoT Environments

Wang

Qiao

2019

IEEE Access

View full text Add to dashboard Cite

Nowadays, artificial intelligence technologies (e.g., deep neural networks) have been used widely in the Internet of Things (IoT) to provide smart services and sensing data processing. The evolving neural network even exceeds the human cognitive level. However, the accuracy of these structures depends to some extent on the accuracy of the training data. Some well-designed generated antagonistic disturbances are sufficient to deceive model when added to images. Such attacks cause the classifiers trained by the neural network to misidentify the object and thus completely fail. On the other hand, the various existing defensive methods that have been proposed suffer from two criticisms. The first thing that bears the brunt is unsatisfactory detection rate due to low robustness toward the adversarial sample. Second, the excessive dependence on the output of specific network structure layers hinders the emergence of universal schemes. In this paper, we propose the large margin cosine estimation (LMCE) detection scheme to overcome the above shortcomings, making the detection independent and universal. We illustrate the principle of our approach and demonstrate the significance and analysis of some important parameters. Moreover, we model various types of adversarial attacks and establish proposed defense mechanisms against them and evaluate our approach from different aspects. This method has been clearly validated on a range of standard datasets including MNIST, CIFAR-10, and SVHN. The assessment strongly reflects the robustness and pervasive of this approach in the face of various white and semi-white box attacks. INDEX TERMS Artificial neural networks, machine learning, data security, computer hacking, detection algorithms.

show abstract

Protecting JPEG Images Against Adversarial Attacks

Cited by 24 publications

References 13 publications

Disentangling Adversarial Robustness and Generalization

Disentangling Adversarial Robustness and Generalization

Patch Replacement

Robust Pervasive Detection for Adversarial Samples of Artificial Intelligence in IoT Environments

Contact Info

Product

Resources

About