Detection and Correction of Adversarial Examples Based on IPEG-Compression-Derived Distortion

2022 Asia-Pacific Signal and Information Processing Association Annual Summit and Conference (APSIPA ASC) Pub Date : 2022-11-07 DOI:10.23919/APSIPAASC55919.2022.9980147

Kenta Tsunomori, Yuma Yamasaki, M. Kuribayashi, N. Funabiki, I. Echizen

{"title":"Detection and Correction of Adversarial Examples Based on IPEG-Compression-Derived Distortion","authors":"Kenta Tsunomori, Yuma Yamasaki, M. Kuribayashi, N. Funabiki, I. Echizen","doi":"10.23919/APSIPAASC55919.2022.9980147","DOIUrl":null,"url":null,"abstract":"An effective way to defend against adversarial examples (AEs), which are used, for example, to attack applications such as face recognition, is to detect in advance whether an input image is an AE. Some AE defense methods focus on the response characteristics of image classifiers when denoising filters are applied to the input image. However, several filters are required, which results in a large amount of computation. Because JPEG compression of AEs effectively removes adversarial perturbations, the difference between the image before and after JPEG compression should be highly correlated with the perturbations. However, the difference should not be completely consistent with adversarial perturbations. We have developed a filtering operation that modulates this difference by varying their magnitude and positive/negative sign and adding them to an image so that adversarial perturbations can be effectively removed. We consider that adversarial perturbations that could not be removed by simply applying JPEG compression can be removed by modulating this difference. Furthermore, applying a resizing process to the image after adding these distortions enables us to remove perturbations that could not be removed otherwise. The filtering operation will successfully remove the adversarial noise and reconstruct the corrected samples from AEs. We also consider a simple but effective reconstruction method based on the filtering operations. Experiments in which the adversarial attack used was not known to the detector demonstrated that the proposed method could achieve better performance in terms of accuracy with reasonable computational complexity. In addition, the percentage of correct classification results after applying the proposed filter for non-targeted attacks was higher than that of JPEG compression and scaling. These results suggest that the proposed method effectively removes adversarial perturbations and is an effective filter for detecting AEs.","PeriodicalId":382967,"journal":{"name":"2022 Asia-Pacific Signal and Information Processing Association Annual Summit and Conference (APSIPA ASC)","volume":"43 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2022-11-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2022 Asia-Pacific Signal and Information Processing Association Annual Summit and Conference (APSIPA ASC)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.23919/APSIPAASC55919.2022.9980147","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 0

Abstract

An effective way to defend against adversarial examples (AEs), which are used, for example, to attack applications such as face recognition, is to detect in advance whether an input image is an AE. Some AE defense methods focus on the response characteristics of image classifiers when denoising filters are applied to the input image. However, several filters are required, which results in a large amount of computation. Because JPEG compression of AEs effectively removes adversarial perturbations, the difference between the image before and after JPEG compression should be highly correlated with the perturbations. However, the difference should not be completely consistent with adversarial perturbations. We have developed a filtering operation that modulates this difference by varying their magnitude and positive/negative sign and adding them to an image so that adversarial perturbations can be effectively removed. We consider that adversarial perturbations that could not be removed by simply applying JPEG compression can be removed by modulating this difference. Furthermore, applying a resizing process to the image after adding these distortions enables us to remove perturbations that could not be removed otherwise. The filtering operation will successfully remove the adversarial noise and reconstruct the corrected samples from AEs. We also consider a simple but effective reconstruction method based on the filtering operations. Experiments in which the adversarial attack used was not known to the detector demonstrated that the proposed method could achieve better performance in terms of accuracy with reasonable computational complexity. In addition, the percentage of correct classification results after applying the proposed filter for non-targeted attacks was higher than that of JPEG compression and scaling. These results suggest that the proposed method effectively removes adversarial perturbations and is an effective filter for detecting AEs.

查看原文本刊更多论文

基于ipeg压缩失真的对抗性样本检测与校正

对抗对抗示例(例如，用于攻击人脸识别等应用程序)的一种有效方法是提前检测输入图像是否为AE。一些声发射防御方法关注的是对输入图像施加去噪滤波器时图像分类器的响应特性。然而，需要几个过滤器，这导致了大量的计算。由于AEs的JPEG压缩有效地消除了对抗性扰动，因此JPEG压缩前后图像之间的差异应该与扰动高度相关。然而，这种差异不应与对抗性扰动完全一致。我们已经开发了一种过滤操作，通过改变它们的大小和正负号来调节这种差异，并将它们添加到图像中，这样就可以有效地去除对抗性扰动。我们认为，通过简单地应用JPEG压缩不能消除的对抗性扰动可以通过调制这种差异来消除。此外，在添加这些扭曲后对图像应用调整大小过程使我们能够消除其他方法无法消除的扰动。滤波操作将成功地去除对抗噪声，并从ae中重建校正后的样本。我们还考虑了一种简单而有效的基于滤波运算的重建方法。实验结果表明，该方法在不知道检测器所使用的对抗性攻击的情况下，在计算复杂度合理的情况下，在准确率方面取得了较好的性能。此外，对于非目标攻击，应用该滤波器后的分类结果正确率高于JPEG压缩和缩放。这些结果表明，该方法有效地消除了对抗性扰动，是检测AEs的有效滤波器。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2022 Asia-Pacific Signal and Information Processing Association Annual Summit and Conference (APSIPA ASC)

自引率

0.00%

发文量