Adaptive patch transformation for adversarial defense

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security Pub Date : 2025-02-15 DOI:10.1016/j.cose.2025.104368

Xin Zhang , Shijie Xiao , Han Zhang , Lixia Ji

{"title":"Adaptive patch transformation for adversarial defense","authors":"Xin Zhang , Shijie Xiao , Han Zhang , Lixia Ji","doi":"10.1016/j.cose.2025.104368","DOIUrl":null,"url":null,"abstract":"<div><div>Deep learning models are vulnerable to adversarial attacks. Although various defense methods have been proposed, such as incorporating perturbations during training, removing them in preprocessing steps or using image-to-image mapping to counter these attacks, these methods often struggle to robustly defend against diverse adversarial attacks and may affect the model’s predictions on normal samples. To address this issue, we propose an adversarial example defense method based on image transformation. First, we designed an image transformation combiner that integrates multiple image transformations for defending against adversarial examples, thereby enhancing the robustness of the method. Second, we divide the image into patches and apply different combinations of image transformations to each patch to ensure the retention of useful information and increase the flexibility of the transformations. We combined 12 geometric or color transformations using the image transformation combiner and tested it on adversarial examples generated from the MNIST, CIFAR - 10, and ImageNet datasets. Experimental results show that our method outperforms other advanced detection methods in terms of accuracy and effectively mitigates the impact of adversarial perturbations on the model.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"153 ","pages":"Article 104368"},"PeriodicalIF":4.8000,"publicationDate":"2025-02-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404825000574","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Deep learning models are vulnerable to adversarial attacks. Although various defense methods have been proposed, such as incorporating perturbations during training, removing them in preprocessing steps or using image-to-image mapping to counter these attacks, these methods often struggle to robustly defend against diverse adversarial attacks and may affect the model’s predictions on normal samples. To address this issue, we propose an adversarial example defense method based on image transformation. First, we designed an image transformation combiner that integrates multiple image transformations for defending against adversarial examples, thereby enhancing the robustness of the method. Second, we divide the image into patches and apply different combinations of image transformations to each patch to ensure the retention of useful information and increase the flexibility of the transformations. We combined 12 geometric or color transformations using the image transformation combiner and tested it on adversarial examples generated from the MNIST, CIFAR - 10, and ImageNet datasets. Experimental results show that our method outperforms other advanced detection methods in terms of accuracy and effectively mitigates the impact of adversarial perturbations on the model.

查看原文本刊更多论文

对抗性防御的自适应补丁变换

深度学习模型容易受到对抗性攻击。尽管已经提出了各种防御方法，例如在训练期间合并扰动，在预处理步骤中去除扰动或使用图像到图像映射来对抗这些攻击，但这些方法通常难以强大地防御各种对抗性攻击，并可能影响模型对正常样本的预测。为了解决这一问题，我们提出了一种基于图像变换的对抗性示例防御方法。首先，我们设计了一个图像变换组合器，它集成了多个图像变换来防御对抗样本，从而增强了方法的鲁棒性。其次，我们将图像分割成小块，并对每个小块应用不同的图像变换组合，以保证有用信息的保留，增加变换的灵活性；我们使用图像转换组合器组合了12种几何或颜色转换，并在从MNIST、CIFAR - 10和ImageNet数据集生成的对抗性示例上进行了测试。实验结果表明，我们的方法在精度上优于其他先进的检测方法，并有效地减轻了对抗性扰动对模型的影响。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Computers & Security 工程技术-计算机：信息系统

CiteScore

12.40

自引率

7.10%

发文量

365

审稿时长

10.7 months

期刊介绍： Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.