Evidence-based Multi-Feature Fusion for Adversarial Robustness.

IF 20.8 1区计算机科学 Q1 COMPUTER SCIENCE, ARTIFICIAL INTELLIGENCE

IEEE Transactions on Pattern Analysis and Machine Intelligence Pub Date : 2025-06-23 DOI:10.1109/tpami.2025.3582518

Zheng Wang,Xing Xu,Lei Zhu,Yi Bin,Guoqing Wang,Yang Yang,Heng Tao Shen

{"title":"Evidence-based Multi-Feature Fusion for Adversarial Robustness.","authors":"Zheng Wang,Xing Xu,Lei Zhu,Yi Bin,Guoqing Wang,Yang Yang,Heng Tao Shen","doi":"10.1109/tpami.2025.3582518","DOIUrl":null,"url":null,"abstract":"The accumulation of adversarial perturbations in the feature space makes it impossible for Deep Neural Networks (DNNs) to know what features are robust and reliable, and thus DNNs can be fooled by relying on a single contaminated feature. Numerous defense strategies attempt to improve their robustness by denoising, deactivating, or recalibrating non-robust features. Despite their effectiveness, we still argue that these methods are under-explored in terms of determining how trustworthy the features are. To address this issue, we propose a novel Evidence-based Multi-Feature Fusion (termed EMFF) for adversarial robustness. Specifically, our EMFF approach introduces evidential deep learning to help DNNs quantify the belief mass and uncertainty of the contaminated features. Subsequently, a novel multi-feature evidential fusion mechanism based on Dempster's rule is proposed to fuse the trusted features of multiple blocks within an architecture, which further helps DNNs avoid the induction of a single manipulated feature and thus improve their robustness. Comprehensive experiments confirm that compared with existing defense techniques, our novel EMFF method has obvious advantages and effectiveness in both scenarios of white-box and black-box attacks, and also prove that by integrating into several adversarial training strategies, we can improve the robustness of across distinct architectures, including traditional CNNs and recent vision Transformers with a few extra parameters and almost the same cost.","PeriodicalId":13426,"journal":{"name":"IEEE Transactions on Pattern Analysis and Machine Intelligence","volume":"269 1","pages":""},"PeriodicalIF":20.8000,"publicationDate":"2025-06-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Transactions on Pattern Analysis and Machine Intelligence","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1109/tpami.2025.3582518","RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, ARTIFICIAL INTELLIGENCE","Score":null,"Total":0}

引用次数: 0

Abstract

The accumulation of adversarial perturbations in the feature space makes it impossible for Deep Neural Networks (DNNs) to know what features are robust and reliable, and thus DNNs can be fooled by relying on a single contaminated feature. Numerous defense strategies attempt to improve their robustness by denoising, deactivating, or recalibrating non-robust features. Despite their effectiveness, we still argue that these methods are under-explored in terms of determining how trustworthy the features are. To address this issue, we propose a novel Evidence-based Multi-Feature Fusion (termed EMFF) for adversarial robustness. Specifically, our EMFF approach introduces evidential deep learning to help DNNs quantify the belief mass and uncertainty of the contaminated features. Subsequently, a novel multi-feature evidential fusion mechanism based on Dempster's rule is proposed to fuse the trusted features of multiple blocks within an architecture, which further helps DNNs avoid the induction of a single manipulated feature and thus improve their robustness. Comprehensive experiments confirm that compared with existing defense techniques, our novel EMFF method has obvious advantages and effectiveness in both scenarios of white-box and black-box attacks, and also prove that by integrating into several adversarial training strategies, we can improve the robustness of across distinct architectures, including traditional CNNs and recent vision Transformers with a few extra parameters and almost the same cost.

查看原文本刊更多论文

基于证据的多特征融合对抗鲁棒性。

特征空间中对抗性扰动的积累使得深度神经网络（dnn）不可能知道哪些特征是鲁棒和可靠的，因此dnn可能被依赖于单个受污染的特征所愚弄。许多防御策略试图通过去噪、去激活或重新校准非鲁棒特征来提高其鲁棒性。尽管它们很有效，但我们仍然认为这些方法在确定特征的可信度方面还没有得到充分的探索。为了解决这个问题，我们提出了一种新的基于证据的多特征融合（称为EMFF）对抗鲁棒性。具体来说，我们的EMFF方法引入了证据深度学习来帮助dnn量化受污染特征的置信质量和不确定性。随后，提出了一种基于Dempster规则的多特征证据融合机制，融合一个体系结构内多个块的可信特征，进一步避免了单个被操纵特征的诱导，从而提高了dnn的鲁棒性。综合实验证明，与现有的防御技术相比，EMFF方法在白盒攻击和黑盒攻击两种情况下都具有明显的优势和有效性，并证明了通过集成多种对抗训练策略，我们可以提高跨不同架构的鲁棒性，包括传统的cnn和最近的视觉变形器，只需额外的几个参数和几乎相同的成本。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

IEEE Transactions on Pattern Analysis and Machine Intelligence 工程技术-工程：电子与电气

CiteScore

28.40

自引率

3.00%

发文量

885

审稿时长

8.5 months

期刊介绍： The IEEE Transactions on Pattern Analysis and Machine Intelligence publishes articles on all traditional areas of computer vision and image understanding, all traditional areas of pattern analysis and recognition, and selected areas of machine intelligence, with a particular emphasis on machine learning for pattern analysis. Areas such as techniques for visual search, document and handwriting analysis, medical image analysis, video and image sequence analysis, content-based retrieval of image and video, face and gesture recognition and relevant specialized hardware and/or software architectures are also covered.