Gradient semi-masking for improving adversarial robustness

IF 7.6 1区计算机科学 Q1 COMPUTER SCIENCE, ARTIFICIAL INTELLIGENCE

Pattern Recognition Pub Date : 2025-09-10 DOI:10.1016/j.patcog.2025.112433

Xinlei Liu , Tao Hu , Peng Yi , Baolin Li , Jichao Xie , Hailong Ma

{"title":"Gradient semi-masking for improving adversarial robustness","authors":"Xinlei Liu , Tao Hu , Peng Yi , Baolin Li , Jichao Xie , Hailong Ma","doi":"10.1016/j.patcog.2025.112433","DOIUrl":null,"url":null,"abstract":"<div><div>In gradient masking, certain complex signal processing and probabilistic optimization strategies exhibit favorable characteristics such as nonlinearity, irreversibility, and feature preservation, thereby providing new solutions for adversarial defense. Inspired by this, this paper proposes a plug-and-play <strong>gradient semi-masking module</strong> (<strong>GSeM</strong>) to improve the adversarial robustness of neural networks. GSeM primarily contains a feature straight-through pathway that allows for normal gradient propagation and a feature mapping pathway that interrupts gradient flow. The multi-pathway and semi-masking characteristics cause GSeM to exhibit opposing behaviors when processing data and gradients. Specifically, during data processing, GSeM compresses the state space of features while introducing white noise augmentation. However, during gradient processing, it leads to inefficient updates to certain parameters and ineffective generation of training examples. To address this shortcoming, we correct gradient propagation and introduce gradient-corrected adversarial training. Extensive experiments demonstrate that GSeM differs fundamentally from earlier gradient masking methods: it can genuinely enhance the adversarial defense performance of neural networks, surpassing previous state-of-the-art approaches.</div></div>","PeriodicalId":49713,"journal":{"name":"Pattern Recognition","volume":"172 ","pages":"Article 112433"},"PeriodicalIF":7.6000,"publicationDate":"2025-09-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Pattern Recognition","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0031320325010945","RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, ARTIFICIAL INTELLIGENCE","Score":null,"Total":0}

引用次数: 0

Abstract

In gradient masking, certain complex signal processing and probabilistic optimization strategies exhibit favorable characteristics such as nonlinearity, irreversibility, and feature preservation, thereby providing new solutions for adversarial defense. Inspired by this, this paper proposes a plug-and-play gradient semi-masking module (GSeM) to improve the adversarial robustness of neural networks. GSeM primarily contains a feature straight-through pathway that allows for normal gradient propagation and a feature mapping pathway that interrupts gradient flow. The multi-pathway and semi-masking characteristics cause GSeM to exhibit opposing behaviors when processing data and gradients. Specifically, during data processing, GSeM compresses the state space of features while introducing white noise augmentation. However, during gradient processing, it leads to inefficient updates to certain parameters and ineffective generation of training examples. To address this shortcoming, we correct gradient propagation and introduce gradient-corrected adversarial training. Extensive experiments demonstrate that GSeM differs fundamentally from earlier gradient masking methods: it can genuinely enhance the adversarial defense performance of neural networks, surpassing previous state-of-the-art approaches.

查看原文本刊更多论文

提高对抗鲁棒性的梯度半掩蔽

在梯度掩蔽中，某些复杂信号处理和概率优化策略表现出非线性、不可逆性和特征保持性等良好特性，从而为对抗防御提供了新的解决方案。受此启发，本文提出了一种即插即用的梯度半掩蔽模块（GSeM）来提高神经网络的对抗鲁棒性。GSeM主要包含一个允许正常梯度传播的特征直通路径和一个中断梯度流的特征映射路径。多通路和半掩蔽特性导致GSeM在处理数据和梯度时表现出相反的行为。具体来说，在数据处理过程中，GSeM压缩特征的状态空间，同时引入白噪声增强。然而，在梯度处理过程中，某些参数的更新效率低下，训练样例的生成效率低下。为了解决这个缺点，我们纠正了梯度传播并引入了梯度校正对抗训练。大量的实验表明，GSeM与早期的梯度掩蔽方法有根本的不同：它可以真正增强神经网络的对抗防御性能，超越了以前最先进的方法。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Pattern Recognition 工程技术-工程：电子与电气

CiteScore

14.40

自引率

16.20%

发文量

683

审稿时长

5.6 months

期刊介绍： The field of Pattern Recognition is both mature and rapidly evolving, playing a crucial role in various related fields such as computer vision, image processing, text analysis, and neural networks. It closely intersects with machine learning and is being applied in emerging areas like biometrics, bioinformatics, multimedia data analysis, and data science. The journal Pattern Recognition, established half a century ago during the early days of computer science, has since grown significantly in scope and influence.