Adversarial example defense algorithm for MNIST based on image reconstruction
With the popularization of deep learning, more and more attention has been paid to its security issues. The adversarial sample is to add a small disturbance to the original image, which can cause the deep learning model to misclassify the image, which seriously affects the performance of deep learni...
| Main Authors: | , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
POSTS&TELECOM PRESS Co., LTD
2022-02-01
|
| Series: | 网络与信息安全学报 |
| Subjects: | |
| Online Access: | http://www.infocomm-journal.com/cjnis/CN/10.11959/j.issn.2096-109x.2021095 |
| _version_ | 1818138621545283584 |
|---|---|
| author | QIN Zhongyuan, HE Zhaoxiang LI Tao, CHEN Liquan |
| author_facet | QIN Zhongyuan, HE Zhaoxiang LI Tao, CHEN Liquan |
| author_sort | QIN Zhongyuan, HE Zhaoxiang |
| collection | DOAJ |
| description | With the popularization of deep learning, more and more attention has been paid to its security issues. The adversarial sample is to add a small disturbance to the original image, which can cause the deep learning model to misclassify the image, which seriously affects the performance of deep learning technology. To address this challenge, the attack form and harm of the existing adversarial samples were analyzed. An adversarial examples defense method based on image reconstruction was proposed to effectively detect adversarial examples. The defense method used MNIST as the test data set. The core idea was image reconstruction, including central variance minimization and image quilting optimization. The central variance minimization was only processed for the central area of the image. The image quilting optimization incorporated the overlapping area into the patch block selection. Considered and took half the size of the patch as the overlap area. Using FGSM, BIM, DeepFool and C&W attack methods to generate adversarial samples to test the defense performance of the two methods, and compare with the existing three image reconstruction defense methods (cropping and scaling, bit depth compression and JPEG compression). The experimental results show that the central variance minimization and image quilting optimization algorithms proposed have a satisfied defense effect against the attacks of existing common adversarial samples. Image quilting optimization achieves over 75% classification accuracy for samples generated by the four attack algorithms, and the defense effect of minimizing central variance is around 70%. The three image reconstruction algorithms used for comparison have unstable defense effects on different attack algorithms, and the overall classification accuracy rate is less than 60%. The central variance minimization and image quilting optimization proposed achieve the purpose of effectively defending against adversarial samples. The experiments illustrate the defense effect of the proposed defense algorithm in different adversarial sample attack algorithms. The comparison between the reconstruction algorithm and the algorithm shows that the proposed scheme has good defense performance. |
| first_indexed | 2024-12-11T10:15:07Z |
| format | Article |
| id | doaj.art-dc84b8748b2a4f6ea0ae3dcb16d69400 |
| institution | Directory Open Access Journal |
| issn | 2096-109X |
| language | English |
| last_indexed | 2024-12-11T10:15:07Z |
| publishDate | 2022-02-01 |
| publisher | POSTS&TELECOM PRESS Co., LTD |
| record_format | Article |
| series | 网络与信息安全学报 |
| spelling | doaj.art-dc84b8748b2a4f6ea0ae3dcb16d694002022-12-22T01:11:38ZengPOSTS&TELECOM PRESS Co., LTD网络与信息安全学报2096-109X2022-02-0181869410.11959/j.issn.2096−109x.2021095Adversarial example defense algorithm for MNIST based on image reconstructionQIN Zhongyuan, HE Zhaoxiang0 LI Tao, CHEN Liquan1School of Cyber Science and Engineering, Southeast University, Nanjing 211189, China School of Cyber Science and Engineering, Southeast University, Nanjing 211189, China ; Network Communication and Security Purple Mountain Laboratory, Nanjing 211189, ChinaWith the popularization of deep learning, more and more attention has been paid to its security issues. The adversarial sample is to add a small disturbance to the original image, which can cause the deep learning model to misclassify the image, which seriously affects the performance of deep learning technology. To address this challenge, the attack form and harm of the existing adversarial samples were analyzed. An adversarial examples defense method based on image reconstruction was proposed to effectively detect adversarial examples. The defense method used MNIST as the test data set. The core idea was image reconstruction, including central variance minimization and image quilting optimization. The central variance minimization was only processed for the central area of the image. The image quilting optimization incorporated the overlapping area into the patch block selection. Considered and took half the size of the patch as the overlap area. Using FGSM, BIM, DeepFool and C&W attack methods to generate adversarial samples to test the defense performance of the two methods, and compare with the existing three image reconstruction defense methods (cropping and scaling, bit depth compression and JPEG compression). The experimental results show that the central variance minimization and image quilting optimization algorithms proposed have a satisfied defense effect against the attacks of existing common adversarial samples. Image quilting optimization achieves over 75% classification accuracy for samples generated by the four attack algorithms, and the defense effect of minimizing central variance is around 70%. The three image reconstruction algorithms used for comparison have unstable defense effects on different attack algorithms, and the overall classification accuracy rate is less than 60%. The central variance minimization and image quilting optimization proposed achieve the purpose of effectively defending against adversarial samples. The experiments illustrate the defense effect of the proposed defense algorithm in different adversarial sample attack algorithms. The comparison between the reconstruction algorithm and the algorithm shows that the proposed scheme has good defense performance.http://www.infocomm-journal.com/cjnis/CN/10.11959/j.issn.2096-109x.2021095adversarial exampleimage reconstructiondeep learningimage classification |
| spellingShingle | QIN Zhongyuan, HE Zhaoxiang LI Tao, CHEN Liquan Adversarial example defense algorithm for MNIST based on image reconstruction 网络与信息安全学报 adversarial example image reconstruction deep learning image classification |
| title | Adversarial example defense algorithm for MNIST based on image reconstruction |
| title_full | Adversarial example defense algorithm for MNIST based on image reconstruction |
| title_fullStr | Adversarial example defense algorithm for MNIST based on image reconstruction |
| title_full_unstemmed | Adversarial example defense algorithm for MNIST based on image reconstruction |
| title_short | Adversarial example defense algorithm for MNIST based on image reconstruction |
| title_sort | adversarial example defense algorithm for mnist based on image reconstruction |
| topic | adversarial example image reconstruction deep learning image classification |
| url | http://www.infocomm-journal.com/cjnis/CN/10.11959/j.issn.2096-109x.2021095 |
| work_keys_str_mv | AT qinzhongyuanhezhaoxiang adversarialexampledefensealgorithmformnistbasedonimagereconstruction AT litaochenliquan adversarialexampledefensealgorithmformnistbasedonimagereconstruction |