Improving Adversarial Robustness on Single Model via Feature Fusion and Ensemble Diversity
Fund Project:

National Key Research and Development Program of China (2018YFB2101300); National Natural Science Foundation of China (61872147)

Abstract:

Using deep neural networks (DNNs) to process the massive volume of image data generated by the rapidly growing number of Internet of Things (IoT) devices is an inevitable trend. However, DNNs are vulnerable to adversarial examples: they are easy to attack, and a successful attack endangers the security of the IoT, so improving model robustness has become an important topic. An ensemble model usually defends better than a single model, but the limited computing power of IoT devices makes ensembles difficult to deploy. This study therefore proposes a model transformation and training method that lets a single model achieve a defensive effect similar to that of an ensemble: additional branches are added to the base model, feature pyramids are used to fuse features, and ensemble diversity is introduced into training. Experiments on common datasets such as MNIST and CIFAR-10 show that the method significantly improves robustness: accuracy under four gradient-based attacks such as FGSM increases more than fivefold, and under JSMA, C&W, and EAD by up to 10 times. The method does not degrade the classification of clean examples, and performs better still when combined with adversarial training.

Citation:

韦璠, 宋云飞, 邵明莉, 刘天, 陈小红, 王祥丰, 陈铭松. Improving adversarial robustness on single model via feature fusion and ensemble diversity. Journal of Software (软件学报), 2020, 31(9): 2756-2769.

History
  • Received: July 01, 2019
  • Revised: August 18, 2019
  • Online: January 17, 2020
  • Published: September 06, 2020