Mape: defending against transferable adversarial attacks using multi-source adversarial perturbations elimination
Abstract Neural networks are vulnerable to meticulously crafted adversarial examples, leading to high-confidence misclassifications in image classification tasks. Due to their consistency with regular input patterns and the absence of reliance on the target model and its output information, transfer...
Saved in:
| Main Authors: | , , , , , , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
Springer
2025-01-01
|
| Series: | Complex & Intelligent Systems |
| Subjects: | |
| Online Access: | https://doi.org/10.1007/s40747-024-01770-z |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| _version_ | 1823861487376007168 |
|---|---|
| author | Xinlei Liu Jichao Xie Tao Hu Peng Yi Yuxiang Hu Shumin Huo Zhen Zhang |
| author_facet | Xinlei Liu Jichao Xie Tao Hu Peng Yi Yuxiang Hu Shumin Huo Zhen Zhang |
| author_sort | Xinlei Liu |
| collection | DOAJ |
| description | Abstract Neural networks are vulnerable to meticulously crafted adversarial examples, leading to high-confidence misclassifications in image classification tasks. Due to their consistency with regular input patterns and the absence of reliance on the target model and its output information, transferable adversarial attacks exhibit a notably high stealthiness and detection difficulty, making them a significant focus of defense. In this work, we propose a deep learning defense known as multi-source adversarial perturbations elimination (MAPE) to counter diverse transferable attacks. MAPE comprises the single-source adversarial perturbation elimination (SAPE) mechanism and the pre-trained models probabilistic scheduling algorithm (PPSA). SAPE utilizes a thoughtfully designed channel-attention U-Net as the defense model and employs adversarial examples generated by a pre-trained model (e.g., ResNet) for its training, thereby enabling the elimination of known adversarial perturbations. PPSA introduces model difference quantification and negative momentum to strategically schedule multiple pre-trained models, thereby maximizing the differences among adversarial examples during the defense model’s training and enhancing its robustness in eliminating adversarial perturbations. MAPE effectively eliminates adversarial perturbations in various adversarial examples, providing a robust defense against attacks from different substitute models. In a black-box attack scenario utilizing ResNet-34 as the target model, our approach achieves average defense rates of over 95.1% on CIFAR-10 and over 71.5% on Mini-ImageNet, demonstrating state-of-the-art performance. |
| format | Article |
| id | doaj-art-a03c1f65307e48579077bd5ef91630cd |
| institution | Kabale University |
| issn | 2199-4536 2198-6053 |
| language | English |
| publishDate | 2025-01-01 |
| publisher | Springer |
| record_format | Article |
| series | Complex & Intelligent Systems |
| spelling | doaj-art-a03c1f65307e48579077bd5ef91630cd2025-02-09T13:01:06ZengSpringerComplex & Intelligent Systems2199-45362198-60532025-01-0111211710.1007/s40747-024-01770-zMape: defending against transferable adversarial attacks using multi-source adversarial perturbations eliminationXinlei Liu0Jichao Xie1Tao Hu2Peng Yi3Yuxiang Hu4Shumin Huo5Zhen Zhang6Information Engineering UniversityInformation Engineering UniversityInformation Engineering UniversityInformation Engineering UniversityInformation Engineering UniversityInformation Engineering UniversityInformation Engineering UniversityAbstract Neural networks are vulnerable to meticulously crafted adversarial examples, leading to high-confidence misclassifications in image classification tasks. Due to their consistency with regular input patterns and the absence of reliance on the target model and its output information, transferable adversarial attacks exhibit a notably high stealthiness and detection difficulty, making them a significant focus of defense. In this work, we propose a deep learning defense known as multi-source adversarial perturbations elimination (MAPE) to counter diverse transferable attacks. MAPE comprises the single-source adversarial perturbation elimination (SAPE) mechanism and the pre-trained models probabilistic scheduling algorithm (PPSA). SAPE utilizes a thoughtfully designed channel-attention U-Net as the defense model and employs adversarial examples generated by a pre-trained model (e.g., ResNet) for its training, thereby enabling the elimination of known adversarial perturbations. PPSA introduces model difference quantification and negative momentum to strategically schedule multiple pre-trained models, thereby maximizing the differences among adversarial examples during the defense model’s training and enhancing its robustness in eliminating adversarial perturbations. MAPE effectively eliminates adversarial perturbations in various adversarial examples, providing a robust defense against attacks from different substitute models. In a black-box attack scenario utilizing ResNet-34 as the target model, our approach achieves average defense rates of over 95.1% on CIFAR-10 and over 71.5% on Mini-ImageNet, demonstrating state-of-the-art performance.https://doi.org/10.1007/s40747-024-01770-zDeep learning securityPattern recognitionImage classificationAdversarial exampleAdversarial defense |
| spellingShingle | Xinlei Liu Jichao Xie Tao Hu Peng Yi Yuxiang Hu Shumin Huo Zhen Zhang Mape: defending against transferable adversarial attacks using multi-source adversarial perturbations elimination Complex & Intelligent Systems Deep learning security Pattern recognition Image classification Adversarial example Adversarial defense |
| title | Mape: defending against transferable adversarial attacks using multi-source adversarial perturbations elimination |
| title_full | Mape: defending against transferable adversarial attacks using multi-source adversarial perturbations elimination |
| title_fullStr | Mape: defending against transferable adversarial attacks using multi-source adversarial perturbations elimination |
| title_full_unstemmed | Mape: defending against transferable adversarial attacks using multi-source adversarial perturbations elimination |
| title_short | Mape: defending against transferable adversarial attacks using multi-source adversarial perturbations elimination |
| title_sort | mape defending against transferable adversarial attacks using multi source adversarial perturbations elimination |
| topic | Deep learning security Pattern recognition Image classification Adversarial example Adversarial defense |
| url | https://doi.org/10.1007/s40747-024-01770-z |
| work_keys_str_mv | AT xinleiliu mapedefendingagainsttransferableadversarialattacksusingmultisourceadversarialperturbationselimination AT jichaoxie mapedefendingagainsttransferableadversarialattacksusingmultisourceadversarialperturbationselimination AT taohu mapedefendingagainsttransferableadversarialattacksusingmultisourceadversarialperturbationselimination AT pengyi mapedefendingagainsttransferableadversarialattacksusingmultisourceadversarialperturbationselimination AT yuxianghu mapedefendingagainsttransferableadversarialattacksusingmultisourceadversarialperturbationselimination AT shuminhuo mapedefendingagainsttransferableadversarialattacksusingmultisourceadversarialperturbationselimination AT zhenzhang mapedefendingagainsttransferableadversarialattacksusingmultisourceadversarialperturbationselimination |