Zago, JG (2021)

Defense Methods for Convolutional Neural Networks Against Adversarial Attacks

Masters Thesis, Federal University of Santa Catarina, Florianópolis, Brazil.

ISSN/ISBN: Not available at this time. DOI: Not available at this time.

Abstract: Despite their success in image classification, Convolutional Neural Networks (CNNs) are still fragile to small perturbations in the input images they have to classify: slight changes in the values of some pixels might result in completely different network outputs. Such images, purposefully perturbed to deceive a classifier, are known as adversarial images. This vulnerability of CNNs to adversarial images raises concerns in safety-sensitive applications involving life-threatening, environmental, or financial implications. This thesis proposes two computationally cheap and complementary methods to help circumvent and alleviate this fragility of CNNs: a) a novel strategy that reduces the success of adversarial attacks by obfuscating the softmax output, which does not require any network training; and b) a method that employs Benford's Law to distinguish transformed natural images from transformed adversarial ones at the pixel level, providing an extra shield acting at the input layer of vulnerable CNNs. The defense we developed in (a) not only decreases the attack success rate but also forces the attack algorithm to insert larger perturbations in the input images. The study conducted in (b) indicates that: 1) adversarial images tend to deviate significantly more from Benford's distribution than unaltered images; 2) this deviation increases with the magnitude of the perturbation; 3) in some cases, it is possible to identify ongoing attacks by monitoring this deviation online, making it possible to turn off the classifier for the particular requester before it completes an attack. Finally, these two methods are orthogonal, in that we expect the CNN classifier to get better protection against attacks when both are used simultaneously.

@mastersThesis{,
  AUTHOR  = {Zago, João Gabriel},
  TITLE   = {Defense methods for convolutional neural networks against adversarial attacks},
  SCHOOL  = {Federal University of Santa Catarina},
  ADDRESS = {Florianópolis, Brazil},
  YEAR    = {2021},
  URL     = {},
}

Reference Type: Thesis

Subject Area(s): Computer Science, Image Processing