Block-wise Image Transformation with Secret Key for Adversarially Robust Defense
- URL: http://arxiv.org/abs/2010.00801v1
- Date: Fri, 2 Oct 2020 06:07:12 GMT
- Title: Block-wise Image Transformation with Secret Key for Adversarially Robust Defense
- Authors: MaungMaung AprilPyone, Hitoshi Kiya
- Abstract summary: We develop three algorithms to realize the proposed transformation: Pixel Shuffling, Bit Flipping, and FFX Encryption.
Experiments were carried out on the CIFAR-10 and ImageNet datasets by using both black-box and white-box attacks.
The proposed defense achieves high accuracy close to that of using clean images even under adaptive attacks for the first time.
- Score: 17.551718914117917
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: In this paper, we propose a novel defensive transformation that enables us to
maintain a high classification accuracy under the use of both clean images and
adversarial examples for adversarially robust defense. The proposed
transformation is a block-wise preprocessing technique with a secret key to
input images. We developed three algorithms to realize the proposed
transformation: Pixel Shuffling, Bit Flipping, and FFX Encryption. Experiments
were carried out on the CIFAR-10 and ImageNet datasets by using both black-box
and white-box attacks with various metrics including adaptive ones. The results
show that the proposed defense achieves high accuracy close to that of using
clean images even under adaptive attacks for the first time. In the best-case
scenario, a model trained by using images transformed by FFX Encryption (block
size of 4) yielded an accuracy of 92.30% on clean images and 91.48% under PGD
attack with a noise distance of 8/255, which is close to the non-robust
accuracy (95.45%) for the CIFAR-10 dataset, and it yielded an accuracy of
72.18% on clean images and 71.43% under the same attack, which is also close to
the standard accuracy (73.70%) for the ImageNet dataset. Overall, all three
proposed algorithms are demonstrated to outperform state-of-the-art defenses
including adversarial training whether or not a model is under attack.
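As an added illustration (not code from the paper), a minimal keyed block-wise pixel shuffling in pure Python: the secret key seeds a deterministic PRNG that derives one permutation of a block's pixel positions, which is then applied to every non-overlapping block of a grayscale image. The single shared permutation per key and the grayscale, divisible-size input are simplifying assumptions; the abstract does not spell out the paper's exact construction.

```python
import random

def _block_permutation(block_size: int, key: int) -> list:
    """Derive one permutation of the block's pixel positions from the secret key.
    Assumption: the same permutation is reused for every block of the image."""
    rng = random.Random(key)          # the key is the seed; no key, no permutation
    perm = list(range(block_size * block_size))
    rng.shuffle(perm)
    return perm

def _invert(perm: list) -> list:
    """Return the inverse permutation so the holder of the key can undo the transform."""
    inv = [0] * len(perm)
    for dst, src in enumerate(perm):
        inv[src] = dst
    return inv

def block_shuffle(img: list, block_size: int, key: int, inverse: bool = False) -> list:
    """Block-wise pixel shuffling of a grayscale image given as a list of rows.
    Each block_size x block_size block is flattened, permuted with the key-derived
    permutation, and written back; inverse=True applies the inverse permutation."""
    h, w = len(img), len(img[0])
    if h % block_size or w % block_size:
        raise ValueError("image dimensions must be multiples of block_size")
    perm = _block_permutation(block_size, key)
    if inverse:
        perm = _invert(perm)
    n = block_size * block_size
    out = [row[:] for row in img]
    for r in range(0, h, block_size):
        for c in range(0, w, block_size):
            # flatten the block in row-major order, then out[dst] = block[perm[dst]]
            flat = [img[r + i // block_size][c + i % block_size] for i in range(n)]
            for dst, src in enumerate(perm):
                out[r + dst // block_size][c + dst % block_size] = flat[src]
    return out

def demo() -> bool:
    """Constructed 8x8 test image: transform with block size 4, then undo with the same key."""
    img = [[r * 8 + c for c in range(8)] for r in range(8)]
    enc = block_shuffle(img, 4, key=12345)
    dec = block_shuffle(enc, 4, key=12345, inverse=True)
    return enc != img and dec == img

if __name__ == "__main__":
    print("round trip ok:", demo())
```

Because the transformation is fixed once the key is chosen, a model trained on shuffled images sees a consistent input distribution, while anyone without the key cannot reproduce the exact preprocessing the model expects.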
Related papers
- Anomaly Unveiled: Securing Image Classification against Adversarial Patch Attacks [3.6275442368775512]
Adversarial patch attacks pose a significant threat to the practical deployment of deep learning systems.
In this paper, we investigate the behavior of adversarial patches as anomalies within the distribution of image information.
Our proposed defense mechanism utilizes a clustering-based technique called DBSCAN to isolate anomalous image segments.
arXiv Detail & Related papers (2024-02-09T08:52:47Z)
- Improving Adversarial Robustness of Masked Autoencoders via Test-time Frequency-domain Prompting [133.55037976429088]
We investigate the adversarial robustness of vision transformers equipped with BERT pretraining (e.g., BEiT, MAE).
A surprising observation is that MAE has significantly worse adversarial robustness than other BERT pretraining methods.
We propose a simple yet effective way to boost the adversarial robustness of MAE.
arXiv Detail & Related papers (2023-08-20T16:27:17Z)
- Class-Conditioned Transformation for Enhanced Robust Image Classification [19.738635819545554]
We propose a novel test-time threat model algorithm that enhances Adversarially-Trained (AT) models.
Our method operates through COnditional image transformation and DIstance-based Prediction (CODIP).
The proposed method achieves state-of-the-art results demonstrated through extensive experiments on various models, AT methods, datasets, and attack types.
arXiv Detail & Related papers (2023-03-27T17:28:20Z)
- (Certified!!) Adversarial Robustness for Free! [116.6052628829344]
We certify 71% accuracy on ImageNet under adversarial perturbations constrained to be within a 2-norm of 0.5.
We obtain these results using only pretrained diffusion models and image classifiers, without requiring any fine tuning or retraining of model parameters.
arXiv Detail & Related papers (2022-06-21T17:27:27Z)
- Diffusion Models for Adversarial Purification [69.1882221038846]
Adversarial purification refers to a class of defense methods that remove adversarial perturbations using a generative model.
We propose DiffPure, which uses diffusion models for adversarial purification.
Our method achieves state-of-the-art results, outperforming current adversarial training and adversarial purification methods.
arXiv Detail & Related papers (2022-05-16T06:03:00Z)
- Towards Practical Certifiable Patch Defense with Vision Transformer [34.00374565048962]
We introduce the Vision Transformer (ViT) into the framework of Derandomized Smoothing (DS).
For efficient inference and deployment in the real world, we innovatively reconstruct the global self-attention structure of the original ViT into isolated band unit self-attention.
arXiv Detail & Related papers (2022-03-16T10:39:18Z)
- PatchCleanser: Certifiably Robust Defense against Adversarial Patches for Any Image Classifier [30.559585856170216]
An adversarial patch attack against image classification models aims to inject adversarially crafted pixels within a localized restricted image region (i.e., a patch).
We propose PatchCleanser as a robust defense against adversarial patches that is compatible with any image classification model.
We extensively evaluate our defense on the ImageNet, ImageNette, CIFAR-10, CIFAR-100, SVHN, and Flowers-102 datasets.
arXiv Detail & Related papers (2021-08-20T12:09:33Z)
- Adversarial Robustness by Design through Analog Computing and Synthetic Gradients [80.60080084042666]
We propose a new defense mechanism against adversarial attacks inspired by an optical co-processor.
In the white-box setting, our defense works by obfuscating the parameters of the random projection.
We find that the combination of a random projection and binarization in the optical system also improves robustness against various types of black-box attacks.
arXiv Detail & Related papers (2021-01-06T16:15:29Z)
- Attack Agnostic Adversarial Defense via Visual Imperceptible Bound [70.72413095698961]
This research aims to design a defense model that is robust within a certain bound against both seen and unseen adversarial attacks.
The proposed defense model is evaluated on the MNIST, CIFAR-10, and Tiny ImageNet databases.
The proposed algorithm is attack agnostic, i.e., it does not require any knowledge of the attack algorithm.
arXiv Detail & Related papers (2020-10-25T23:14:26Z)
- Encryption Inspired Adversarial Defense for Visual Classification [17.551718914117917]
We propose a new adversarial defense inspired by image encryption methods.
The proposed method utilizes a block-wise pixel shuffling with a secret key.
It achieves high accuracy (91.55% on clean images and 89.66% on adversarial examples with a noise distance of 8/255 on the CIFAR-10 dataset).
arXiv Detail & Related papers (2020-05-16T14:18:07Z)
- (De)Randomized Smoothing for Certifiable Defense against Patch Attacks [136.79415677706612]
We introduce a certifiable defense against patch attacks that provides guarantees for a given image and patch attack size.
Our method is related to the broad class of randomized smoothing robustness schemes.
Our results effectively establish a new state of the art in certifiable defense against patch attacks on CIFAR-10 and ImageNet.
arXiv Detail & Related papers (2020-02-25T08:39:46Z)
This list is automatically generated from the titles and abstracts of the papers in this site.