Improving diversity and quality of adversarial examples in adversarial transformation network

  • Data analytics and machine learning
  • Soft Computing

Abstract

This paper proposes PatternAttack to mitigate two major issues of the Adversarial Transformation Network (ATN): the low diversity and the low quality of its adversarial examples. To address the first issue, this research proposes a pattern-based stacked convolutional autoencoder that generalizes ATN. The proposed autoencoder can support different patterns such as the all-pixel pattern, the object boundary pattern, and the class model map pattern. To address the second issue, this paper presents an algorithm that improves the quality of adversarial examples in terms of \(L_0\)-norm and \(L_2\)-norm. The algorithm employs adversarial pixel ranking heuristics such as JSMA and COI to prioritize adversarial pixels. To demonstrate the advantages of the proposed method, comprehensive experiments have been conducted on the MNIST and CIFAR-10 datasets. For the first issue, the proposed autoencoder generates diverse adversarial examples. For the second issue, the proposed algorithm significantly improves the quality of adversarial examples. In terms of \(L_0\)-norm, the proposed algorithm reduces the number of adversarial pixels from hundreds to one. In terms of \(L_2\)-norm, the proposed algorithm reduces the average distance considerably. These results show that the proposed method can generate high-quality and diverse adversarial examples in practice.

Data Availability

All data and material are available.

Code Availability

All source code is available.

Notes

  1. https://github.com/carlini/nn_robust_attacks.

Acknowledgements

This work is supported by Ministry of Science and Technology, Vietnam under project number KC-4.0-07/19-25, Program KC4.0/19-25. Duc-Anh Nguyen was funded by Vingroup JSC and supported by the Master, PhD Scholarship Programme of Vingroup Innovation Foundation (VINIF), Institute of Big Data, code VINIF.2022.TS001.

Kha Do Minh was funded by Vingroup JSC and supported by the Master, PhD Scholarship Programme of Vingroup Innovation Foundation (VINIF), Institute of Big Data, code VINIF.2021.ThS.24.

Funding

Duc-Anh Nguyen was funded by Vingroup JSC and supported by the Master, PhD Scholarship Programme of Vingroup Innovation Foundation (VINIF), Institute of Big Data, code VINIF.2022.TS001. Kha Do Minh was funded by Vingroup JSC and supported by the Master, PhD Scholarship Programme of Vingroup Innovation Foundation (VINIF), Institute of Big Data, code VINIF.2021.ThS.24.

Author information

Contributions

Conceptualization: PNH, D-AN; Methodology: D-AN, KDM; Formal analysis and investigation: D-AN, KDM; Writing - original draft preparation: D-AN; Writing - review and editing: all authors.

Corresponding author

Correspondence to Pham Ngoc Hung.

Ethics declarations

Conflict of interest

The authors have no relevant financial or non-financial interests to disclose.

Ethics approval

Not applicable.

Informed consent

Not applicable.

About this article

Cite this article

Nguyen, DA., Minh, K.D., Le, K.N. et al. Improving diversity and quality of adversarial examples in adversarial transformation network. Soft Comput 27, 3689–3706 (2023). https://doi.org/10.1007/s00500-022-07655-y

  • DOI: https://doi.org/10.1007/s00500-022-07655-y
