Denoised Internal Models: A Brain-inspired Autoencoder Against Adversarial Attacks

Abstract

Despite its great success, deep learning suffers severely from a lack of robustness; i.e., deep neural networks are very vulnerable to adversarial attacks, even the simplest ones. Inspired by recent advances in brain science, we propose the denoised internal models (DIM), a novel generative autoencoder-based model to tackle this challenge. Simulating the pipeline in the human brain for visual signal processing, DIM adopts a two-stage approach. In the first stage, DIM uses a denoiser to reduce the noise and the dimensions of inputs, reflecting the information pre-processing in the thalamus. Inspired by the sparse coding of memory-related traces in the primary visual cortex, the second stage produces a set of internal models, one for each category. We evaluate DIM over 42 adversarial attacks, showing that DIM effectively defends against all the attacks and outperforms the SOTA in overall robustness on the MNIST (Modified National Institute of Standards and Technology) dataset.

Acknowledgements

This work was supported by the Science and Technology Innovation 2030 Project of China (Nos. 2021ZD020 23501 and 2021ZD0202600), National Science Foundation of China (NSFC) (Nos. 31970903, 31671104, 31371059 and 32225023), Shanghai Ministry of Science and Technology (No. 19ZR1477400), NSFC and the German Research Foundation (DFG) in Project Crossmodal Learning (No. 62061136001/TRR-169).

Author information

Corresponding authors

Correspondence to Ji-Song Guan or Yi Zhou.

Additional information

Colored figures are available in the online version at https://link.springer.com/journal/11633

Kai-Yuan Liu received the B. Sc. degree in applied mathematics from Tsinghua University, China in 2017. Currently, he is a Ph. D. degree candidate in biology at School of Life Sciences, Tsinghua University, China.

His research interests include memory-coding mechanism in neural system, deep learning, brain-inspired intelligence, and pattern recognition.

Xing-Yu Li received the B. Sc. degree in applied physics from Anhui Jianzhu University, China in 2011, the M. Sc. degree in computer science from University of California, USA in 2020, and the Ph. D. degree in atomic and molecular physics from University of Science and Technology of China, China in 2017. Currently, he is a post-doctoral researcher with Shanghai Center for Brain Science and Brain-Inspired Technology, China.

His research interests include deep learning, brain-inspired intelligence, and pattern recognition.

Yu-Rui Lai received the B. Eng. degree in computer science and technology from ShanghaiTech University, China in 2021. He is currently a master student in computer science and technology, ShanghaiTech University, China.

His research interests include brain-inspired deep learning, model compression, and graph neural networks.

Hang Su received the B. Eng. degree in computer science and technology from ShanghaiTech University, China in 2021. He is currently a master student with School of Information Science and Technology, ShanghaiTech University, China.

His research interests include simultaneous localization and mapping (SLAM), computer vision, and deep learning.

Jia-Chen Wang received the B. Eng. degree in computer science and technology from ShanghaiTech University, China in 2022, and is currently a master student in electronic and computer engineering at University of Michigan, USA.

His research interests include multi-agent reinforcement learning and game theory.

Chun-Xu Guo is a master student in biomedical engineering at ShanghaiTech University, China in 2022. He was a research assistant at Guan Laboratory, ShanghaiTech University, China in 2020. He is currently a research assistant in IDEALab at School of Biomedical Engineering, ShanghaiTech University, China.

His research interests include medical image analysis, MRI reconstruction, and neuro-computation.

Hong Xie received the B. Sc. degree in life sciences from Wuhan University, China in 2001, and the Ph. D. degree in life sciences from Institute of Neuroscience, Chinese Academy of Sciences, China in 2006. From 2007 to 2010, she was a post-doctoral researcher with Harvard Medical School Massachusetts General Hospital, USA. From 2011 to 2018, she was an assistant investigator with School of Life Sciences, Tsinghua University, China. From 2018 to 2021, she was an associate investigator with Zhangjiang Laboratory Brain and Intelligence Technology Research Institute, China. She is now an associate professor with University of Shanghai for Science and Technology, China. She has authored or co-authored several peer-reviewed papers in top international journals, including Nature Communications, Journal of Neuroscience and PNAS.

Her research interests include the memory-coding mechanism and neural circuit of learning and memory in the mammalian brain.

Ji-Song Guan received the B. Sc. degree in life sciences from Nanjing University, China in 2001, and the Ph. D. degree in life sciences from Institute of Neuroscience, Chinese Academy of Sciences, China in 2006. From 2006 to 2010, he was a post-doctoral researcher with Massachusetts Institute of Technology (MIT), USA. From 2011 to 2017, he was a professor (associate) with School of Life Sciences, Tsinghua University, China. From 2017 to 2021, he was an associate professor (tenure-track) with School of Life Science and Technology, ShanghaiTech University, China. He is now an associate professor (tenured) with School of Life Science and Technology, ShanghaiTech University, China. He has authored or co-authored several peer-reviewed papers in top international journals, including Nature, Cell, Nature Neuroscience, Neuron, Nature Communications and PNAS.

His research interests include the memory-coding mechanism and neural circuit of learning and memory in the mammalian brain.

Yi Zhou received the B. Eng. degree (special class for gifted young (SCGY)) and the Ph. D. degree in computer science from University of Science and Technology of China, China in 2001 and 2006, respectively. From 2006 to 2011, he was a post-doctoral researcher with West Sydney University (WSU), Australia. He was a lecturer (from 2011 to 2015) and a senior lecturer (from 2016 to 2018) with School of Computing and Mathematics, WSU, Australia. From 2018 to 2019, he was a research fellow with Center of Computational Neuroscience and Brain-inspired Intelligence, Zhangjiang National Laboratory, China. From 2019 to 2022, he was a research fellow with Department of Computational Neuroscience and Brain-inspired Intelligence, Shanghai Center for Brain Science and Brain-Inspired Technology, China. He is now a full professor with School of Information Science and Technology, University of Science and Technology of China, China. He has authored or co-authored more than 50 peer-reviewed papers in leading AI journals and conferences, including 6 long articles in one of the most prestigious AI journals — Artificial Intelligence. He has served as the (senior) program committee member of many top-tier AI conferences including IJCAI, AAAI, ECAI, KR, etc. He won the championship of automated math question answering competition at SemEval’19 with colleagues.

His research interests include cognitive artificial intelligence, brain-inspired intelligence, AI-based automated math question answering for International Math Olympiad (IMO), and AI solutions for real-life applications.

About this article

Cite this article

Liu, KY., Li, XY., Lai, YR. et al. Denoised Internal Models: A Brain-inspired Autoencoder Against Adversarial Attacks. Mach. Intell. Res. 19, 456–471 (2022). https://doi.org/10.1007/s11633-022-1375-7

  • DOI: https://doi.org/10.1007/s11633-022-1375-7

Keywords

  • Brain-inspired learning
  • autoencoder
  • robustness
  • adversarial attack
  • generative model