Abstract
Deep convolutional neural networks (DCNNs) have been widely deployed in real-world scenarios. However, DCNNs are easily tricked by adversarial examples, which present challenges for critical applications such as vehicle classification. To address this problem, we propose a novel end-to-end convolutional network for joint detection and removal of adversarial perturbations by denoising (DDAP). The DDAP detector identifies adversarial examples, and the DDAP denoiser then removes the adversarial perturbations from them. The proposed method can be regarded as a pre-processing step: it does not require modifying the structure of the vehicle classification model and hardly affects the classification results on clean images. We consider four kinds of adversarial attack (FGSM, BIM, DeepFool, PGD) to verify DDAP’s capabilities when trained on BIT-Vehicle and other public datasets. DDAP provides better defense than other state-of-the-art defensive methods.
Acknowledgements
This work was supported in part by the National Natural Science Foundation of China (61872047, 61720106007), the National Key R&D Program of China (2017YFB1003000), the Beijing Nova Program (Z201100006820124), the Beijing Natural Science Foundation (L191004), and the 111 Project (B18008).
Author information
Peng Liu is a master's degree student at the School of Computer Science, Beijing University of Posts and Telecommunications. His research interests include adversarial defense and semantic segmentation.
Huiyuan Fu received his Ph.D. degree in computer science from Beijing University of Posts and Telecommunications in 2014. He is an associate professor at the School of Computer Science, Beijing University of Posts and Telecommunications. His research area includes visual big data, machine learning and pattern recognition, multimedia systems, etc. He received the Best Student Paper Award at ICME in 2016.
Huadong Ma received his Ph.D. degree in computer science from the Institute of Computing Technology, Chinese Academy of Science (CAS), in 1995, M.S. degree in computer science from Shenyang Institute of Computing Technology, CAS, in 1990, and B.S. degree in mathematics from Henan Normal University, China, in 1984. He is a professor at the School of Computer Science, Beijing University of Posts and Telecommunications. His research interests include multimedia networks and systems, the internet of things, and sensor networks. He has published over 300 papers in these fields.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made.
The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.
To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
Other papers from this open access journal are available free of charge from http://www.springer.com/journal/41095. To submit a manuscript, please go to https://www.editorialmanager.com/cvmj.
About this article
Cite this article
Liu, P., Fu, H. & Ma, H. An end-to-end convolutional network for joint detecting and denoising adversarial perturbations in vehicle classification. Comp. Visual Media 7, 217–227 (2021). https://doi.org/10.1007/s41095-021-0202-3
DOI: https://doi.org/10.1007/s41095-021-0202-3