A Novel Adversarial Example Detection Method Based on Frequency Domain Reconstruction for Image Sensors
Authors:
Huang Shuaina (1, 2, 3), Zhang Zhiyong (1, 2, 3), Song Bin (1, 2, 3)
Affiliations:
1. Information Engineering College, Henan University of Science and Technology, Luoyang 471023, China
2. Henan International Joint Laboratory of Cyberspace Security Applications, Henan University of Science and Technology, Luoyang 471023, China
3. Henan Intelligent Manufacturing Big Data Development Innovation Laboratory, Henan University of Science and Technology, Luoyang 471023, China
Abstract
Convolutional neural networks (CNNs) have been extensively used in numerous remote sensing image detection tasks owing to their exceptional performance. Nevertheless, CNNs are often vulnerable to adversarial examples, which limits their use in different safety-critical scenarios. Recently, how to efficiently detect adversarial examples and improve the robustness of CNNs has drawn considerable attention. The existing adversarial example detection methods require modifying CNNs, which not only affects the model performance but also greatly increases training cost. To solve these problems, this study proposes a detection algorithm for adversarial examples that does not need modification of the CNN models and can simultaneously retain the classification accuracy of normal examples. Specifically, we design a method to detect adversarial examples using frequency domain reconstruction. After converting the input adversarial examples into the frequency domain by Fourier transform, the adversarial disturbance from adversarial attacks can be eliminated by modifying the frequency of the example. The inverse Fourier transform is then used to maximize the recovery of the original example. Firstly, we train a CNN to reconstruct input examples. Then, we insert Fourier transform, convolution operation, and inverse Fourier transform into the features of the input examples to automatically filter out adversarial frequencies. We refer to our proposed method as FDR (frequency domain reconstruction), which removes adversarial interference by converting input samples into the frequency domain and reconstructing them back into the spatial domain to restore the image. In addition, we also introduce gradient masking into the proposed FDR method to enhance the detection accuracy of the model for complex adversarial examples.
We conduct extensive experiments on five mainstream adversarial attacks on three benchmark datasets, and the experimental results show that FDR can outperform state-of-the-art solutions in detecting adversarial examples. Additionally, FDR does not require any modifications to the detector and can be integrated with other adversarial example detection methods to be installed in sensing devices to ensure detection safety.
Funder
National Natural Science Foundation of China; Project of Leading Talents in Science and Technology Innovation in Henan Province; Program for Henan Province Key Science and Technology; Henan Province University Key Scientific Research Project