Abstract: The emergence of adversarial examples has revealed the inadequacies in the robustness of image classification models based on Convolutional Neural Networks (CNNs). Particularly in recent years, the discovery of natural adversarial examples has posed significant challenges, as traditional defense methods against adversarial attacks have proven to be largely ineffective against these natural adversarial examples. This paper explores defenses against these natural adversarial examples from three perspectives: adversarial examples, model architecture, and dataset. First, it employs Class Activation Mapping (CAM) to visualize how models classify natural adversarial examples, identifying several typical attack patterns. Next, various common CNN models are analyzed to evaluate their susceptibility to these attacks, revealing that different architectures exhibit varying defensive capabilities. The study finds that as the depth of a network increases, its defenses against natural adversarial examples strengthen. Finally, the impact of dataset class distribution on the defense capability of models is examined, focusing on two aspects: the number of classes in the training set and the number of predicted classes. This study investigates how these factors influence the model's ability to defend against natural adversarial examples. Results indicate that reducing the number of training classes enhances the model's defense against natural adversarial examples. Additionally, under a fixed number of training classes, some CNN models show an optimal range of predicted classes for achieving the best defense performance against these adversarial examples.
Funding: supported by the Science and Technology Innovation Program of Hunan Province (No. 2022GK5002, 2024JK2015, 2024JJ5440), the Special Foundation for Distinguished Young Scientists of Changsha (No. kq2209003), the Foreign Expert Project of China (No. G2023041039L), the 111 Project (No. D23006), and in part by the High Performance Computing Center of Central South University.
Abstract: In recent years, defending against adversarial examples has gained significant importance, leading to a growing body of research in this area. Among these studies, pre-processing defense approaches have emerged as a prominent research direction. However, existing adversarial example pre-processing techniques often employ a single pre-processing model to counter different types of adversarial attacks. Such a strategy may miss the nuances between different types of attacks, limiting the comprehensiveness and effectiveness of the defense strategy. To address this issue, we propose a divide-and-conquer reconstruction pre-processing algorithm via multi-classification and multi-network training to more effectively defend against different types of mainstream adversarial attacks. The premise and challenge of the divide-and-conquer reconstruction defense is to distinguish between multiple types of adversarial attacks. Our method designs an adversarial attack classification module that exploits the high-frequency information differences between different types of adversarial examples for their multi-classification, which can hardly be achieved by existing adversarial example detection methods. In addition, we construct a divide-and-conquer reconstruction module that utilizes different trained image reconstruction models for each type of adversarial attack, ensuring optimal defense effectiveness. Extensive experiments show that our proposed divide-and-conquer defense algorithm exhibits superior performance compared to state-of-the-art pre-processing methods.