TY - JOUR
T1 - EEJE: Two-Step Input Transformation for Robust DNN against Adversarial Examples
AU - Choi, Seok Hwan
AU - Shin, Jinmyeong
AU - Liu, Peng
AU - Choi, Yoon Ho
N1 - Funding Information:
Manuscript received March 29, 2020; revised June 30, 2020; accepted July 5, 2020. Date of publication July 10, 2020; date of current version July 7, 2021. This work was supported by the Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science, ICT and Future Planning, Republic of Korea (NRF-2018R1D1A3B07043392) and by the LG Yonam Foundation (of Korea). Peng Liu was partially supported by ARO W911NF-13-1-0421 (MURI). Recommended for acceptance by Dr. Zhihong Tian. (Corresponding author: Yoon-Ho Choi.) Seok-Hwan Choi, Jinmyeong Shin, and Yoon-Ho Choi are with the School of Computer Science and Engineering, Pusan National University, Busan 46241, South Korea (e-mail: [email protected]; [email protected]; [email protected]).
Publisher Copyright:
© 2013 IEEE.
PY - 2021/4/1
Y1 - 2021/4/1
N2 - Adversarial examples are human-imperceptible perturbations of the inputs to machine learning models. When used to attack a model, an adversarial example causes it to produce a false positive or a false negative. So far, two representative defense architectures have shown a significant effect: (1) the model retraining architecture and (2) the input transformation architecture. However, previous defense methods in both architectures fail to produce good outputs for every input, i.e., for both adversarial examples and legitimate inputs: model retraining methods produce false negatives for unknown adversarial examples, and input transformation methods produce false positives for legitimate inputs. To produce good-enough outputs for every input, we propose and evaluate a new input transformation architecture based on a two-step input transformation. To overcome the limitations of the two previous defense methods, we set out to answer the following question: how can the performance of a Deep Neural Network (DNN) model on legitimate inputs be maintained while providing good robustness against various adversarial examples? Evaluation results under various conditions show that the proposed two-step input transformation architecture gives DNN models good robustness against state-of-the-art adversarial perturbations while maintaining high accuracy on legitimate inputs.
UR - http://www.scopus.com/inward/record.url?scp=85112247583&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85112247583&partnerID=8YFLogxK
U2 - 10.1109/TNSE.2020.3008394
DO - 10.1109/TNSE.2020.3008394
M3 - Article
AN - SCOPUS:85112247583
SN - 2327-4697
VL - 8
SP - 908
EP - 920
JO - IEEE Transactions on Network Science and Engineering
JF - IEEE Transactions on Network Science and Engineering
IS - 2
M1 - 9138779
ER -