当前位置:
X-MOL 学术
›
arXiv.cs.AI
›
论文详情
Our official English website, www.x-mol.net, welcomes your
feedback! (Note: you will need to create a separate account there.)
Structure-Preserving Progressive Low-rank Image Completion for Defending Adversarial Attacks
arXiv - CS - Artificial Intelligence Pub Date : 2021-03-04 , DOI: arxiv-2103.02781 Zhiqun Zhao, Hengyou Wang, Hao Sun, Zhihai He
arXiv - CS - Artificial Intelligence Pub Date : 2021-03-04 , DOI: arxiv-2103.02781 Zhiqun Zhao, Hengyou Wang, Hao Sun, Zhihai He
Deep neural networks recognize objects by analyzing local image details and
summarizing their information along the inference layers to derive the final
decision. Because of this, they are prone to adversarial attacks. Small
sophisticated noise in the input images can accumulate along the network
inference path and produce wrong decisions at the network output. On the other
hand, human eyes recognize objects based on their global structure and semantic
cues, instead of local image textures. Because of this, human eyes can still
clearly recognize objects from images which have been heavily damaged by
adversarial attacks. This leads to a very interesting approach for defending
deep neural networks against adversarial attacks. In this work, we propose to
develop a structure-preserving progressive low-rank image completion (SPLIC)
method to remove unneeded texture details from the input images and shift the
bias of deep neural networks towards global object structures and semantic
cues. We formulate the problem into a low-rank matrix completion problem with
progressively smoothed rank functions to avoid local minimums during the
optimization process. Our experimental results demonstrate that the proposed
method is able to successfully remove the insignificant local image details
while preserving important global object structures. On black-box, gray-box,
and white-box attacks, our method outperforms existing defense methods (by up
to 12.6%) and significantly improves the adversarial robustness of the network.
中文翻译:
保卫渐进式低阶图像完成防御对抗攻击
深度神经网络通过分析局部图像细节并沿推理层汇总其信息来得出最终决策,从而识别出对象。因此,他们容易受到对抗攻击。输入图像中的少量复杂噪声会沿着网络推理路径累积,并在网络输出端产生错误的决策。另一方面,人眼根据对象的全局结构和语义提示而不是局部图像纹理来识别对象。因此,人眼仍然可以从图像中清楚地识别出物体,这些图像已受到对抗性攻击的严重破坏。这导致了一种非常有趣的方法来防御深度神经网络免受对抗性攻击。在这项工作中,我们建议开发一种保留结构的渐进低阶图像完成(SPLIC)方法,以从输入图像中删除不需要的纹理细节,并将深层神经网络的偏向转向全局对象结构和语义线索。我们将该问题公式化为具有逐步平滑的秩函数的低秩矩阵完成问题,以避免在优化过程中出现局部最小值。我们的实验结果表明,所提出的方法能够成功删除不重要的局部图像细节,同时保留重要的全局对象结构。在黑盒,灰盒和白盒攻击中,我们的方法优于现有防御方法(最多提高12.6%),并显着提高了网络的对抗性。
更新日期:2021-03-05
中文翻译:
保卫渐进式低阶图像完成防御对抗攻击
深度神经网络通过分析局部图像细节并沿推理层汇总其信息来得出最终决策,从而识别出对象。因此,他们容易受到对抗攻击。输入图像中的少量复杂噪声会沿着网络推理路径累积,并在网络输出端产生错误的决策。另一方面,人眼根据对象的全局结构和语义提示而不是局部图像纹理来识别对象。因此,人眼仍然可以从图像中清楚地识别出物体,这些图像已受到对抗性攻击的严重破坏。这导致了一种非常有趣的方法来防御深度神经网络免受对抗性攻击。在这项工作中,我们建议开发一种保留结构的渐进低阶图像完成(SPLIC)方法,以从输入图像中删除不需要的纹理细节,并将深层神经网络的偏向转向全局对象结构和语义线索。我们将该问题公式化为具有逐步平滑的秩函数的低秩矩阵完成问题,以避免在优化过程中出现局部最小值。我们的实验结果表明,所提出的方法能够成功删除不重要的局部图像细节,同时保留重要的全局对象结构。在黑盒,灰盒和白盒攻击中,我们的方法优于现有防御方法(最多提高12.6%),并显着提高了网络的对抗性。