Research PaperNo Access

An Ensemble Learning-Based Cooperative Defensive Architecture Against Adversarial Attacks

Tian Liu

Shanghai Key Lab of Trustworthy Computing, East China Normal University, Shanghai 200062, P. R. China

Institution of Information Science and Engineering, Zaozhuang University, Zaozhuang 277160, P. R. China

Search for more papers by this author

Yunfei Song

Shanghai Key Lab of Trustworthy Computing, East China Normal University, Shanghai 200062, P. R. China

Search for more papers by this author

Ming Hu

Shanghai Key Lab of Trustworthy Computing, East China Normal University, Shanghai 200062, P. R. China

Search for more papers by this author

Jun Xia

Shanghai Key Lab of Trustworthy Computing, East China Normal University, Shanghai 200062, P. R. China

Search for more papers by this author

Jianning Zhang

Shanghai Key Lab of Trustworthy Computing, East China Normal University, Shanghai 200062, P. R. China

Search for more papers by this author

, and

Mingsong Chen

https://orcid.org/0000-0002-3922-0989

Shanghai Key Lab of Trustworthy Computing, East China Normal University, Shanghai 200062, P. R. China

E-mail Address: mschen@sei.ecnu.edu.cn

Corresponding author.

Search for more papers by this author

https://doi.org/10.1142/S0218126621500250Cited by:2 (Source: Crossref)

Abstract

Since Deep Neural Networks (DNNs) have been more and more widely used in safety-critical Intelligent System (IS) applications, the robustness of DNNs becomes a great concern in IS design. Due to the vulnerability of DNN models, adversarial examples generated by malicious attacks may result in disasters. Although there are plenty of defense methods for these adversarial attacks, existing methods can only resist special adversarial attacks. Meanwhile, the accuracy of existing methods degrades dramatically when they process nature examples. To address this problem, we propose an effective Cooperative Defensive Architecture (CDA) that can enhance the robustness of IS devices by integrating heterogeneous base classifiers. Because of the parallel mechanism in ensemble learning, the compressed heterogeneous base classifiers do not increase the prediction time on device. Comprehensive experimental results show that the modified DNNs by our approach cannot only resist adversarial examples more effectively than original model, but also achieve a high accuracy when they process nature examples.

This paper was recommended by Regional Editor Tongquan Wei.

Keywords:

References

1. R. Hadidi, J. Cao, M. S. Ryoo and H. Kim, Robustly executing DNNs in IoT systems using coded distributed computing, Design Automation Conf. (DAC), 2019, p. 234. Crossref, Google Scholar
2. C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna, D. Erhan, I. J. Goodfellow and R. Fergus, Intriguing properties of neural networks, Int. Conf. Learning Representations (ICLR), 2014, pp. 1–10. Google Scholar
3. J. Su, D. V. Vargas and K. Sakurai, One pixel attack for fooling deep neural networks, IEEE Trans. Evolut. Comput. 23 (2019) 828–841. Crossref, Web of Science, Google Scholar
4. I. J. Goodfellow, J. Shlens and C. Szegedy, Explaining and harnessing adversarial examples, Int. Conf. Learning Representations (ICLR), 2015, pp. 1–11. Google Scholar
5. U. Hwang, J. Park, H. Jang, S. Yoon and N. I. Cho, Puvae: A variational autoencoder to purify adversarial examples, IEEE Access 7 (2019) 126582–126593. Crossref, Web of Science, Google Scholar
6. T. Pang, K. Xu, C. Du, N. Chen and J. Zhu, Improving adversarial robustness via promoting ensemble diversity, Int. Conf. Machine Learning (ICML) (2019), pp. 4970–4979. Google Scholar
7. Z. Lu and X. Xu, Deep compression: A compression technology for apron surveillance video, IEEE Access, 7 (2019) 129966–129974. Crossref, Web of Science, Google Scholar
8. X. Liu, J. Pool, S. Han and W. J. Dally, Efficient sparse-winograd convolutional neural networks, Int. Conf. Learning Representations, ICLR, 2018, pp. 1–10. Google Scholar
9. K. Pei, Y. Cao, J. Yang and S. Jana, Deepxplore: Automated whitebox testing of deep learning systems, Int. Symp. Operating Systems Principles (SOSP), 2017, pp. 1–18. Crossref, Google Scholar
10. C. M. Dourado Jr, S. P. P. da Silva, R. V. M. da Nóbrega, A. C. D. S. Barros, P. P. Rebouças Filho and V. H. C. de Albuquerque, Deep learning IoT system for online stroke detection in skull computed tomography images, Comput. Netw. 152 (2019) 25–39. Crossref, Web of Science, Google Scholar
11. L. Ma, F. Xu, F. Zhang, J. Sun, M. Xue, B. Li, C. Chen, T. Su, L. Li, Y. Liu, J. Zhao and Y. Wang, DeepGauge: Multi-granularity testing criteria for deep learning systems, Int. Conf. Automated Software Engineering (ASE), 2018, pp. 120–131. Crossref, Google Scholar
12. A. Kurakin, I. J. Goodfellow and S. Bengio, Adversarial examples in the physical world, Int. Conf. Learning Representations (ICLR), 2017, pp. 1–14. Google Scholar
13. J. Zhang and C. Li, Adversarial examples: Opportunities and challenges, arXiv: 1809.04790. Google Scholar
14. N. Akhtar and A. S. Mian, Threat of adversarial attacks on deep learning in computer vision: A survey. IEEE Access 6 (2018) 14410–14430. Crossref, Web of Science, Google Scholar
15. C. Song, K. He, L. Wang and J. E. Hopcroft, Improving the generalization of adversarial training with domain adaptation, Int. Conf. Learning Representations (ICLR), 2019, pp. 1–14. Google Scholar
16. F. Tramèr, A. Kurakin, N. Papernot, I. J. Goodfellow, D. Boneh and P. McDaniel, Ensemble adversarial training: Attacks and defenses, Int. Conf. Learning Representations (ICLR), 2018, pp. 1–20. Google Scholar
17. W. Xu, D. Evans and Y. Qi, Feature squeezing: Detecting adversarial examples in deep neural networks, Network and Distributed Systems Security Symp. (NDSS), 2018, pp. 1–15. Crossref, Google Scholar
18. G. Huang, Z. Liu, L. van der Maaten and K. Q. Weinberger, Densely connected convolutional networks, IEEE Conf. Computer Vision and Pattern Recognition (CVPR), 2017, 2261–2269. Crossref, Google Scholar
19. N. Papernot, P. McDaniel, X. Wu, S. Jha and A. Swami, Distillation as a defense to adversarial perturbations against deep neural networks, IEEE Conf. Computer Vision and Pattern Recognition (CVPR), 2016, pp. 582–597. Crossref, Google Scholar
20. A. Slavin Ross and F. Doshi-Velez, Improving the adversarial robustness and interpretability of deep neural networks by regularizing their input gradients, AAAI Conf. Artificial Intelligence (AAAI), 2018, pp. 1660–1669. Google Scholar
21. G. E. Hinton, O. Vinyals and J. Dean, Distilling the knowledge in a neural network, arXiv:1503.02531. Google Scholar
22. Hoeffding and Wassily, Probability inequalities for sums of bounded random variables, J. Am. Stat. Assoc. 58 (1963) 13–30. Crossref, Web of Science, Google Scholar
23. A. Krizhevsky, V. Nair and G. Hinton, The CIFAR-10 dataset, http://www.cs.toronto.edu/∼kriz/cifar.html. Google Scholar