
VectorDefense: Vectorization as a Defense to Adversarial Examples

  • Chapter
Soft Computing for Biomedical Applications and Related Topics

Part of the book series: Studies in Computational Intelligence (SCI, volume 899)

Abstract

Training deep neural networks on images represented as grids of pixels has brought to light an interesting phenomenon known as adversarial examples. Inspired by how humans reconstruct abstract concepts, we attempt to encode the input bitmap image as a set of compact, interpretable elements so that the classifier is not fooled by adversarial structures. We take a first step in this direction by experimenting with image vectorization as an input transformation step that maps adversarial examples back onto the natural manifold of MNIST handwritten digits. We compare our method against state-of-the-art input transformations and further discuss the trade-offs between a hand-designed and a learned transformation defense.
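The vectorize-then-rasterize transformation the abstract describes, as an added example that is not the chapter's code and not the authors' pipeline (they trace with Potrace; this stand-alone Python reimplementation uses only the standard library). It thresholds the bitmap, drops 4-connected components below a minimum area (the same role Potrace's turdsize option plays), chains the remaining pixel edges into closed polygons, simplifies them with Ramer-Douglas-Peucker, and rasterizes the polygons back with an even-odd fill so holes survive. The 12x12 ring image, the hand-placed perturbations, and the parameters thresh, min_area and eps are constructed for illustration and are not taken from the chapter.

```python
# Added example, not the chapter's code: a toy vectorize-then-rasterize input
# transformation (threshold -> components with a min-area speckle filter -> chain
# lattice edges into polygons -> Ramer-Douglas-Peucker -> even-odd rasterization).
from collections import defaultdict

def binarize(img, thresh=0.5):
    """Grayscale rows of floats in [0, 1] -> {0, 1}; intensity perturbations vanish here."""
    return [[1 if v >= thresh else 0 for v in row] for row in img]

def components(bits, min_area):
    """Pixels (r, c) in 4-connected components of >= min_area pixels; smaller blobs are speckle."""
    keep, todo = set(), {(r, c) for r, row in enumerate(bits) for c, v in enumerate(row) if v}
    while todo:
        comp, queue = set(), [todo.pop()]
        while queue:
            y, x = queue.pop()
            comp.add((y, x))
            for n in ((y + 1, x), (y - 1, x), (y, x + 1), (y, x - 1)):
                if n in todo:
                    todo.remove(n)
                    queue.append(n)
        if len(comp) >= min_area:  # the role Potrace's 'turdsize' plays
            keep |= comp
    return keep

def trace_loops(pixels):
    """Chain foreground/background unit edges into closed (x, y) polygons, y down; holes are separate loops."""
    out = defaultdict(list)
    for r, c in sorted(pixels):
        if (r - 1, c) not in pixels: out[(c, r)].append((c + 1, r))          # top edge
        if (r, c + 1) not in pixels: out[(c + 1, r)].append((c + 1, r + 1))  # right edge
        if (r + 1, c) not in pixels: out[(c + 1, r + 1)].append((c, r + 1))  # bottom edge
        if (r, c - 1) not in pixels: out[(c, r + 1)].append((c, r))          # left edge
    loops = []
    while out:
        start = next(iter(out))
        loop, v = [start], out[start].pop()
        while v != start:  # in-degree == out-degree at every vertex, so the walk closes
            loop.append(v)
            v = out[v].pop()
        out = defaultdict(list, {k: e for k, e in out.items() if e})
        loops.append(loop)
    return loops

def _perp_dist(p, a, b):
    """Distance from p to chord a-b (to a itself if the chord is degenerate)."""
    dx, dy = b[0] - a[0], b[1] - a[1]
    if dx == 0 and dy == 0:
        return ((p[0] - a[0]) ** 2 + (p[1] - a[1]) ** 2) ** 0.5
    return abs(dy * (p[0] - a[0]) - dx * (p[1] - a[1])) / (dx * dx + dy * dy) ** 0.5

def rdp(points, eps):
    """Ramer-Douglas-Peucker: keep endpoints plus, recursively, any point > eps from their chord."""
    if len(points) < 3:
        return list(points)
    idx, dmax = 0, -1.0
    for i in range(1, len(points) - 1):
        d = _perp_dist(points[i], points[0], points[-1])
        if d > dmax:
            idx, dmax = i, d
    if dmax <= eps:
        return [points[0], points[-1]]
    return rdp(points[:idx + 1], eps)[:-1] + rdp(points[idx:], eps)

def simplify_loop(loop, eps):
    """Close the loop, run RDP, drop the repeat, then remove vertices collinear with their neighbours."""
    pts = rdp(loop + [loop[0]], eps)[:-1]
    keep = []
    for i in range(len(pts)):
        (ax, ay), (bx, by), (cx, cy) = pts[i - 1], pts[i], pts[(i + 1) % len(pts)]
        if (bx - ax) * (cy - by) - (by - ay) * (cx - bx) != 0:
            keep.append(pts[i])
    return keep

def rasterize(loops, h, w):
    """Even-odd fill at pixel centres: odd number of edge crossings -> foreground, so holes stay holes."""
    img = [[0] * w for _ in range(h)]
    for r in range(h):
        for c in range(w):
            px, py, inside = c + 0.5, r + 0.5, False
            for loop in loops:
                for i in range(len(loop)):
                    (xi, yi), (xj, yj) = loop[i], loop[i - 1]
                    if (yi > py) != (yj > py) and px < xj + (py - yj) * (xi - xj) / (yi - yj):
                        inside = not inside
            img[r][c] = int(inside)
    return img

def vector_defense(img, thresh=0.5, min_area=3, eps=0.5):
    """The transformation: returns the re-rasterized binary image and the polygons it came from."""
    bits = binarize(img, thresh)
    loops = [simplify_loop(l, eps) for l in trace_loops(components(bits, min_area))]
    return rasterize(loops, len(bits), len(bits[0])), loops

def make_example():
    """Constructed 12x12 '0'-like ring with hand-placed perturbations (not MNIST data)."""
    clean = [[1.0 if 2 <= r <= 9 and 2 <= c <= 9 and not (4 <= r <= 7 and 4 <= c <= 7) else 0.0
              for c in range(12)] for r in range(12)]
    adv = [row[:] for row in clean]
    adv[0][11], adv[5][5] = 0.9, 0.95  # isolated speckles: one in the background, one in the hole
    adv[11][0] = adv[11][1] = 0.9      # two-pixel blob, below min_area
    adv[1][5], adv[6][2] = 0.3, 0.7    # faint background noise (thresholded away); dimmed stroke pixel (kept)
    return clean, adv
```

Calling vector_defense on the constructed input returns the clean ring and a vector form of two four-vertex loops (the outer square and the hole): isolated speckles never survive the minimum-area filter and intensity changes on the stroke are absorbed by the threshold. That is the projection onto a compact representation that the abstract refers to, not a robustness result. The pipeline is hand-designed and non-differentiable, so evaluating it as a defense has to include adaptive attacks that know the transformation, for instance perturbations that extend or bridge strokes above the threshold rather than adding isolated pixels; that is the setting in which many input-transformation defenses have been shown to be circumventable.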



Notes

  1. We use clean and real images interchangeably to refer to real dataset examples (without any perturbations).

  2. http://potrace.sourceforge.net/.

  3. https://inkscape.org/.


Acknowledgements

We thank Zhitao Gong, Chengfei Wang for feedback on the drafts; and Nicholas Carlini and Nicolas Papernot for helpful discussions.

Author information

Corresponding author: Anh Nguyen.


Copyright information

© 2021 The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Nature Switzerland AG

About this chapter

Cite this chapter

Kabilan, V.M., Morris, B., Nguyen, HP., Nguyen, A. (2021). VectorDefense: Vectorization as a Defense to Adversarial Examples. In: Kreinovich, V., Hoang Phuong, N. (eds) Soft Computing for Biomedical Applications and Related Topics. Studies in Computational Intelligence, vol 899. Springer, Cham. https://doi.org/10.1007/978-3-030-49536-7_3
