Abstract
A one-pixel attack applies maliciously crafted and imperceptible perturbations on just one pixel or a few pixels in an image and can mislead a target deep learning classification model. Defending against this type of attack is a relatively unexplored development in adversarial defence. In this paper, we propose a Patch Selection Denoiser (PSD) approach that removes the few potential attacking pixels in local patches without changing many pixels in a whole image. Without clean training data, it can firstly add random impulse noises to a few images to produce huge amounts of noisy images as inputs and targets in a deep residual network. Next, we can obtain a denoising model based on the Noise2Noise framework. Finally, we design a patch selection algorithm to scan a denoised image in a patch window and compare it with the corresponding part on the test image. Only the patch whose number of pixels with significant absolute difference exceeds a threshold will be detected as the local part containing potential attacking pixels. Thus, this patch will be replaced by the part in the denoised image. Evaluating our approach on a public image dataset CIFAR-10 demonstrates that it can successfully defend against one-, three-, five-pixel and JSMA attacks 98.6%, 98.0%, 97.8% and 98.9% of the time, respectively. Meanwhile, it brings almost no side effects on clean images not subject to one-pixel attacks. The state-of-the-art high defence accuracy proves the effectiveness of our approach.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Szegedy, C., et al.: Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199 (2013)
Das, S., Suganthan, P.N.: Differential evolution: a survey of the state-of-the-art. IEEE Trans. Evol. Comput. 15(1), 4–31 (2011)
Goodfellow, I.J., Shlens, J., Szegedy, C.: Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572 (2014)
Kurakin, A., Goodfellow, I., Bengio, S.: Adversarial examples in the physical world. arXiv preprint arXiv:1607.02533 (2016)
Akhtar, N., Mian, A.: Threat of adversarial attacks on deep learning in computer vision: a survey. IEEE Access 6, 14410–14430 (2018)
Su, J., Vargas, D.V., Sakurai, K.: One pixel attack for fooling deep neural networks. IEEE Trans. Evol. Comput. (2019)
Papernot, N., McDaniel, P., Jha, S., Fredrikson, M., Celik, Z.B., Swami, A.: The limitations of deep learning in adversarial settings. In: 2016 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 372–387. IEEE, March 2016
Moosavi-Dezfooli, S.M., Fawzi, A., Fawzi, O., Frossard, P.: Universal adversarial perturbations. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 1765–1773 (2017)
Lehtinen, J., et al.: Noise2Noise: learning image restoration without clean data. arXiv preprint arXiv:1803.04189 (2018)
Ledig, C., et al.: Photo-realistic single image super-resolution using a generative adversarial network. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 4681–4690 (2017)
Moosavi-Dezfooli, S.-M., Fawzi, A., Frossard, P.: Deepfool: a simple and accurate method to fool deep neural networks. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (2016)
Baluja, S., Fischer, I.: Adversarial transformation networks: learning to generate adversarial examples. arXiv preprint arXiv:1703.09387 (2017)
Kumar, B.K.S.: Image denoising based on non-local means filter and its method noise thresholding. Signal Image Video Process. 7(6), 1211–1227 (2013)
Zhang, J., Zhao, D., Gao, W.: Group-based sparse representation for image restoration. IEEE Trans. Image Process. 23(8), 3336–3351 (2014)
Xu, J., Zhang, L., Zuo, W., Zhang, D., Feng, X.: Patch group based nonlocal self-similarity prior learning for image denoising. In: Proceedings of the IEEE International Conference on Computer Vision, pp. 244–252 (2015)
Gu, S., Zhang, L., Zuo, W., Feng, X.: Weighted nuclear norm minimization with application to image denoising. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 2862–2869 (2014)
Lefkimmiatis, S.: Universal denoising networks: a novel CNN architecture for image denoising. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (2018)
Plötz, T., Roth, S.: Neural nearest neighbors networks. In: Advances in Neural Information Processing Systems (2018)
Krull, A., Tim-Oliver, B., Jug, F.: Noise2Void-Learning Denoising from Single Noisy Images. arXiv preprint arXiv:1811.10980 (2018)
Gross, S., Michael, W.: Training and investigating residual nets. Facebook AI Research (2016)
Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images, vol. 1. no. 4. Technical report, University of Toronto (2009)
He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 770–778 (2016)
Acknowledgement
This research was supported by the National Key R&D Program of China under grant No. 2018YFB1702703, and also supported by the National Natural Science Foundation of China under grant No. U1531122, 71871170 and 61272272.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Chen, D., Xu, R., Han, B. (2019). Patch Selection Denoiser: An Effective Approach Defending Against One-Pixel Attacks. In: Gedeon, T., Wong, K., Lee, M. (eds) Neural Information Processing. ICONIP 2019. Communications in Computer and Information Science, vol 1143. Springer, Cham. https://doi.org/10.1007/978-3-030-36802-9_31
Download citation
DOI: https://doi.org/10.1007/978-3-030-36802-9_31
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-36801-2
Online ISBN: 978-3-030-36802-9
eBook Packages: Computer ScienceComputer Science (R0)