Skip to main content
SpringerLink
Log in

Adversarial Defense via Attention-Based Randomized Smoothing

  • Conference paper
  • First Online:
Artificial Neural Networks and Machine Learning – ICANN 2020 (ICANN 2020)

Part of the book series: Lecture Notes in Computer Science ((LNTCS,volume 12396))

Included in the following conference series:

  • 3108 Accesses

Abstract

Recent works have shown the effectiveness of randomized smoothing in adversarial defense. This paper presents a new understanding of randomized smoothing. Features that are vulnerable to noise are not conducive to the prediction of model under adversarial perturbations. An enhanced defense called Attention-based Randomized Smoothing (ARS) is proposed. Based on smoothed classifier, ARS designs a mixed attention module, which helps model merge smoothed feature with original feature and pay more attention to robust feature. The advantages of ARS are manifested in four ways: 1) Superior performance on both clean and adversarial samples. 2) Without pre-processing in inference. 3) Explicable attention map. 4) Compatible with other defense methods. Experiment results demonstrate that ARS achieves the state-of-the-art defense against adversarial attacks on MNIST and CIFAR-10 datasets, outperforming Salman’s defense when the attacks are limited to a maximum norm.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 84.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 109.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Nguyen A., Yosinski, J., Clune, J.: Deep neural networks are easily fooled: high confidence predictions for unrecognizable images. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 427–436 (2015)

    Google Scholar 

  2. Cohen, J.M., Rosenfeld, E., Kolter, Z.: Certified adversarial robustness via randomized smoothing. arXiv preprint arXiv:1902.02918 (2019)

  3. Salman, H., et al.: Provably robust deep learning via adversarially trained smoothed classifiers. In: Advances in Neural Information Processing Systems, pp. 11289–11300 (2019)

    Google Scholar 

  4. Ilyas, A., Santurkar, S., Tsipras, D., Engstrom, L., Tran, B., Madry, A.: Adversarial examples are not bugs, they are features. arXiv preprint arXiv:1905.02175 (2019)

  5. Wu, S., et al.: Attention, please! adversarial defense via attention rectification and preservation. arXiv preprint arXiv:1811.09831 (2018)

  6. Goodman, D., Li, X., Huan, J., Wei, T.: Improving adversarial robustness via attention and adversarial logit pairing. arXiv preprint arXiv:1908.11435 (2019)

  7. Selvaraju, R.R., Cogswell, M., Das, A., Vedantam, R., Parikh, D., Batra, D.: Grad-cam: visual explanations from deep networks via gradient-based localization. In: Proceedings of the IEEE International Conference on Computer Vision, pp. 618–626 (2017)

    Google Scholar 

  8. Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083 (2017)

  9. Kurakin, A., Goodfellow, I., Bengio, S.: Adversarial machine learning at scale. arXiv preprint arXiv:1611.01236 (2016)

  10. Rony, J., Hafemann, L.G., Oliveira, L.S., Ayed, I.B., Sabourin, R., Granger, E.: Decoupling direction and norm for efficient gradient-based l2 adversarial attacks and defenses. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 4322–4330 (2019)

    Google Scholar 

  11. Kannan, H., Kurakin, A., Goodfellow, I.: Adversarial logit pairing. arXiv preprint arXiv:1803.06373 (2018)

  12. Xie, C., Wang, J., Zhang, Z., Ren, Z., Yuille, A.: Mitigating adversarial effects through randomization. arXiv preprint arXiv:1711.01991 (2017)

  13. Mustafa, A., Khan, S.H., Hayat, M., Shen, J., Shao, L.: Image super-resolution as a defense against adversarial attacks. arXiv preprint arXiv:1901.01677 (2019)

  14. Woo, S., Park, J., Lee, J.-Y., Kweon, I.S.: CBAM: convolutional block attention module. In: Proceedings of the European Conference on Computer Vision (ECCV), pp. 3–19 (2018)

    Google Scholar 

  15. Carlini, N., Wagner, D.: Towards evaluating the robustness of neural networks. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 39–57. IEEE (2017)

    Google Scholar 

  16. Moosavi-Dezfooli, S.-M., Fawzi, A., Frossard, P.: DeepFool: a simple and accurate method to fool deep neural networks. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 2574–2582 (2016)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. School of Cyber Science and Engineering, Southeast University, Nanjing, China

    Xiao Xu, Shiyu Feng, Zheng Wang & Yining Hu

  2. Jiangsu Provincial Key Laboratory of Computer Network Technology, Nanjing, China

    Zheng Wang & Yining Hu

  3. Jiangsu Key Laboratory of Oral Diseases, Nanjing Medical University, Nanjing, China

    Lizhe Xie

  4. Institute of Stomatology, Nanjing Medical University, Nanjing, China

    Lizhe Xie

Authors
  1. Xiao Xu
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Shiyu Feng
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Zheng Wang
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Lizhe Xie
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Yining Hu
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Yining Hu .

Editor information

Editors and Affiliations

  1. Department of Applied Informatics, Comenius University in Bratislava, Bratislava, Slovakia

    Igor Farkaš

  2. Department of Applied Mathematics and Computer Science, Technical University of Denmark, Kgs. Lyngby, Denmark

    Paolo Masulli

  3. Department of Informatics, University of Hamburg, Hamburg, Germany

    Stefan Wermter

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Xu, X., Feng, S., Wang, Z., Xie, L., Hu, Y. (2020). Adversarial Defense via Attention-Based Randomized Smoothing. In: Farkaš, I., Masulli, P., Wermter, S. (eds) Artificial Neural Networks and Machine Learning – ICANN 2020. ICANN 2020. Lecture Notes in Computer Science(), vol 12396. Springer, Cham. https://doi.org/10.1007/978-3-030-61609-0_36

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-61609-0_36

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-61608-3

  • Online ISBN: 978-3-030-61609-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation