Lund University Publications

CNN adversarial attack mitigation using perturbed samples training

• Mark

Abstract

Susceptibility to adversarial examples is one of the major concerns in convolutional neural networks (CNNs) applications. Training the model with adversarial examples, known as adversarial training, is a common countermeasure to tackle such attacks. In reality, however, defenders are uninformed about how adversarial examples are generated by the attacker. Therefore, it is pivotal to utilize more general alternatives to intrinsically improve the robustness of models. For this purpose, we train CNNs with perturbed samples manipulated by various transformations and contaminated by different noises to foster robustness of networks against adversarial attacks. This idea derived from the fact that both adversarial and noisy samples undermine the... (More)

Susceptibility to adversarial examples is one of the major concerns in convolutional neural networks (CNNs) applications. Training the model with adversarial examples, known as adversarial training, is a common countermeasure to tackle such attacks. In reality, however, defenders are uninformed about how adversarial examples are generated by the attacker. Therefore, it is pivotal to utilize more general alternatives to intrinsically improve the robustness of models. For this purpose, we train CNNs with perturbed samples manipulated by various transformations and contaminated by different noises to foster robustness of networks against adversarial attacks. This idea derived from the fact that both adversarial and noisy samples undermine the classifier accuracy. We propose combination of a convolutional denoising autoencoder with a classifier (CDAEC) as a defensive structure. The proposed method does not add to the computational cost. Experimental results on MNIST database demonstrate that the accuracy of CDAEC trained by perturbed samples against adversarial attacks was more than 71.29%. (Less)