Abstract

We develop a new method for defending deep neural networks against attacks using adversarial dual network learning with randomized nonlinear image transform. We introduce a randomized nonlinear transform to disturb and partially destroy the sophisticated pattern of attack noise. We then design a generative cleaning network to recover the original image content damaged by this nonlinear transform and to remove residual attack noise. We also construct a detector network which serves as the dual network for the target classifier to be defended and is able to detect patterns of attack noise. The generative cleaning network and the detector network are jointly trained using adversarial learning, fighting against each other to minimize both perceptual loss and adversarial loss. Our extensive experimental results demonstrate that our approach improves on the state-of-the-art by large margins for both white-box and black-box attacks. It significantly improves the classification accuracy under white-box attacks over the second-best method by more than 30% on the SVHN dataset and by more than 14% on the challenging CIFAR-10 dataset.

Highlights

  • Deep neural networks are sensitive to adversarial attacks [1]

  • We explore a new approach to defending deep neural networks using adversarial dual network learning with randomized nonlinear image transform

  • We propose a new and unique approach for deep neural network defense using adversarial dual network learning with randomized nonlinear transform of the attacked images


Summary

INTRODUCTION

Deep neural networks are sensitive to adversarial attacks [1]. Very small changes to the input image can fool a state-of-the-art classifier with very high success probability. We explore a new approach to defending deep neural networks using adversarial dual network learning with randomized nonlinear image transform. Attack methods often generate attack noise patterns by exploiting the specific structure or classification behavior of the target deep neural network, so that small noise at the input layer accumulates along the network's inference layers, exceeds the decision threshold at the output layer, and results in a false decision. The key issue in network defense is therefore to randomize or destroy the sophisticated pattern of the attack noise while recovering the original image content. Our main contribution is a new and unique approach for deep neural network defense using adversarial dual network learning with randomized nonlinear transform of the attacked images.

RELATED WORK
RANDOMIZED NONLINEAR IMAGE TRANSFORM
ADVERSARIAL DUAL NETWORK LEARNING
EXPERIMENTAL RESULTS
