Abstract

Despite their excellent classification performance, recent research has revealed that Convolutional Neural Networks (CNNs) can be readily deceived by only a small adversarial perturbation. Its imperceptibility to human eyes and its transferability from one model to another genuinely threaten the security of a CNN-based system. In this paper, we propose to create multiple independent random binary codes per input class and to train an ensemble of homogeneous CNN classifiers with these codes to improve the adversarial robustness of the networks. The proposed ensemble structure consists of replicas of the same learning architecture, but each network is trained with different random target outputs. The network models are trained simultaneously with their own unique binary codes and optimized through a single, common objective function in an end-to-end manner. Experimental results demonstrate that assigning different encoded labels to each classifier in the ensemble leverages diversity and eventually improves classification performance under adversarial attacks. We also conduct several performance analyses to understand how the different aspects contribute to the robustness of the proposed algorithm. The proposed algorithm provides significantly improved classification accuracies compared to recent related studies, verified with various network architectures, datasets, and adversarial attacks.

Highlights

  • Convolutional Neural Network (CNN) has been extensively employed in computer vision problems including image classification due to its proven effectiveness [1]

  • We discover that providing random binary codebooks for each ensemble model is sufficient to promote diversity despite using a single CNN architecture as an ensemble classifier

  • In this paper, we addressed the fragility of current CNNs against adversarial attacks


Summary

INTRODUCTION

Convolutional Neural Networks (CNNs) have been extensively employed in computer vision problems, including image classification, due to their proven effectiveness [1]. Other major approaches to handling adversarial examples make it difficult for attackers to choose a harmful gradient direction. To achieve this goal, some preliminary works transform the output encodings of CNNs by increasing their dimension or randomizing the target representations [7], [8]. We propose a random binary ensemble model that exploits multiple binary encoded labels to improve the adversarial robustness of CNNs against white-box attack models. We discover that providing random binary codebooks for each ensemble model is sufficient to promote diversity despite using a single CNN architecture as the ensemble classifier. With this powerful combination, we show that it is unnecessary to include adversarial examples in the training dataset, as most other defenses do [12], [16], [17]. Once the generation of the codebook is completed, the target output is used for training an individual CNN.
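As an added illustration of the codebook idea described in the abstract and above (not code from the paper, which does not state its decoding rule in this summary), the block below draws an independent random binary codebook per ensemble member, encodes a class label as each member's training target, and decodes a test input by summing Hamming distances over all members. The Hamming-sum decoder, the 0.5 threshold on network outputs, and all function names are assumptions.

```python
import random
from typing import List, Sequence

Codebook = List[List[int]]  # num_classes rows, each a binary codeword


def make_codebook(num_classes: int, code_len: int, rng: random.Random) -> Codebook:
    """Draw num_classes distinct random binary codewords of length code_len."""
    if code_len < 1 or num_classes > 2 ** code_len:
        raise ValueError("code_len too short for the number of classes")
    codebook: Codebook = []
    seen = set()
    while len(codebook) < num_classes:
        word = [rng.randint(0, 1) for _ in range(code_len)]
        if tuple(word) in seen:  # two classes must never share a target code
            continue
        seen.add(tuple(word))
        codebook.append(word)
    return codebook


def make_ensemble_codebooks(num_members: int, num_classes: int,
                            code_len: int, seed: int = 0) -> List[Codebook]:
    """One independently drawn codebook per ensemble member (hypothetical sizes)."""
    rng = random.Random(seed)
    return [make_codebook(num_classes, code_len, rng) for _ in range(num_members)]


def encode_label(codebooks: List[Codebook], member: int, label: int) -> List[int]:
    """Target output that ensemble member `member` is trained toward for `label`."""
    return codebooks[member][label]


def hamming(a: Sequence[int], b: Sequence[int]) -> int:
    return sum(x != y for x, y in zip(a, b))


def decode_ensemble(codebooks: List[Codebook], outputs: List[Sequence[float]]) -> int:
    """Assumed decoder: threshold each member's real-valued output at 0.5 and
    return the class whose codewords are jointly closest across all members."""
    num_classes = len(codebooks[0])
    bits = [[1 if v >= 0.5 else 0 for v in out] for out in outputs]
    scores = [sum(hamming(bits[m], codebooks[m][c]) for m in range(len(codebooks)))
              for c in range(num_classes)]
    return min(range(num_classes), key=scores.__getitem__)


if __name__ == "__main__":
    cbs = make_ensemble_codebooks(num_members=3, num_classes=10, code_len=16, seed=1)
    clean = [[float(b) for b in encode_label(cbs, m, 7)] for m in range(3)]
    print(decode_ensemble(cbs, clean))  # constructed clean outputs decode to class 7
```

With three members and distinct codewords inside every codebook, a single flipped bit in one member's output cannot change the decoded class, since every competing class stays at total distance of at least two.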

RANDOM ENSEMBLE CLASSIFIER
TRAINING
TESTING WITH ADVERSARIAL EXAMPLES
EXPERIMENT
EXPERIMENTAL SETTING
Findings
CONCLUSION