Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Evaluation of Defense Methods Against the One-Pixel Attack on Deep Neural Networks
Blekinge Institute of Technology. student.
Blekinge Institute of Technology. student.
Blekinge Institute of Technology, Faculty of Computing, Department of Computer Science.ORCID iD: 0000-0002-9316-4842
2023 (English)In: 35th Annual Workshop of the Swedish Artificial Intelligence Society SAIS 2023 / [ed] Håkan Grahn, Anton Borg and Martin Boldt, Linköping University Electronic Press, 2023, p. 49-57Conference paper, Published paper (Refereed)
Abstract [en]

The one-pixel attack is an image attack method for creating adversarial instances with minimal perturbations, i.e., pixel modification. The attack method makes the adversarial instances difficult to detect as it only manipulates a single pixel in the image. In this paper, we study four different defense approaches against adversarial attacks, and more specifically the one-pixel attack, over three different models. The defense methods used are: data augmentation, spatial smoothing, and Gaussian data augmentation used during both training and testing. The empirical experiments involve the following three models: all convolutional network (CNN), network in network (NiN), and the convolutional neural network VGG16. Experiments were executed and the results show that Gaussian data augmentation performs quite poorly when applied during the prediction phase. When used during the training phase, we see a reduction in the number of instances that could be perturbed by the NiN model. However, the CNN model shows an overall significantly worse performance compared to no defense technique. Spatial smoothing shows an ability to reduce the effectiveness of the one-pixel attack, and it is on average able to defend against half of the adversarial examples. Data augmentation also shows promising results, reducing the number of successfully perturbed images for both the CNN and NiN models. However, data augmentation leads to slightly worse overall model performance for the NiN and VGG16 models. Interestingly, it significantly improves the performance for the CNN model. We conclude that the most suitable defense is dependent on the model used. For the CNN model, our results indicate that a combination of data augmentation and spatial smoothing is a suitable defense setup. For the NiN and VGG16 models, a combination of Gaussian data augmentation together with spatial smoothing is more promising. Finally, the experiments indicate that applying Gaussian noise during the prediction phase is not a workable defense against the one-pixel attack. ©2023, Copyright held by the authors   

Place, publisher, year, edition, pages
Linköping University Electronic Press, 2023. p. 49-57
Series
Linköping Electronic Conference Proceedings, ISSN 1650-3686, E-ISSN 1650-3740
National Category
Computer Sciences
Identifiers
URN: urn:nbn:se:bth-25418DOI: 10.3384/ecp199005ISBN: 9789180752749 (electronic)OAI: oai:DiVA.org:bth-25418DiVA, id: diva2:1800649
Conference
The 35th Swedish Artificial Intelligence Society (SAIS'23) annual workshop, Karlskrona, 12-13 June 2023
Available from: 2023-09-27 Created: 2023-09-27 Last updated: 2023-09-27Bibliographically approved

Open Access in DiVA

fulltext(454 kB)39 downloads
File information
File name FULLTEXT01.pdfFile size 454 kBChecksum SHA-512
60a023067dcd1ea93795da4ffdf9e93d0ffd486a1f0c08b7bc5c97ddf5566e56d3cc1056a231f48b487d1e3981edc5f7a903e7479a5c06584c7446c1a28a33c5
Type fulltextMimetype application/pdf

Other links

Publisher's full text

Authority records

Boldt, Martin

Search in DiVA

By author/editor
Boldt, Martin
By organisation
Blekinge Institute of TechnologyDepartment of Computer Science
Computer Sciences

Search outside of DiVA

GoogleGoogle Scholar
Total: 39 downloads
The number of downloads is the sum of all downloads of full texts. It may include eg previous versions that are now no longer available

doi
isbn
urn-nbn

Altmetric score

doi
isbn
urn-nbn
Total: 291 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf