Image Defense Algorithm Against Adversarial Attacks Based on Low-Rank Dimensionality Reduction and Sparse Reconstruction

Xifan Zhang; Lingzhi Yu

doi:10.3788/LOP202259.1210004

Journals >Laser & Optoelectronics Progress >Volume 59 >Issue 12 >Page 1210004 > Article

Laser & Optoelectronics Progress
Vol. 59, Issue 12, 1210004 (2022)

Image Defense Algorithm Against Adversarial Attacks Based on Low-Rank Dimensionality Reduction and Sparse Reconstruction

Xifan Zhang^* and Lingzhi Yu

Author Affiliations

School of Electrical and Information Engineering, Tianjin University, Tianjin 300072, China

show less

DOI: 10.3788/LOP202259.1210004 Cite this Article Set citation alerts

Xifan Zhang, Lingzhi Yu. Image Defense Algorithm Against Adversarial Attacks Based on Low-Rank Dimensionality Reduction and Sparse Reconstruction[J]. Laser & Optoelectronics Progress, 2022, 59(12): 1210004 Copy Citation Text

show less

Fig. 1. Flow chart of proposed algorithm

Download full size

Fig. 2. Multi-scale reconstruction

Download full size

Fig. 3. Proposed defense algorithm

Download full size

Fig. 4. Defense effects of each algorithm

Download full size

Layer 1				Layer 2				Layer 3
$k$	$d$	$t$		$k$	$d$	$t$		$k$	$d$	$t$
1000	14	6		300	7	5		100	4	4

Table 1. Parameter settings for sparse coding

Attack algorithm	$Δ$	Proposed algorithm	JPEG	TVM	PDWD	ComDefend
FGSM	0.01	36.4/34.0	30.8/28.9	35.0/32.8	28.0/26.5	31.5/27.3
	0.02	34.2/32.3	27.0/18.0	34.6/30.0	26.1/19.0	27.0/20.1
	0.03	31.1/26.0	18.6/13.4	30.9/24.0	22.7/14.1	21.3/13.3
	0.04	29.2/21.9	15.4/12.0	28.7/21.5	17.1/10.4	16.4/11.7
	Average	32.7/28.6	23.0/19.6	32.3/27.1	23.5/17.5	24.1/18.1
BIM	0.01	38.1/43.5	37.4/32.7	40.0/41.0	35.0/35.5	37.4/31.2
	0.02	44.7/39.7	29.2/18.0	42.0/40.7	36.8/27.3	33.9/25.6
	0.03	46.9/35.8	19.6/10.9	43.9/32.6	30.7/15.0	26.3/16.9
	0.04	43.4/30.0	14.3/7.3	40.5/29.5	18.9/8.1	23.7/10.2
	Average	43.3/37.3	25.1/17.2	41.6/36.0	30.4/21.5	30.3/21.0
DeepFool	0.01	49.1/46.4	35.8/31.2	43.0/38.1	33.3/24.7	38.8/29.5
	0.02	43.1/33.4	23.0/17.9	40.9/30.6	26.4/18.9	31.1/21.6
	0.03	38.5/26.7	19.4/11.6	37.7/25.6	23.0/12.1	22.1/16.2
	0.04	32.9/20.8	15.4/7.5	18.9/14.1	16.3/8.6	16.6/11.0
	Average	40.9/31.8	23.4/17.1	35.1/27.1	24.8/16.1	27.1/19.6
Total average		39.0/32.6	23.8/18.0	36.3/30.1	26.2/18.4	27.2/19.6

Table 2. Top-1 classification accuracy of each defense algorithm

Attack algorithm	$Δ$	NMF	NMF+MSC	Variety
FGSM	0.01	31.4/32.0	36.4/34.0	5.0/2.0
	0.02	28.8/27.6	34.2/32.3	5.4/4.7
	0.03	28.6/21.3	31.1/26.0	2.5/4.7
	0.04	26.0/19.1	29.2/21.9	3.2/3.8
BIM	0.01	36.7/37.3	38.1/43.5	1.4/6.2
	0.02	39.3/33.9	44.7/39.7	5.4/5.8
	0.03	39.6/30.4	46.9/35.8	7.3/5.4
	0.04	37.1/23.3	43.4/30.0	6.3/6.7
DeepFool	0.01	41.2/36.9	49.1/46.4	7.9/9.5
	0.02	37.5/27.6	43.1/33.4	5.5/5.8
	0.03	31.9/22.0	38.5/26.7	6.6/4.7
	0.04	26.0/16.8	32.9/20.8	6.9/4.0

Table 3. Top-1 classification accuracy of NMF and NMF+MSC

Attack algorithm	$Δ$	Proposed algorithm	JPEG	TVM	PDWD	ComDefend
FGSM	0.01	-6.6	-6.2	-6.3	-5.4	-13.3
	0.02	-5.5	-33.3	-13.3	-27.2	-25.6
	0.03	-16.4	-28.0	-22.3	-37.9	-37.6
	0.04	-25.0	-22.1	-25.1	-39.2	-28.7
	Average	-12.5	-14.8	-16.1	-25.5	-24.9
BIM	0.01	14.2	-12.6	2.5	1.4	-16.6
	0.02	-11.2	-37.7	-3.1	-25.8	-24.5
	0.03	-24.3	-51.5	-25.7	-51.1	-35.7
	0.04	-30.9	-49.0	-27.2	-57.1	-57.0
	Average	-13.8	-31.5	-13.5	-29.3	-30.7
DeepFool	0.01	-5.5	-12.8	-12.0	-25.8	-23.9
	0.02	-22.5	-22.2	-25.2	-28.4	-30.5
	0.03	-30.6	-40.2	-32.1	-47.4	-26.7
	0.04	-36.7	-51.3	-25.4	47.2	-33.7
	Average	-22.2	-26.9	-22.8	-35.1	-27.7
Total average		-16.4	-24.4	-17.1	-29.8	-27.9

Table 4. Change rate of Top-1 classification accuracy after a black box attack is converted to a gray box attack

Model	FGSM	BIM	DeepFool	ICLM	C&W	Average
VGG19	30.1	38.2	33.0	40.1	31.6	34.6
ResNet101	34.9	44.8	41.2	43.7	39.4	40.8
Inception V3	35.4	43.1	42.9	42.8	41.7	41.2
Average	33.5	42.0	39.0	42.2	37.6	38.9

Table 5. Top-1 classification accuracy of proposed algorithm in extended experiments

Download Citation

Set citation alerts for the article

Tools

Set citation alerts for the article

Save the article for my favorites

Paper Information