Model Compression Hardens Deep Neural Networks: A New Perspective to Prevent Adversarial Attacks

Bibliographic Details
Published in: IEEE Transactions on Neural Networks and Learning Systems, 2023-01, Vol. 34 (1), p. 3-14
Main Authors: Liu, Qi; Wen, Wujie
Format: Article
Language: English
Description: Deep neural networks (DNNs) have been demonstrating phenomenal success in many real-world applications. However, recent works show that a DNN's decision can be easily misguided by adversarial examples: inputs with imperceptible perturbations crafted by an ill-disposed adversary, causing ever-increasing security concerns for DNN-based systems. Unfortunately, current defense techniques face the following issues: 1) they are usually unable to mitigate all types of attacks, given that diversified attacks, which may occur in practical scenarios, have different natures, and 2) most of them are subject to considerable implementation cost such as complete retraining. This prompts an urgent need for developing a comprehensive defense framework with low deployment costs. In this work, we reveal that "defensive decision boundary" and "small gradient" are two critical conditions to ease the effectiveness of adversarial examples with different properties. We propose to wisely use "hash compression" to reconstruct a low-cost "defensive hash classifier" to form the first line of our defense. We then propose a set of retraining-free "gradient inhibition" (GI) methods to extremely suppress and randomize the gradient used to craft adversarial examples. Finally, we develop a comprehensive defense framework by orchestrating "defensive hash classifier" and "GI." We evaluate our defense across traditional white-box, strong adaptive white-box, and black-box settings. Extensive studies show that our solution can enormously decrease the attack success rate of various adversarial attacks on diverse datasets.
DOI: 10.1109/TNNLS.2021.3089128
ISSN: 2162-237X
EISSN: 2162-2388
Source: IEEE Xplore (Online service)
Subjects: Adversarial defense; adversarial examples; Artificial neural networks; Classifiers; Compression; Computational modeling; deep neural network (DNN); Defense; Iterative methods; model compression; Neural networks; Optimization; Perturbation; Perturbation methods; Robustness; Security; Training