Novel defense based on softmax activation transformation
Deep learning is widely used in various fields such as image processing, natural language processing, network mining and so on. However, it is vulnerable to malicious adversarial attacks and many defensive methods have been proposed accordingly. Most defense methods are attack-dependent and require de...
Main Authors: | Jinyin CHEN, Changan WU, Haibin ZHENG |
---|---|
Format: | Article |
Language: | English |
Published: | POSTS&TELECOM PRESS Co., LTD, 2022-04-01 |
Series: | 网络与信息安全学报 |
Subjects: | deep learning; adversarial defense; certifiable; attack-free |
Online Access: | http://www.cjnis.com.cn/thesisDetails#10.11959/j.issn.2096-109x.2022016 |
_version_ | 1841529812727889920 |
---|---|
author | Jinyin CHEN; Changan WU; Haibin ZHENG |
collection | DOAJ |
description | Deep learning is widely used in various fields such as image processing, natural language processing, network mining and so on. However, it is vulnerable to malicious adversarial attacks and many defensive methods have been proposed accordingly. Most defense methods are attack-dependent and require defenders to generate massive adversarial examples in advance. The defense cost is high and it is difficult to resist black-box attacks. Some of these defenses even affect the recognition of normal examples. In addition, the current defense methods are mostly empirical, without certifiable theoretical support. Softmax activation transformation (SAT) was proposed in this paper, which was a light-weight and fast defense scheme against black-box attacks. SAT reactivates the output probability of the target model in the testing phase, and then it guarantees privacy of the probability information. As an attack-free defense, SAT not only avoids the burden of generating massive adversarial examples, but also realizes the advance defense of attacks. The activation of SAT is monotonic, so it will not affect the recognition of normal examples. During the activation process, a variable privacy protection transformation coefficient was designed to achieve dynamic defense. Above all, SAT is a certifiable defense that can derive the effectiveness and reliability of its defense based on softmax activation transformation. To evaluate the effectiveness of SAT, defense experiments against 9 attacks on MNIST, CIFAR10 and ImageNet datasets were conducted, and the average attack success rate was reduced from 87.06% to 5.94%. |
format | Article |
id | doaj-art-a3ae1ee7de3b48f692ca05ac8a3febcd |
institution | Kabale University |
issn | 2096-109X |
language | English |
publishDate | 2022-04-01 |
publisher | POSTS&TELECOM PRESS Co., LTD |
record_format | Article |
series | 网络与信息安全学报 |
title | Novel defense based on softmax activation transformation |
topic | deep learning; adversarial defense; certifiable; attack-free |
url | http://www.cjnis.com.cn/thesisDetails#10.11959/j.issn.2096-109x.2022016 |