TY - GEN
T1 - Feature Extraction Based on Denoising Auto Encoder for Classification of Adversarial Examples
AU - Yamasaki, Yuma
AU - Kuribayashi, Minoru
AU - Funabiki, Nobuo
AU - Nguyen, Huy H.
AU - Echizen, Isao
N1 - Funding Information:
This research was supported by JSPS KAKENHI Grant Number 19K22846, JST SICORP Grant Number JP-MJSC20C3, and JST CREST Grant Number JPMJCR20D3, Japan.
Publisher Copyright:
© 2021 APSIPA.
PY - 2021
Y1 - 2021
N2 - Adversarial examples have been recognized as one of the threats to machine learning techniques. Tiny perturbations are added to multimedia content to cause a misclassification in a target CNN-based model. In conventional studies, such perturbations are removed using a couple of filters, and for classification, the features are extracted from the observations of the output of the CNN-based model. However, the use of well-known filters may enable an attacker to adjust an adversarial attack to deal with such filters and fool the detector. In this study, we investigated the effectiveness of certain auto encoders (AEs) in extracting the traces of perturbations. Even if the structure of the AE is leaked, the difference in the training datasets makes an adjustment of the attack difficult to achieve. The effectiveness of the AE designed in this study was evaluated experimentally, and its combination with some known filters was also evaluated.
AB - Adversarial examples have been recognized as one of the threats to machine learning techniques. Tiny perturbations are added to multimedia content to cause a misclassification in a target CNN-based model. In conventional studies, such perturbations are removed using a couple of filters, and for classification, the features are extracted from the observations of the output of the CNN-based model. However, the use of well-known filters may enable an attacker to adjust an adversarial attack to deal with such filters and fool the detector. In this study, we investigated the effectiveness of certain auto encoders (AEs) in extracting the traces of perturbations. Even if the structure of the AE is leaked, the difference in the training datasets makes an adjustment of the attack difficult to achieve. The effectiveness of the AE designed in this study was evaluated experimentally, and its combination with some known filters was also evaluated.
UR - http://www.scopus.com/inward/record.url?scp=85126713336&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85126713336&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:85126713336
T3 - 2021 Asia-Pacific Signal and Information Processing Association Annual Summit and Conference, APSIPA ASC 2021 - Proceedings
SP - 1815
EP - 1820
BT - 2021 Asia-Pacific Signal and Information Processing Association Annual Summit and Conference, APSIPA ASC 2021 - Proceedings
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2021 Asia-Pacific Signal and Information Processing Association Annual Summit and Conference, APSIPA ASC 2021
Y2 - 14 December 2021 through 17 December 2021
ER -