Similar articles

Abstract: low-rank matrix decomposition with first-order total variation (TV) regularization exhibits excellent performance in exploration of image structure. Taking advantage of its excellent performance in image denoising, we apply it to improve the robustness of deep neural networks. However, although TV regularization can improve the robustness of the model, it reduces the accuracy of normal samples due to its over-smoothing. In our work, we develop a new low-rank matrix recovery model, called LRTGV, which incorporates total generalized variation (TGV) regularization into the reweighted low-rank matrix recovery model. In the proposed model, TGV is used to better reconstruct texture information without over-smoothing. The reweighted nuclear norm and L₁-norm can enhance the global structure information. Thus, the proposed LRTGV can destroy the structure of adversarial noise while re-enhancing the global structure and local texture of the image. To solve the challenging optimal model issue, we propose an algorithm based on the alternating direction method of multipliers. Experimental results show that the proposed algorithm has a certain defense capability against black-box attacks, and outperforms state-of-the-art low-rank matrix recovery methods in image restoration.

基于广义全变分低秩矩阵恢复的对抗样本防御

[1]Bredies K, Kunisch K, Pock T, 2010. Total generalized variation. SIAM J Imag Sci, 3(3):492-526.

[2]Buckman J, Roy A, Raffel C, et al., 2018. Thermometer encoding: one hot way to resist adversarial examples. 6^th Int Conf on Learning Representations.

[3]Candès EJ, Wakin MB, Boyd SP, 2008. Enhancing sparsity by reweighted l₁ minimization. J Fourier Anal Appl, 14(5-6):877-905.

[4]Candès EJ, Li XD, Ma Y, et al., 2011. Robust principal component analysis? J ACM, 58(3):11.

[5]Cao FL, Cai MM, Tan YP, 2015. Image interpolation via low-rank matrix completion and recovery. IEEE Trans Circ Syst Video Technol, 25(8):1261-1270.

[6]Carlini N, Wagner D, 2017. Towards evaluating the robustness of neural networks. IEEE Symp on Security and Privacy, p.39-57.

[7]Deng Y, Dai QH, Liu RS, et al., 2013. Low-rank structure learning via nonconvex heuristic recovery. IEEE Trans Neur Netw Learn Syst, 24(3):383-396.

[8]Dong WS, Zhang L, Shi GM, et al., 2013. Nonlocally centralized sparse representation for image restoration. IEEE Trans Image Process, 22(4):1620-1630.

[9]Dong XY, Han JF, Chen DD, et al., 2020. Robust superpixel-guided attentional adversarial attack. IEEE/CVF Conf on Computer Vision and Pattern Recognition, p.12892-12901.

[10]Dong YP, Liao FZ, Pang TY, et al., 2018. Boosting adversarial attacks with momentum. IEEE/CVF Conf on Computer Vision and Pattern Recognition, p.9185-9193.

[11]Efros AA, Freeman WT, 2001. Image quilting for texture synthesis and transfer. Proc 28^th Annual Conf on Computer Graphics and Interactive Techniques, p.341-346.

[12]Goodfellow IJ, Shlens J, Szegedy C, 2015. Explaining and harnessing adversarial examples. https://arxiv.org/abs/1412.6572

[13]Gu SH, Xie Q, Meng DY, et al., 2017. Weighted nuclear norm minimization and its applications to low level vision. Int J Comput Vis, 121(2):183-208.

[14]Guo C, Rana M, Cisse M, et al., 2018. Countering adversarial images using input transformations. https://arxiv.org/abs/1711.00117

[15]Guo WH, Qin J, Yin WT, 2014. A new detail-preserving regularization scheme. SIAM J Imag Sci, 7(2):1309-1334.

[16]Guo XJ, Lin ZC, 2018. Low-rank matrix recovery via robust outlier estimation. IEEE Trans Image Process, 27(11):5316-5327.

[17]Jing PG, Su YT, Nie LQ, et al., 2019. A framework of joint low-rank and sparse regression for image memorability prediction. IEEE Trans Circ Syst Video Technol, 29(5):1296-1309.

[18]Moosavi-Dezfooli SM, Fawzi A, Frossard P, 2016. DeepFool: a simple and accurate method to fool deep neural networks. IEEE Conf on Computer Vision and Pattern Recognition, p.2574-2582.

[19]Mustafa A, Khan SH, Hayat M, et al., 2020. Image super-resolution as a defense against adversarial attacks. IEEE Trans Image Process, 29:1711-1724.

[20]Papafitsoros K, Schönlieb CB, 2014. A combined first and second order variational approach for image reconstruction. J Math Imag Vis, 48(2):308-338.

[21]Peng YG, Suo JL, Dai QH, et al., 2014. Reweighted low-rank matrix recovery and its application in image restoration. IEEE Trans Cybern, 44(12):2418-2430.

[22]Song Y, Kim T, Nowozin S, et al., 2018. PixelDefend: leveraging generative models to understand and defend against adversarial examples. https://arxiv.org/abs/1710.10766

[23]Tabacof P, Valle E, 2016. Exploring the space of adversarial images. Int Joint Conf on Neural Networks, p.426-433.

[24]Wang HY, Cen YG, He ZQ, et al., 2018. Reweighted low-rank matrix analysis with structural smoothness for image denoising. IEEE Trans Image Process, 27(4):1777-1792.

[25]Wang Q, Wu ZJ, Jin J, et al., 2018. Low rank constraint and spatial spectral total variation for hyperspectral image mixed denoising. Signal Process, 142:11-26.

[26]Wang YL, Wu KL, Zhang CS, 2020. Adversarial attacks on deep unfolded networks for sparse coding. IEEE Int Conf on Acoustics, Speech and Signal Processing, p.5974-5978.

[27]Wen JM, Li DF, Zhu FM, 2015. Stable recovery of sparse signals via l_p-minimization. Appl Comput Harmon Anal, 38(1):161-176.

[28]Wu HC, Xiao L, Lian ZC, et al., 2019. Locally low-rank regularized video stabilization with motion diversity constraints. IEEE Trans Circ Syst Video Technol, 29(10):2873-2887.

[29]Xie CH, Zhang ZS, Zhou YY, et al., 2019. Improving transferability of adversarial examples with input diversity. IEEE/CVF Conf on Computer Vision and Pattern Recognition, p.2725-2734.

[30]Xie T, Li ST, Sun B, 2020. Hyperspectral images denoising via nonconvex regularized low-rank and sparse matrix decomposition. IEEE Trans Image Process, 29:44-56.

[31]Xu J, Li YM, Jiang Y, et al., 2020. Adversarial defense via local flatness regularization. IEEE Int Conf on Image Processing, p.2196-2200.

[32]Xu WL, Evans D, Qi YJ, 2017. Feature squeezing: detecting adversarial examples in deep neural networks. https://arxiv.org/abs/1704.01155

[33]Yang S, Luo B, Li CL, et al., 2018. Fast grayscale-thermal foreground detection with collaborative low-rank decomposition. IEEE Trans Circ Syst Video Technol, 28(10):2574-2585.

[34]Yuan XY, He P, Zhu QL, et al., 2019. Adversarial examples: attacks and defenses for deep learning. IEEE Trans Neur Netw Learn Syst, 30(9):2805-2824.

[35]Zhan SH, Wu JG, Han N, et al., 2020. Group low-rank representation-based discriminant linear regression. IEEE Trans Circ Syst Video Technol, 30(3):760-770.

[36]Zhang YC, Li HR, Zheng Y, et al., 2021. Enhanced DNNs for malware classification with GAN-based adversarial training. J Comput Virol Hack Tech, 17(2):153-163.

[37]Zhao ZQ, Wang HY, Sun H, et al., 2021. Removing adversarial noise via low-rank completion of high-sensitivity points. IEEE Trans Image Process, 30:6485-6497.