JZUS - Journal of Zhejiang University SCIENCE

Frontiers of Information Technology & Electronic Engineering

Accepted manuscript available online (unedited version)

Low-rank matrix recovery with total generalized variation for defending adversarial examples

Author(s): Wen LI, Hengyou WANG, Lianzhi HUO, Qiang HE, Linlin CHEN, Zhiquan HE, Wing W. Y. Ng
Affiliation(s): School of Science, Beijing University of Civil Engineering and Architecture, Beijing 100044, China; more
Corresponding email(s): wanghengyou@bucea.edu.cn
Key Words: Total generalized variation; Low-rank matrix; Alternating direction method of multipliers; Adversarial example

Share this article to： More <<< Previous Paper \|Next Paper >>>

Wen LI, Hengyou WANG, Lianzhi HUO, Qiang HE, Linlin CHEN, Zhiquan HE, Wing W. Y. Ng. Low-rank matrix recovery with total generalized variation for defending adversarial examples[J]. Frontiers of Information Technology & Electronic Engineering,in press.https://doi.org/10.1631/FITEE.2300017

@article{title="Low-rank matrix recovery with total generalized variation for defending adversarial examples",
author="Wen LI, Hengyou WANG, Lianzhi HUO, Qiang HE, Linlin CHEN, Zhiquan HE, Wing W. Y. Ng",
journal="Frontiers of Information Technology & Electronic Engineering",
year="in press",
publisher="Zhejiang University Press & Springer",
doi="https://doi.org/10.1631/FITEE.2300017"
}

%0 Journal Article
%T Low-rank matrix recovery with total generalized variation for defending adversarial examples
%A Wen LI
%A Hengyou WANG
%A Lianzhi HUO
%A Qiang HE
%A Linlin CHEN
%A Zhiquan HE
%A Wing W. Y. Ng
%J Frontiers of Information Technology & Electronic Engineering
%P 432-445
%@ 2095-9184
%D in press
%I Zhejiang University Press & Springer
doi="https://doi.org/10.1631/FITEE.2300017"

TY - JOUR
T1 - Low-rank matrix recovery with total generalized variation for defending adversarial examples
A1 - Wen LI
A1 - Hengyou WANG
A1 - Lianzhi HUO
A1 - Qiang HE
A1 - Linlin CHEN
A1 - Zhiquan HE
A1 - Wing W. Y. Ng
J0 - Frontiers of Information Technology & Electronic Engineering
SP - 432
EP - 445
%@ 2095-9184
Y1 - in press
PB - Zhejiang University Press & Springer
ER -
doi="https://doi.org/10.1631/FITEE.2300017"

Abstract
Chinese Summary
Academic Network
Reviewer Comment

Abstract: Low-rank matrix decomposition with first-order total variation (TV) regularization exhibits excellent performance in exploration of image structure. Taking advantage of its excellent performance in image denoising, we apply it to improve the robustness of deep neural networks. However, although TV regularization can improve the robustness of the model, it reduces the accuracy of normal samples due to its over-smoothing. In our work, we develop a new low-rank matrix recovery model, called LRTGV, which incorporates total generalized variation (TGV) regularization into the reweighted low-rank matrix recovery model. In the proposed model, TGV is used to better reconstruct texture information without over-smoothing. The reweighted nuclear norm and L₁-norm can enhance the global structure information. Thus, the proposed LRTGV can destroy the structure of adversarial noise while re-enhancing the global structure and local texture of the image. To solve the challenging optimal model issue, we propose an algorithm based on the alternating direction method of multipliers. Experimental results show that the proposed algorithm has a certain defense capability against black-box attacks, and outperforms state-of-the-art low-rank matrix recovery methods in image restoration.

基于广义全变分低秩矩阵恢复的对抗样本防御

李文^1,2，王恒友^1,5，霍连志³，何强^1,5，陈琳琳^1,5，何志权⁴，吴永贤²
¹北京建筑大学理学院，中国北京市，100044
²华南理工大学计算机科学与工程学院，中国广州市，510006
³中国科学院空天信息研究所，中国北京市，100094
⁴广东省智能信息处理重点实验室,，中国深圳市，518060
⁵北京建筑大学大数据建模与技术研究所，中国北京市，100044
摘要：一阶全变分（TV）正则化的低秩矩阵分解在恢复图像结构上表现出优异性能。利用全变分在图像去噪方面的优异性能，提高深度神经网络鲁棒性。然而，尽管一阶全变分正则化可以提高模型鲁棒性，但其过度平滑降低了干净样本的准确率。本文提出一种新的低秩矩阵恢复模型，称为LRTGV，该模型将广义全变分（TGV）正则化引入到重加权低秩矩阵恢复模型。在所构建的模型中，TGV可以在不过度平滑的情况下更好地重建图像纹理信息。重加权核范数和L₁范数可以增强全局结构信息。因此，本文所提出的LRTGV模型在破坏对抗噪声结构的同时能增强图像全局结构和局部纹理信息。为解决具有挑战性的最优模型问题，本文提出一种基于交替方向乘子法的算法。实验结果表明，该算法对黑盒攻击具有一定防御能力，并且在图像恢复方面优于现有低秩矩阵恢复方法。

关键词组：广义全变分；低秩矩阵；交替方向乘子法；对抗样本

Darkslateblue:Affiliate; Royal Blue:Author; Turquoise:Article

Reference

[1]Bredies K, Kunisch K, Pock T, 2010. Total generalized variation. SIAM J Imag Sci, 3(3):492-526.

[2]Buckman J, Roy A, Raffel C, et al., 2018. Thermometer encoding: one hot way to resist adversarial examples. 6^th Int Conf on Learning Representations.

[3]Candès EJ, Wakin MB, Boyd SP, 2008. Enhancing sparsity by reweighted l₁ minimization. J Fourier Anal Appl, 14(5-6):877-905.

[4]Candès EJ, Li XD, Ma Y, et al., 2011. Robust principal component analysis? J ACM, 58(3):11.

[5]Cao FL, Cai MM, Tan YP, 2015. Image interpolation via low-rank matrix completion and recovery. IEEE Trans Circ Syst Video Technol, 25(8):1261-1270.

[6]Carlini N, Wagner D, 2017. Towards evaluating the robustness of neural networks. IEEE Symp on Security and Privacy, p.39-57.

[7]Deng Y, Dai QH, Liu RS, et al., 2013. Low-rank structure learning via nonconvex heuristic recovery. IEEE Trans Neur Netw Learn Syst, 24(3):383-396.

[8]Dong WS, Zhang L, Shi GM, et al., 2013. Nonlocally centralized sparse representation for image restoration. IEEE Trans Image Process, 22(4):1620-1630.

[9]Dong XY, Han JF, Chen DD, et al., 2020. Robust superpixel-guided attentional adversarial attack. IEEE/CVF Conf on Computer Vision and Pattern Recognition, p.12892-12901.

[10]Dong YP, Liao FZ, Pang TY, et al., 2018. Boosting adversarial attacks with momentum. IEEE/CVF Conf on Computer Vision and Pattern Recognition, p.9185-9193.

[11]Efros AA, Freeman WT, 2001. Image quilting for texture synthesis and transfer. Proc 28^th Annual Conf on Computer Graphics and Interactive Techniques, p.341-346.

[12]Goodfellow IJ, Shlens J, Szegedy C, 2015. Explaining and harnessing adversarial examples. https://arxiv.org/abs/1412.6572

[13]Gu SH, Xie Q, Meng DY, et al., 2017. Weighted nuclear norm minimization and its applications to low level vision. Int J Comput Vis, 121(2):183-208.

[14]Guo C, Rana M, Cisse M, et al., 2018. Countering adversarial images using input transformations. https://arxiv.org/abs/1711.00117

[15]Guo WH, Qin J, Yin WT, 2014. A new detail-preserving regularization scheme. SIAM J Imag Sci, 7(2):1309-1334.

[16]Guo XJ, Lin ZC, 2018. Low-rank matrix recovery via robust outlier estimation. IEEE Trans Image Process, 27(11):5316-5327.

[17]Jing PG, Su YT, Nie LQ, et al., 2019. A framework of joint low-rank and sparse regression for image memorability prediction. IEEE Trans Circ Syst Video Technol, 29(5):1296-1309.

[18]Moosavi-Dezfooli SM, Fawzi A, Frossard P, 2016. DeepFool: a simple and accurate method to fool deep neural networks. IEEE Conf on Computer Vision and Pattern Recognition, p.2574-2582.

[19]Mustafa A, Khan SH, Hayat M, et al., 2020. Image super-resolution as a defense against adversarial attacks. IEEE Trans Image Process, 29:1711-1724.

[20]Papafitsoros K, Schönlieb CB, 2014. A combined first and second order variational approach for image reconstruction. J Math Imag Vis, 48(2):308-338.

[21]Peng YG, Suo JL, Dai QH, et al., 2014. Reweighted low-rank matrix recovery and its application in image restoration. IEEE Trans Cybern, 44(12):2418-2430.

[22]Song Y, Kim T, Nowozin S, et al., 2018. PixelDefend: leveraging generative models to understand and defend against adversarial examples. https://arxiv.org/abs/1710.10766

[23]Tabacof P, Valle E, 2016. Exploring the space of adversarial images. Int Joint Conf on Neural Networks, p.426-433.

[24]Wang HY, Cen YG, He ZQ, et al., 2018. Reweighted low-rank matrix analysis with structural smoothness for image denoising. IEEE Trans Image Process, 27(4):1777-1792.

[25]Wang Q, Wu ZJ, Jin J, et al., 2018. Low rank constraint and spatial spectral total variation for hyperspectral image mixed denoising. Signal Process, 142:11-26.

[26]Wang YL, Wu KL, Zhang CS, 2020. Adversarial attacks on deep unfolded networks for sparse coding. IEEE Int Conf on Acoustics, Speech and Signal Processing, p.5974-5978.

[27]Wen JM, Li DF, Zhu FM, 2015. Stable recovery of sparse signals via l_p-minimization. Appl Comput Harmon Anal, 38(1):161-176.

[28]Wu HC, Xiao L, Lian ZC, et al., 2019. Locally low-rank regularized video stabilization with motion diversity constraints. IEEE Trans Circ Syst Video Technol, 29(10):2873-2887.

[29]Xie CH, Zhang ZS, Zhou YY, et al., 2019. Improving transferability of adversarial examples with input diversity. IEEE/CVF Conf on Computer Vision and Pattern Recognition, p.2725-2734.

[30]Xie T, Li ST, Sun B, 2020. Hyperspectral images denoising via nonconvex regularized low-rank and sparse matrix decomposition. IEEE Trans Image Process, 29:44-56.

[31]Xu J, Li YM, Jiang Y, et al., 2020. Adversarial defense via local flatness regularization. IEEE Int Conf on Image Processing, p.2196-2200.

[32]Xu WL, Evans D, Qi YJ, 2017. Feature squeezing: detecting adversarial examples in deep neural networks. https://arxiv.org/abs/1704.01155

[33]Yang S, Luo B, Li CL, et al., 2018. Fast grayscale-thermal foreground detection with collaborative low-rank decomposition. IEEE Trans Circ Syst Video Technol, 28(10):2574-2585.

[34]Yuan XY, He P, Zhu QL, et al., 2019. Adversarial examples: attacks and defenses for deep learning. IEEE Trans Neur Netw Learn Syst, 30(9):2805-2824.

[35]Zhan SH, Wu JG, Han N, et al., 2020. Group low-rank representation-based discriminant linear regression. IEEE Trans Circ Syst Video Technol, 30(3):760-770.

[36]Zhang YC, Li HR, Zheng Y, et al., 2021. Enhanced DNNs for malware classification with GAN-based adversarial training. J Comput Virol Hack Tech, 17(2):153-163.

[37]Zhao ZQ, Wang HY, Sun H, et al., 2021. Removing adversarial noise via low-rank completion of high-sensitivity points. IEEE Trans Image Process, 30:6485-6497.

Open peer comments: Debate/Discuss/Question/Opinion

<1>

- Go to

基于广义全变分低秩矩阵恢复的对抗样本防御

Darkslateblue:Affiliate; Royal Blue:Author; Turquoise:Article

Reference