Over the past several years, advances in deep neural networks (DNNs) have widely expanded the ability of what the machine can deal with. Especially, DNNs have achieved remarkable successes for image classification[8, 15] and it even went beyond human capability . With this performance, deep learning technology has started to be applied to various practical areas. However, some papers [18, 4, 1, 9, 10, 13, 3, 2] proved that even DNNs can be easily susceptible to small changes to input that is imperceptible to a human eye. According to these studies, carefully crafted perturbations to the vision-based applications can induce systems to behave in unexpected ways. Indeed, this is small enough to be inconspicuous, but some researches show that its influence might be more than expected since even state-of-the-art models got an almost zero-classification accuracy under .
Considering the deep learning models do not hesitate whenever judge the output, it might cause crucial accidents. For instance, Fig. 1
represents the adversarial examples in image classification task. Although all of the images can be seen as an ostrich by human visible intuition(someone may feel somewhat awkward), deep learning model outputs clearly different labels due to lack of such intuition. From a more theoretical perspective, misclassification could occur when the inputs are far from the decision boundary which decides to whether input is adversarial, but the existing classifier has no such intuition that can reject it. Now, the corner case of DNNs which have been alluded to adversarial attacks is getting pervasive and being more sophisticated. As a result, the vulnerability of adversarial attacks hinders its adoption for some safety-critical system and also security-sensitive application, including an autonomous-driving car [3, 16] since safety concerns can arise when there is a mismatch between what a model classifies and what we expect.
Since the advent of such adversarial attacks, many researchers or vendors have paid significant attention to adversarial examples. This is because they might not want to go through all that risk of their applications or models. They might as well choose to verify the robustness rather than take risks. However, the resistance against adversarial examples renders another challenge as no method can be a cure-all against adversarial attacks. To make up for corner cases of DNNs, several papers [4, 18, 12, 14, 17, 6, 11, 19] have proposed the defense mechanism against adversarial attacks to mitigate the potential of the risk by adversary. These defense mechanisms can be viewed as two approaches: (1) changing the model itself, which can improve the robustness by training with adversarial examples, e.g., adversarial training [4, 18], (2) preprocess the input image to diminish the effect of adversarial noise, mitigating the adversarial effects on the inputs , e.g., Magnet, Comdefend, PixelDefend, HGD, etc. [12, 6, 17, 11, 19].
However, (1) are designed to deal with specific adversarial attack strategies in mind, so generalization is likely to be restricted. It implies that the models using this method may be vulnerable to another attack optimized with it. In a similar vein, (2) require the well-trained data distribution for approximating or guiding adversarial examples closer to the manifold of legitimate samples. Model transferability thus might be hampered by these assumptions.
Since these assumptions are likely to be a temporary expedient, the universal defense approaches which can cover a myriad of risk should be explored.
Here, we propose a novel intuition for deep learning models, which can make the model universally robust. To the best of our knowledge, this is the first approach to explore defense in terms of the universal point of view. Our approach leverages the potential power of tensor decomposition to diminish the effect of adversarial noise by using the reconstructed images as an input of a deep learning model. The reconstructed inputs are fed into the classifier, and we empirically demonstrate that such simple pre-processing could be an effective countermeasure against the adversarial attack. To ensure that deep learning applications extend their potential of utilization toward other domains, it would be better to take into account the robustness of those applications. If you want to avoid cherry-picking doubt and make the model more general across a variety of risks including adversarial attacks, our insight would be an interesting candidate. Our contribution is as follows:
High Compatibility. Our approach leverages the tensor decomposition for preprocessing the inputs which might have been affected by the adversary. We do not assume anything, just use an input as reconstructed input by tensor decomposition method. In this point of view, tensor decomposition is relatively easy to utilize and easy to be applied to whatever the target model it is.
Efficient Engineering Complexity. Intuitively, tensor decomposition just depends on what the input it is. It does not need anything to be used. Therefore, we do not have to focus on how the model classifies the input since tensor decomposition is free from the model dependency. It means that re-training the model or augmenting the training data could no longer be required. It requires only processing time to reconstruct inputs.
Integrity of the inputs. When it comes to the reconstruction process, some information that in charge of the important role might be lost. Although state-of-the-art defense approaches[11, 6] have gotten remarkable performance, their proposed model degrades the performance against even the clean images. However, tensor decomposition could incur less adverse effects, and it is quite comparable with others.
Organization. We show an overall review of related work in Section 2. And we explain basic algorithm of adversarial attack in classification area and two tensor decomposition methods in Section 3. In section 4, we suggest our method that apply tensor decomposition method to adversarial attack scenario. In section 5, We summarized our experiment on MNIST, CIFAR10 and ImageNet data. And the conclusion is provided in Section 5.
2 Related work
Szegedy et al. found the existence of adversarial perturbation that breaks the image classifier thorough solving adversarial optimization problem [18, 4]. They show the model accuracy is dropped even though the perturbed image looks similar to human eyes. Goodfellow 
uses the sign of the gradient of input with respect to loss function of the victim model. This method is called Fast Gradient Sign Method (FGSM) since it updates input once. With the similar idea, uses FGSM in iterative way. Chen  leverages distortion to generate effective adversarial examples and improve the attack transferability. Carlini and Wagner  changes the optimization problem defined in  for achieving more powerful attack. 
measures the minimum size required for the attack. They approximate the decision boundary of the model and update input until the model misclassifies it. This attack has known as an one of the powerful strategy to DNNs, as it had shown that it can completely degrade the performance of the existing classifier and break the defensively distilled DNNs, e.g., defensive distillation. Moreover, [3, 16] demonstrated that adversarial attacks can be applied beyond the digital space, so security concerns could arise in even physical space such as autonomous-driving car.
To counter adversarial attacks, some works trained the model with adversarial examples to ensure that the model has a resilience against those adversarial examples, which have been called adversarial training. During the process of training, they generate adversarial for the training. Although it works, it depends on the particular adversarial data used in the training process. For instance,  shows their approach is robust in the simple attack, but not in a more sophisticated attack. In addition, it has engineering penalty since it requires retraining the model. If it takes longer to create an adversarial example, it will take more time to retrain the model. Instead of using the data augmentation, methods to change the model itself were also proposed . They change the objective function of the problem for obtaining the robustness. However, this approach also has to retrain the model, so it also boils down to increasing the engineering complexity. In recent years, several papers [12, 6, 17, 11, 19] preprocess the inputs before putting into the model. To guarantee the integrity of the model, all of them require well-trained data distribution to detect if the input is adversarial or approximate the manifold of legitimate samples. Our approach is similar to those approaches in terms of the preprocessing, yet differentiation is our method does not have any premises.
3.1 Adversarial Attack
Basically, all of the attacks use the gradient of data with respect to the loss function of the victim model. In this section, we briefly review the basic method of adversarial attack. The FGSM is proposed by . It is a simple and effective attack method. The image is perturbed as follows.
Where is a magnitude of noise and is a loss with respect to the true label of the image. It adjusts input X by adding a sign of the gradient of X. It increases the loss function of the victim model so that the model misjudges about the adjusted input. Since it updates input X once, it is also called single-step method. In addition, Adversaries can update the input in the direction they want. It decreases the loss of the victim model with respect to the target label set by the adversary.
If the input is modified enough, the model predicts the target which the adversary wants. In both cases, the have the role of the scale of the perturbation. We call the first method as untargeted FGSM and second method as targeted FGSM. The iterative FGSM is a repetitive version of FGSM. it is a more powerful attack method compared to the FGSM. It uses the following equations:
Where , is a step size for adjusting , and clip function ensures that for all . And we choose step number as ) if , otherwise . It is also called multi-step method. Here is the in the scale of 0 to 255 in the original paper. We use 0.25 for the . As the case of targeted FGSM, the adversary can modify the data in the way they want.
We denote this algorithm I-FGSM on this paper. Although theses attack methods were introduced in the context of image classification, the same method can be applied in the context of semantic segmentation task. We call the first method as an untargeted I-FGSM and second method as targeted I-FGSM.
3.2 Tensor Decomposition
A tensor is a multi dimensional array. For instance, the color image is a tensor consists of height, width, and the channel. A tensor decomposition methods decomposes a tensor into a crucial tensor. The CANDECOMP/PARAFC decomposition approximates a tensor as a sum of the outer product of the tensor belonging to each dimension. We refer this as a decomposition.
Let , for . Then is apporoximated as follows.
decomposition is another way to decompose a tensor. It is kind of higher order principal component analysis. It decomposes tensor as a core tensor and factor tensors as Fig. 3. Let be a tensor. Then Here and is called rank and it is a hyper-parameter in this problem. The best value of the rank is knows as
Let , for .
4.1 Tensor Decomposition as a preprocess
We use reconstructed image from tensor decomposition as a input of deep learning model. Since adversarial perturbation is so small to be invisible to human eye, we expect to such a small noise would be removed in the process of reducing dimension of the image. Fig. 4 tells our intuition is correct. After passing the process of tensor decomposition, adversarial noise are removed, and the figure of the noise is getting more similar to normal noise, i.e, gaussian noise.
We use CP decomposition and Tucker decomposition methods. As the quantity of information is greater, the quality of the reconstructed image gets better as shown in Fig. 5. However, since there is no straightforward algorithm for choosing the rank and the core tensor, we decide arbitrally considering effectiveness and computation time. For CP decomposition, we choose rank to use roughly 40% of the number of image pixels. Similarly, For Tucker decomposition, we choose the dimension of core tensor to use about 40 % of the number of image pixels. For instance, the size of the image is 32 by 32 in CIFAR10 dataset. In case of CP decomposition, the size of the three tensor in Fig. 2 will be 32,32 and 3. So we choose rank so that CP uses about 40% information of clean data. We use a similar argument when choosing the size of the core tensor of Tucker decomposition. Especially, we don’t compress the channel dimension in Tucker decomposition since we don’t want to lose color information. Thus, the size of the core tensor of the Tucker decomposition in the form of .
4.2 Denoise Autoencoder using reconstructed image
In addition to reconstruct the image from each tensor decomposition method, we use denoise autoencoder . We decompose the clean image via the tensor decomposition, and then reconstruct the image. And we put this reconstructed image into the autoencoder. The autoencoder is trained to restore the original image again. use this denote autoencoder asAE. The architecture of the autoencoder is as follows.
We use CIFAR-10 image for color image and MNIST for gray image. The learning rate was
and Adam optimizer is used. And we use mean square error (MSE) for loss function. For both model, we train autoencoder for 10 epoches.
4.3 Full architecture
First, we approximate the input image via the tensor decomposition method. No matter what kind of image it is, we decompose it since we don’t know Whether an image is normal or not. And then we pass the reconstructed image into denoise autoencoder. Fig. 6 shows the total flow of our proposed method. Note that our method does not depend on the classification model. So our method can be located in any classification model.
For the MNIST, CIFAR10 data, we test on the full test dataset. There are 10,000 images on MNIST dataset, and 50,000 images on CIFAR10 datset. For ImageNet, we select randomly 1,000 images as smilar setting . Since our proposed method decomposes the input whichever adversarial or clean data, we also tested on the clean dataset in addition to adversarial examples. We experiment on RTX-2080TI for all experiments.
We measure the top 1 accuracy on clean data, and adversarial data on each dataset. We use FGSM, BIM, Deepfool and Carlini attack methods. For FGSM, BIM and Deepfool attack, we use metric. And for Carlini Wanger attack, we use metric. And we calculate the ratio between the accuracy of clean and adversarial data for comparing the reduction of accuracy. Also, we measure the pre-processing time for calculating the additional time consuming for preprocessing the image.
In most cases, we achieve remarkably high accuracy against adversarial attacks. By using autoencoder, we get higher accuracy. In most cases, the CP is better than Tucker decomposition method. In some case of ImageNet dataset, Tucker decomposition method is better than CP. For instance, when attack with FGSM and Carlini method, the result was best by using Tucker decomposition. And in case of benign images, the accuracy reduction was about 1% on all datasets. The effectiveness of autoencoder is best on MNIST dataset. Although the autoencoder does not have much effect on clean data, it has a huge effect on various adversarial attacks on MNIST dataset. In addition to MNIST dataset, there have been small performance improvements for other datasets by using the denoise autoencoder. The numerical results are summarized on Table 2, 3 and 4.
5.4 time analysis
We measure the preprocessing time of each method. We pick randomly 1,000 images in MNIST,CIFAR-10, and ImageNet. And we measure the average processing time. In most case, The CP decomposition requires more time compared to Tucker decomposition. In case of MNIST and CIFAR-10, the time required to reconstruction is similar in both cases, the CP and the Tucker method. However, In case of ImageNet, the CP decomposition takes about 10 times more than the Tucker method. Table 5 summarizes a preprocess time of each dataset on each method.
|dataset||CP||CP+AE||Tucker||Tucker + AE|
We verify the tensor decomposition is a simple and powerful method for purifying of adversarial attack. When we combine denoise autoencoder with tensor decomposition method, the proposed method achieves higher accuracy against adversarial attack. Since there is no straightforward algorithm to choose the rank and the core tensor of the CP and Tucker decomposition, finding the best value is remaining for future work.
-  (2017) Towards evaluating the robustness of neural networks. In 2017 ieee symposium on security and privacy (sp), pp. 39–57. Cited by: §1, §2.
-  (2017) EAD: elastic-net attacks to deep neural networks via adversarial examples. ArXiv abs/1709.04114. Cited by: Figure 1, §1, §2.
Robust physical-world attacks on deep learning visual classification.
The IEEE Conference on Computer Vision and Pattern Recognition (CVPR), Cited by: §1, §1, §2.
-  (2014) Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572. Cited by: §1, §1, §2.
-  (2016) Deep residual learning for image recognition. In Proceedings of the IEEE conference on computer vision and pattern recognition, pp. 770–778. Cited by: §1.
-  (2019) Comdefend: an efficient image compression model to defend adversarial examples. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 6084–6092. Cited by: item 3, §1, §2, §5.1.
-  (2009) Tensor decompositions and applications. SIAM review 51 (3), pp. 455–500. Cited by: §3.2.
Imagenet classification with deep convolutional neural networks. In Advances in neural information processing systems, pp. 1097–1105. Cited by: §1.
-  (2016) Adversarial examples in the physical world. arXiv preprint arXiv:1607.02533. Cited by: §1, §2.
-  (2016) Adversarial machine learning at scale. arXiv preprint arXiv:1611.01236. Cited by: §1, §2.
-  (2018-06) Defense against adversarial attacks using high-level representation guided denoiser. In The IEEE Conference on Computer Vision and Pattern Recognition (CVPR), Cited by: item 3, §1, §2.
-  (2017) Magnet: a two-pronged defense against adversarial examples. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 135–147. Cited by: §1, §1, §2.
-  (2016) Deepfool: a simple and accurate method to fool deep neural networks. In Proceedings of the IEEE conference on computer vision and pattern recognition, pp. 2574–2582. Cited by: §1, §2.
-  (2016) Distillation as a defense to adversarial perturbations against deep neural networks. In 2016 IEEE Symposium on Security and Privacy (SP), pp. 582–597. Cited by: §1, §2, §2.
-  (2013) Overfeat: integrated recognition, localization and detection using convolutional networks. arXiv preprint arXiv:1312.6229. Cited by: §1.
-  (2018) Darts: deceiving autonomous cars with toxic signs. arXiv preprint arXiv:1802.06430. Cited by: §1, §2.
-  (2017) Pixeldefend: leveraging generative models to understand and defend against adversarial examples. arXiv preprint arXiv:1710.10766. Cited by: §1, §2.
-  (2013) Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199. Cited by: §1, §1, §2.
-  (2019) Feature denoising for improving adversarial robustness. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 501–509. Cited by: §1, §2.