TensorShield: Tensor-based Defense Against Adversarial Attacks on Images

02/18/2020 ∙ by Negin Entezari, et al. ∙ University of California, Riverside

Recent studies have demonstrated that machine learning approaches like deep neural networks (DNNs) are easily fooled by adversarial attacks. Subtle and imperceptible perturbations of the data are able to change the result of deep neural networks. Leveraging vulnerable machine learning methods raises many concerns especially in domains where security is an important factor. Therefore, it is crucial to design defense mechanisms against adversarial attacks. For the task of image classification, unnoticeable perturbations mostly occur in the high-frequency spectrum of the image. In this paper, we utilize tensor decomposition techniques as a preprocessing step to find a low-rank approximation of images which can significantly discard high-frequency perturbations. Recently a defense framework called Shield could "vaccinate" Convolutional Neural Networks (CNN) against adversarial examples by performing random-quality JPEG compressions on local patches of images on the ImageNet dataset. Our tensor-based defense mechanism outperforms the SLQ method from Shield by 14 maintaining comparable speed.




1. Introduction

In the last few years, Deep Neural Networks (DNNs) have become tremendously popular in various domains, including image processing and computer vision. However, the robustness of DNNs has recently been questioned when they face adversarial inputs. The performance of DNNs can drop significantly even on slightly perturbed instances (Szegedy et al., 2013). For the task of image classification, attackers constrain the perturbations so that they remain unnoticeable to the human eye, yet they are still able to greatly deteriorate the performance of the model.

Utilizing machine learning methods which are vulnerable to adversarial attacks in systems where safety and security are critical factors may cause serious problems. Therefore, it is crucial to have a model that is robust against adversaries, especially in security-sensitive domains like autonomous driving and medical imaging. To address this concern, recent studies have analyzed the vulnerability of deep learning methods in order to come up with defense techniques against adversarial attacks (Das et al., 2018; Bhagoji et al., 2017; Metzen et al., 2017; Papernot et al., 2016b).

To measure the strength of a perturbation, usually an or norm is used. Adversarial perturbations are mostly designed so that they have a small norm and are unnoticeable to human inspection. Designing a defense mechanism is a difficult task. Typically, the defender only has access to the perturbed instances (and definitely not the original ones, where there would be hope to identify which parts have been tampered with) and should be able to defend against different types of perturbations. Moreover, a defense mechanism which is specialized on a particular kind of attack could be easily defeated by new attacks which are optimized against its strategy. Therefore, designing a defense technique which captures a universal pattern across various attacks is highly desirable, since it will be able to defend against most adversarial attacks.

Shield, proposed by Das et al. (Das et al., 2018), is a real-time defense framework which performs JPEG compression with random quality levels over local patches of images to eliminate unnoticeable perturbations, which mostly appear in the high-frequency spectrum of images. However, Shield considers images in isolation and does not pay attention to the correlation between images when facing adversarial attacks. In this paper, we propose a tensor decomposition approach to compute a low-rank approximation of images which significantly discards high-rank perturbations.

Our contributions are as follows:

  • Defense through the lens of factorization: We propose a novel defense against adversarial attacks on images which utilizes tensor decomposition to reconstruct a low-rank approximation of perturbed images before feeding them to the deep network for classification. Without any retraining of the model, our method can significantly mitigate adversarial attacks.

  • Efficient and effective method: Representing images as tensors allows processing them in batches as a 4-mode tensor, which captures the latent structure of perturbations across multiple images rather than a single image and leads to further performance improvements.

The rest of this paper is organized as follows. In Section 2 we discuss related work. We introduce our proposed method in Section 3 and provide experimental results in Section 4. Finally, in Section 5 we offer conclusions and discuss future work.

Figure 1. System Overview: low-rank tensor approximation of images to “vaccinate” the network against perturbations. (the term “vaccinate” was first used by Das et al. (Das et al., 2018) to refer to models equipped with a defense mechanism.)

2. Related Work

2.1. Adversarial Attacks

In this paper, we focus on defending against adversarial attacks on deep learning methods for the task of image classification. Here, we briefly outline some of the most popular adversarial attacks on images.

Given a classifier , the goal of an adversarial attack is to modify an instance to a perturbed instance such that , while keeping the distance between the perturbed and the clean instance small. By we denote some norm, which is also used to express the strength of the perturbations. Popular choices are the Euclidean distance ( norm) and the Chebyshev distance ( norm). Here, we discuss some of the popular attacks against which we evaluate our proposed method.

Fast Gradient Sign Method (FGSM) (Goodfellow et al., 2014): FGSM is a fast method for computing perturbations based on first-order gradients. FGSM generates adversarial images by introducing a perturbation as follows:


where is a user-defined threshold that determines the strength of the perturbations and controls the magnitude of the perturbation per pixel, denotes the parameters of the model, is the true label of the instance , and is the cost function used to train the neural network.

Iterative Fast Gradient Sign Method (I-FGSM) (Kurakin et al., 2016): I-FGSM is the iterative version of FGSM. In each iteration , I-FGSM clips the pixel values so that they remain within the neighborhood of the corresponding values of the “clean” instance :


Projected Gradient Descent (PGD) (Madry et al., 2017): PGD is one of the strongest gradient-based attacks (Madry et al., 2017). Given a clean image , PGD aims to find a small perturbation to generate the perturbed instance . PGD starts from a random perturbation and iteratively updates the perturbation:


where is a fixed step size and projects the perturbation onto the set , the set of allowed perturbations in the neighborhood of the “clean” instance .

2.2. Defense Against Adversarial Attacks

Shield, proposed by Das et al. (Das et al., 2018), uses image preprocessing as a defense mechanism to reduce the effect of perturbations. Shield is based on the observation that the attacks described above are high-frequency; thus, eliminating those high frequencies (which are generally not visible to the human eye) will sanitize the image. Shield performs Stochastic Local Quantization (SLQ) as a preprocessing step: it applies JPEG compression with qualities 20, 40, 60, and 80 to the image, and then, for each block of the image, randomly selects the block from one of the compressed images. Shield also retrains the model on images compressed with different JPEG qualities and uses an ensemble of these models to defend against adversarial attacks.

In this paper, we preprocess images using tensor decomposition techniques to achieve a low-rank approximation of the image. We can significantly alleviate the effect of perturbations without performing any retraining. In a parallel approach, (Entezari et al., 2020) employs singular value decomposition to compute a low-rank approximation of a graph to defend against adversarial attacks on graphs. However, this paper is the first to identify and leverage the observation that gradient-based attacks on deep learning image classifiers are manifested in the high-rank components of a decomposition of the image.

3. Proposed Method

In this section, we first investigate the characteristics of adversarial attacks on networks designed for the task of image classification. Then we propose a tensor-based defense mechanism against these attacks which improves the performance of the network.

3.1. Characteristics of Image Perturbations

Assume a trained model with high accuracy on clean images is given. Adversarial attacks perturb the clean images in a way that is imperceptible to humans, yet succeeds in deceiving the model into misclassifying the perturbed instances. In other words, for a clean image and its corresponding perturbed image , the goal is to have: . Adversarial attacks do not preserve the spectral characteristics of images; they add high-frequency components to images in order to remain unnoticeable to the human eye (Das et al., 2018). Perturbations in the image domain are crafted in a way that mostly affects the high-frequency spectrum of images. Therefore, discarding the high-frequency factors of the image using approaches like compression or low-rank approximation can be a successful defense against this type of perturbation: a mechanism that only keeps the low-rank components of the image and discards the high-rank ones can succeed in discarding the perturbations. In (Das et al., 2018), the authors leverage JPEG compression to remove high-frequency components of the image and alleviate the effect of perturbations. In this paper, we study the problem from a “matrix spectrum” point of view (i.e., the singular value profile and the intrinsic low-rank dimensionality of the data) and use tensor decomposition techniques to achieve a low-rank approximation of perturbed images.

3.2. Tensor-based Defense Mechanism

In this section, we briefly describe concepts and notations used in the paper.

A tensor, denoted by , is a multidimensional matrix. The order of a tensor is the number of modes/ways, i.e., the number of indices required to index the tensor (Papalexakis et al., 2017). An RGB image is a three-mode tensor where the first and second modes correspond to the pixels and the third mode corresponds to the red, green, and blue channels, i.e., the frontal slices are the red, green, and blue channels of the image. An RGB image of size is a 3-mode tensor of size , where and are the width and height of the image, respectively.

To achieve a low-rank approximation of the perturbed images, we apply a tensor decomposition technique to the image and, by choosing small values for the rank of the tensor, reconstruct a low-rank approximation of the image which is then fed to the deep network. The low-rank approximation of the image discards high-frequency perturbations, which can improve the performance of the network on the perturbed images. However, traditional tensor decomposition techniques like CP/Parafac (Harshman, 1970) and Tucker (Tucker, 1966) are time-consuming and may slow down the neural network, which would make our proposed method impractical for real-time defense. To overcome this issue, we leverage the Tensor-Train decomposition (Oseledets, 2011), which scales linearly with respect to the dimension of the tensor and was specifically introduced to address the curse of dimensionality (Oseledets, 2011). This highly desirable property of the Tensor-Train allows us to process images in batches which form a 4-mode tensor and to perform the Tensor-Train decomposition on 4-mode tensors quite fast. For a batch of images, the size of the 4-mode tensor will be . Generally, decomposing a 4-mode tensor is slower than decomposing a 3-mode one; however, by considering images in batches, some of the I/O overhead is reduced, which results in almost the same processing time over the entire dataset. Furthermore, processing images in batches improves the performance of the model. The reason is that decomposing images in batches extracts the latent structure corresponding to perturbations from multiple images and captures general characteristics of the perturbations.

For a 4-mode tensor, the Tensor-Train decomposition can be written as follows:


Figure 2 illustrates the Tensor-Train decomposition of a 4-mode tensor.

Figure 2. Tensor-Train decomposition of a 4-mode tensor.

Another possible representation for the batch of images is to convert the 4-mode tensor to a 3-mode tensor by stacking the images along the third mode, i.e., stacking the RGB channels; the resulting tensor will be of dimension . Figure 3 illustrates a 3-mode stacked tensor of images.

Figure 3. Stacking 3-mode images along the third mode.

There are other ways to convert a 4-mode tensor into a 3-mode one. For instance, the RGB image can be flattened into a matrix with three columns corresponding to the channels of the image. With this representation, the final tensor will be of size . One disadvantage of this representation is that flattening the image ignores the spatial relationship between pixels. Moreover, with this vectorized representation, the first dimension is much bigger than the other two and requires a larger rank to get a reasonable approximation of the image, and larger ranks make the decomposition slower. For these reasons, we do not consider the vectorized representation in our study. In the experimental evaluations that follow, we examine different representations, including a single image versus a batch of images and 3-mode tensors versus 4-mode tensors.
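As an added worked example (not code from the paper or from the TensorLy library it uses), the following Python script implements the TT-SVD algorithm behind the Tensor-Train decomposition of Section 3.2 with NumPy alone, applies it to a constructed 4-mode batch of smooth synthetic images using the paper's rank layout [batch size, pixel rank, 3], and measures how much of a constructed ±ε high-frequency perturbation the low-rank reconstruction removes. The synthetic images, the random-sign perturbation (a stand-in for a gradient-sign perturbation, not a real attack) and the ranks (5, 8, 3) are assumptions chosen for the demonstration, not the paper's data.

```python
import numpy as np


def tt_svd(tensor, ranks):
    """TT-SVD (Oseledets, 2011): decompose a d-mode tensor into d cores.
    ranks holds the d-1 interior TT-ranks (boundary ranks are 1); core k has
    shape (r_{k-1}, n_k, r_k). Truncating each SVD discards high-rank content."""
    dims, cores, r_prev = tensor.shape, [], 1
    c = tensor.reshape(1, -1)
    for k in range(len(dims) - 1):
        c = c.reshape(r_prev * dims[k], -1)           # unfold the remaining modes
        u, s, vt = np.linalg.svd(c, full_matrices=False)
        r = min(ranks[k], s.size)
        cores.append(u[:, :r].reshape(r_prev, dims[k], r))
        c = s[:r, None] * vt[:r]                      # carry the remainder forward
        r_prev = r
    cores.append(c.reshape(r_prev, dims[-1], 1))
    return cores


def tt_reconstruct(cores):
    """Contract the TT cores back into a dense tensor."""
    out = cores[0]
    for core in cores[1:]:
        r_prev, n, r = core.shape
        out = out.reshape(-1, r_prev) @ core.reshape(r_prev, n * r)
    return out.reshape([core.shape[1] for core in cores])


def tensorshield_batch(batch, ranks):
    """Low-rank TT approximation of a (batch, width, height, 3) image tensor,
    clipped back to the valid pixel range before it would go to the classifier."""
    return np.clip(tt_reconstruct(tt_svd(batch.astype(np.float64), ranks)), 0.0, 1.0)


def make_clean_batch(batch_size=5, side=32, rng=None):
    """Constructed smooth synthetic images (a stand-in for ImageNet samples):
    every channel mixes two shared rank-1 spatial patterns, so the batch is low-rank."""
    rng = np.random.default_rng(0) if rng is None else rng
    t = np.linspace(0.0, 1.0, side)
    basis = np.stack([np.outer(np.sin(np.pi * t), np.cos(np.pi * t / 2)),
                      np.outer(t, 1.0 - t)])                   # (2, side, side)
    coef = rng.uniform(0.2, 0.8, size=(batch_size, 3, 2))      # per image/channel weights
    imgs = np.einsum("bck,kxy->bxyc", coef, basis)
    return 0.1 + 0.8 * imgs / imgs.max()                       # pixel values in [0.1, 0.9]


def run_experiment(ranks=(5, 8, 3), eps=8.0 / 255.0, seed=0):
    """Perturb a batch with a constructed random +/-eps pattern (high-frequency,
    hence high-rank) and compare the distance to the clean batch before and after
    the low-rank reconstruction. Also checks that clean images survive the step."""
    rng = np.random.default_rng(seed)
    clean = make_clean_batch(rng=rng)
    noise = eps * rng.choice([-1.0, 1.0], size=clean.shape)   # constructed perturbation
    perturbed = np.clip(clean + noise, 0.0, 1.0)
    shielded = tensorshield_batch(perturbed, list(ranks))
    clean_rec = tensorshield_batch(clean, list(ranks))
    return {
        "clean_rel_err": np.linalg.norm(clean_rec - clean) / np.linalg.norm(clean),
        "err_before": np.linalg.norm(perturbed - clean),
        "err_after": np.linalg.norm(shielded - clean),
    }
```

Raising the second rank toward the number of pixel columns lets more of the perturbation through, which is the accuracy/runtime trade-off the parameter tuning section explores.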

4. Experimental Evaluation

In this section, we show how the proposed method can successfully remove adversarial perturbations, and we compare our results to Shield (SLQ). According to (Cornelius, 2019), the original Shield evaluation benefited from central cropping of images at evaluation time, whereas the perturbations were generated with cropping disabled. In all our evaluations, we disable the central cropping.

4.1. Experiment Setup

We performed experiments on the validation set of the ImageNet dataset, which includes 50,000 images from 1,000 classes. All experiments are performed on the ResNet-v2 50 model from the TF-Slim module of TensorFlow. The adversarial attacks are from the CleverHans package (https://github.com/tensorflow/cleverhans) (Papernot et al., 2016a). We performed the experiments on a machine with one NVIDIA Titan Xp (12 GB) GPU. We used the TensorLy library (https://github.com/tensorly/tensorly) in Python to perform the tensor decomposition techniques (Kossaifi et al., 2019).

4.2. Parameter Tuning

In our evaluations, we express the different configurations as a list of the form [tensor decomposition, tensor representation, batch size, rank], and we investigate the accuracy and runtime of ResNet-v2 50 on 1000 images from the ImageNet dataset for different configurations. The possible values for each part of the configuration list are as follows:

  • Tensor decomposition: {Parafac, Tucker, Tensor-Train}

  • Tensor representation: {3-mode, 3-mode-stacked, 4-mode}

  • Batch size: {1, 5, 10, 20, 50}

  • Rank: varies by choice of tensor representation and decomposition.

Performing tensor decomposition on a batch of images reduces the decomposition overhead compared to decomposing a single image and accelerates the entire evaluation process. Moreover, considering images in batches helps to better capture the pattern of perturbations across multiple images. However, choosing the right batch size is important. A large batch of images needs larger ranks for decomposition and can become very slow. Also, in a large batch the variety of images from different classes increases, which deteriorates the performance of the decomposition. To find the best batch size, we perform a grid search over the values 5, 10, 20, and 50. Tensor-Train decomposition of a 4-mode tensor requires setting three rank values. The first value corresponds to compressing the batches, the second to compressing the image pixels, and the third to compressing the RGB channels. We fix the first rank to the number of batches and the third rank to the number of channels, i.e., 3. For the second rank, we search within the range 40 to 150. Figure 4 shows the accuracy and runtime of the model for different batch sizes for Tensor-Train decomposition with ranks ranging from 50 to 120 in steps of 5. The figure also shows how processing single images (batch size 1) differs from batch sizes of 5 and larger. When processing single images, the runtime increases as the rank grows; however, as the batch size increases, the runtime becomes less sensitive to the rank, and for batch size 50 it is almost constant across all ranks. Batch size 5 produces the highest accuracy, while batch size 10 has the lowest runtime. There is a trade-off between runtime and accuracy; depending on the priorities of the system, one might sacrifice accuracy for speed.

Figure 5 shows the effect of different batch sizes on the 3-mode-stacked representation. Plots for batch sizes 5, 10, and 20 are almost identical in both accuracy and runtime. Batch size 50 produces the highest accuracy with the 3-mode-stacked representation. However, the highest accuracy with 3-mode-stacked representation is lower than the highest accuracy achieved using the 4-mode representation.

Figure 4. (a) Accuracy, (b) Runtime. Accuracy and runtime of ResNet-v2 50 over 1000 images attacked by FGSM (). Tensor-Train decomposition is applied to a single image (batch size 1) or to a 4-mode tensor of batches of size 5, 10, 20, and 50 to defend against FGSM perturbations.

Figure 5. (a) Accuracy, (b) Runtime. Accuracy and runtime of ResNet-v2 50 over 1000 images attacked by FGSM (). Tensor-Train decomposition is applied to a single image (batch size 1) or to a 3-mode-stacked tensor of batches of size 5, 10, 20, and 50 to defend against FGSM perturbations.

4.3. Results

As mentioned in Section 3, Tensor-Train is much faster than Parafac and Tucker. Therefore, for Parafac and Tucker we only report the result of the configuration with the maximum accuracy, as a reference for comparison against Tensor-Train. Table 1 shows the results.

Configurations                               PGD ()   FGSM ()   i-FGSM ()   Runtime (seconds)
No defense                                   11.10    18.40     7.49
[Tensor-Train, 4-mode, 5, [5,90,3]]          51.53    43.59     50.46       675
[Tensor-Train, 4-mode, 10, [10,100,3]]       51.01    43.10     49.95       605
[Tensor-Train, 3-mode, 1, 40]                49.75    42.32     48.52       530
[Tucker, 3-mode-stacked, 30, [105,105,90]]   49.37    40.07     48.79       1050
[Parafac, 3-mode, 1, 60]                     48.11    41.38     49.75       5500
SLQ                                          44.60    29.40     38.60       410

Table 1. Summary of accuracies and runtimes of ResNet-v2 50 on the ImageNet validation set against FGSM, i-FGSM, and PGD adversarial attacks for defenses with different configurations.

As illustrated in Table 1, Tensor-Train outperforms Tucker and Parafac with respect to both accuracy and runtime. Tensor-Train applied to the 4-mode tensor produces the highest accuracy. As explained earlier, processing images in batches better captures the latent components corresponding to the perturbation by leveraging higher-order correlations. Tensor-Train can be used with different tensor representations (3-mode, 3-mode-stacked, or 4-mode) to adjust to the need for higher accuracy or higher speed. While the 4-mode representation produces the highest accuracy, the 3-mode single-image representation can be used to speed up the process, with a small drop in accuracy. SLQ is the fastest of all the defenses, but it has the lowest accuracy.

Patch size    Ranks       Accuracy   Runtime (seconds)
[50,50]       [5,20,3]    48.35      1100
[150,150]     [5,50,3]    50.96      765
No patching   [5,90,3]    50.48      710

Table 2. Accuracies and runtimes of ResNet-v2 50 on the ImageNet validation set against PGD adversarial attacks when vaccinated using Tensor-Train with a 4-mode tensor of batch size 5. The decomposition rank is randomly selected from a set of possible ranks. No patching is equivalent to using the full-size image.

4.4. Introducing Randomness to the Defense Framework

Incorporating some randomness into the defense framework makes the attacker's job more difficult, since a random strategy is harder to deal with than a fixed one. By selecting randomly from a set of ranks, we add randomness to the tensor decomposition process. Another way is to split the image into small patches, similar to the local patches of Shield, perform a decomposition of random rank on each patch, and stitch the patches back together to reconstruct a randomized low-rank approximation of the image. In the 4-mode tensor representation, splitting images into patches creates smaller 4-mode tensors; e.g., splitting a 4-mode tensor including 5 batches of images of size into patches of size creates 6 tensors of size . Table 2 shows the results of incorporating randomness into the tensor decomposition.

5. Conclusions

In this paper, we explored to what extent a low-rank tensor decomposition of perturbed images during the preprocessing step helps to defend against adversarial attacks. The low-rank approximation of the perturbed image is fed to the deep network for the task of classification. We evaluated our method against popular adversarial attacks: FGSM, I-FGSM, and PGD. We showed that considering images in small batches better captures the latent structure of perturbations and helps to improve the performance of the model. We also showed how different configurations allow trading off accuracy against runtime.