Rethinking Adversarial Examples Exploiting Frequency-Based Analysis

Sicong Han; Chenhao Lin; Chao Shen; Qian Wang

doi:10.1007/978-3-030-88052-1_5

Rethinking Adversarial Examples Exploiting Frequency-Based Analysis

Sicong Han
, Chenhao Lin
, Chao Shen
, Qian Wang

Faculty of Electronic and Information Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

6 Scopus citations

Abstract

Deep neural networks (DNNs) have been recently found vulnerable to adversarial examples. Several previous works attempt to relate the low-frequency or high-frequency parts of adversarial inputs with the robustness of models. However, these studies lack comprehensive experiments and thorough analyses and even yield contradictory results. This work comprehensively explores the connection between the robustness of models and properties of adversarial perturbations in the frequency domain using six classic attack methods and three representative datasets. We visualize the distribution of successful adversarial perturbations using Discrete Fourier Transform and test the effectiveness of different frequency bands of perturbations on reducing the accuracy of classifiers through a proposed quantitative analysis. Experimental results show that the characteristics of successful adversarial perturbations in the frequency domain can vary from dataset to dataset, while their intensities are greater in the effective frequency bands. We analyze the obtained phenomena by combining principles of attacks and properties of datasets and offer a complete view of adversarial examples from the frequency domain perspective, which helps to explain the contradictory parts of previous works and provides insights for future research.

Original language	English
Title of host publication	Information and Communications Security - 23rd International Conference, ICICS 2021, Proceedings
Editors	Debin Gao, Qi Li, Xiaohong Guan, Xiaofeng Liao
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	73-89
Number of pages	17
ISBN (Print)	9783030880514
DOIs	https://doi.org/10.1007/978-3-030-88052-1_5
State	Published - 2021
Event	23rd International Conference on Information and Communications Security, ICICS 2021 - Chongqing, China Duration: 19 Nov 2021 → 21 Nov 2021

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	12919 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	23rd International Conference on Information and Communications Security, ICICS 2021
Country/Territory	China
City	Chongqing
Period	19/11/21 → 21/11/21

Keywords

Adversarial examples
Frequency analysis
Model robustness

Access to Document

10.1007/978-3-030-88052-1_5

Cite this

Han, S., Lin, C., Shen, C., & Wang, Q. (2021). Rethinking Adversarial Examples Exploiting Frequency-Based Analysis. In D. Gao, Q. Li, X. Guan, & X. Liao (Eds.), Information and Communications Security - 23rd International Conference, ICICS 2021, Proceedings (pp. 73-89). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 12919 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-030-88052-1_5

Han, Sicong ; Lin, Chenhao ; Shen, Chao et al. / Rethinking Adversarial Examples Exploiting Frequency-Based Analysis. Information and Communications Security - 23rd International Conference, ICICS 2021, Proceedings. editor / Debin Gao ; Qi Li ; Xiaohong Guan ; Xiaofeng Liao. Springer Science and Business Media Deutschland GmbH, 2021. pp. 73-89 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{53777437dbce4e5ea17deafe4bfb434b,

title = "Rethinking Adversarial Examples Exploiting Frequency-Based Analysis",

abstract = "Deep neural networks (DNNs) have been recently found vulnerable to adversarial examples. Several previous works attempt to relate the low-frequency or high-frequency parts of adversarial inputs with the robustness of models. However, these studies lack comprehensive experiments and thorough analyses and even yield contradictory results. This work comprehensively explores the connection between the robustness of models and properties of adversarial perturbations in the frequency domain using six classic attack methods and three representative datasets. We visualize the distribution of successful adversarial perturbations using Discrete Fourier Transform and test the effectiveness of different frequency bands of perturbations on reducing the accuracy of classifiers through a proposed quantitative analysis. Experimental results show that the characteristics of successful adversarial perturbations in the frequency domain can vary from dataset to dataset, while their intensities are greater in the effective frequency bands. We analyze the obtained phenomena by combining principles of attacks and properties of datasets and offer a complete view of adversarial examples from the frequency domain perspective, which helps to explain the contradictory parts of previous works and provides insights for future research.",

keywords = "Adversarial examples, Frequency analysis, Model robustness",

author = "Sicong Han and Chenhao Lin and Chao Shen and Qian Wang",

note = "Publisher Copyright: {\textcopyright} 2021, Springer Nature Switzerland AG.; 23rd International Conference on Information and Communications Security, ICICS 2021 ; Conference date: 19-11-2021 Through 21-11-2021",

year = "2021",

doi = "10.1007/978-3-030-88052-1\_5",

language = "英语",

isbn = "9783030880514",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "73--89",

editor = "Debin Gao and Qi Li and Xiaohong Guan and Xiaofeng Liao",

booktitle = "Information and Communications Security - 23rd International Conference, ICICS 2021, Proceedings",

}

Han, S, Lin, C , Shen, C & Wang, Q 2021, Rethinking Adversarial Examples Exploiting Frequency-Based Analysis. in D Gao, Q Li, X Guan & X Liao (eds), Information and Communications Security - 23rd International Conference, ICICS 2021, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 12919 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 73-89, 23rd International Conference on Information and Communications Security, ICICS 2021, Chongqing, China, 19/11/21. https://doi.org/10.1007/978-3-030-88052-1_5

Rethinking Adversarial Examples Exploiting Frequency-Based Analysis. / Han, Sicong; Lin, Chenhao ; Shen, Chao et al.
Information and Communications Security - 23rd International Conference, ICICS 2021, Proceedings. ed. / Debin Gao; Qi Li; Xiaohong Guan; Xiaofeng Liao. Springer Science and Business Media Deutschland GmbH, 2021. p. 73-89 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 12919 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Rethinking Adversarial Examples Exploiting Frequency-Based Analysis

AU - Han, Sicong

AU - Lin, Chenhao

AU - Shen, Chao

AU - Wang, Qian

PY - 2021

Y1 - 2021

N2 - Deep neural networks (DNNs) have been recently found vulnerable to adversarial examples. Several previous works attempt to relate the low-frequency or high-frequency parts of adversarial inputs with the robustness of models. However, these studies lack comprehensive experiments and thorough analyses and even yield contradictory results. This work comprehensively explores the connection between the robustness of models and properties of adversarial perturbations in the frequency domain using six classic attack methods and three representative datasets. We visualize the distribution of successful adversarial perturbations using Discrete Fourier Transform and test the effectiveness of different frequency bands of perturbations on reducing the accuracy of classifiers through a proposed quantitative analysis. Experimental results show that the characteristics of successful adversarial perturbations in the frequency domain can vary from dataset to dataset, while their intensities are greater in the effective frequency bands. We analyze the obtained phenomena by combining principles of attacks and properties of datasets and offer a complete view of adversarial examples from the frequency domain perspective, which helps to explain the contradictory parts of previous works and provides insights for future research.

AB - Deep neural networks (DNNs) have been recently found vulnerable to adversarial examples. Several previous works attempt to relate the low-frequency or high-frequency parts of adversarial inputs with the robustness of models. However, these studies lack comprehensive experiments and thorough analyses and even yield contradictory results. This work comprehensively explores the connection between the robustness of models and properties of adversarial perturbations in the frequency domain using six classic attack methods and three representative datasets. We visualize the distribution of successful adversarial perturbations using Discrete Fourier Transform and test the effectiveness of different frequency bands of perturbations on reducing the accuracy of classifiers through a proposed quantitative analysis. Experimental results show that the characteristics of successful adversarial perturbations in the frequency domain can vary from dataset to dataset, while their intensities are greater in the effective frequency bands. We analyze the obtained phenomena by combining principles of attacks and properties of datasets and offer a complete view of adversarial examples from the frequency domain perspective, which helps to explain the contradictory parts of previous works and provides insights for future research.

KW - Adversarial examples

KW - Frequency analysis

KW - Model robustness

UR - https://www.scopus.com/pages/publications/85116014997

U2 - 10.1007/978-3-030-88052-1_5

DO - 10.1007/978-3-030-88052-1_5

M3 - 会议稿件

AN - SCOPUS:85116014997

SN - 9783030880514

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 73

EP - 89

BT - Information and Communications Security - 23rd International Conference, ICICS 2021, Proceedings

A2 - Gao, Debin

A2 - Li, Qi

A2 - Guan, Xiaohong

A2 - Liao, Xiaofeng

PB - Springer Science and Business Media Deutschland GmbH

T2 - 23rd International Conference on Information and Communications Security, ICICS 2021

Y2 - 19 November 2021 through 21 November 2021

ER -

Han S, Lin C , Shen C, Wang Q. Rethinking Adversarial Examples Exploiting Frequency-Based Analysis. In Gao D, Li Q, Guan X, Liao X, editors, Information and Communications Security - 23rd International Conference, ICICS 2021, Proceedings. Springer Science and Business Media Deutschland GmbH. 2021. p. 73-89. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-030-88052-1_5

Rethinking Adversarial Examples Exploiting Frequency-Based Analysis

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this