Defend Against Adversarial Samples by Using Perceptual Hash

作     者：Changrui Liu Dengpan Ye Yueyun Shang Shunzhi Jiang Shiyu Li Yuan Mei Liqiang Wang 

作者机构：Key Laboratory of Aerospace Information Security and Trusted ComputingMinistry of EducationSchool of Cyber Science and EngineeringWuhan UniversityWuhan430072China School of Mathematics and StatisticsSouth Central University for NationalitiesWuhan430074China University of Central Florida4000 Central Florida Blvd.OrlandoFlorida32816USA 

出 版 物：《Computers, Materials & Continua》 (计算机、材料和连续体（英文）)

年 卷 期：2020年第62卷第3期

页      面：1365-1386页

核心收录：

学科分类：0831[工学-生物医学工程（可授工学、理学、医学学位）] 0808[工学-电气工程] 0809[工学-电子科学与技术（可授工学、理学学位）] 08[工学] 0805[工学-材料科学与工程（可授工学、理学学位）] 0701[理学-数学] 0812[工学-计算机科学与技术（可授工学、理学学位）] 0801[工学-力学（可授工学、理学学位）] 

基　　金：The work is supported by the National Key Research Development Program of China(2016QY01W0200) the National Natural Science Foundation of China NSFC(U1636101,U1736211,U1636219). 

主　　题：Image classifiers deep neural networks adversarial samples attack defense perceptual hash image similarity 

摘      要：Image classifiers that based on Deep Neural Networks(DNNs)have been proved to be easily fooled by well-designed perturbations.Previous defense methods have the limitations of requiring expensive computation or reducing the accuracy of the image classifiers.In this paper,we propose a novel defense method which based on perceptual hash.Our main goal is to destroy the process of perturbations generation by comparing the similarities of images thus achieve the purpose of defense.To verify our idea,we defended against two main attack methods(a white-box attack and a black-box attack)in different DNN-based image classifiers and show that,after using our defense method,the attack-success-rate for all DNN-based image classifiers decreases significantly.More specifically,for the white-box attack,the attack-success-rate is reduced by an average of 36.3%.For the black-box attack,the average attack-success-rate of targeted attack and non-targeted attack has been reduced by 72.8%and 76.7%respectively.The proposed method is a simple and effective defense method and provides a new way to defend against adversarial samples.