Masters Theses

Date of Award

8-2020

Degree Type

Thesis

Degree Name

Master of Science

Major

Computer Science

Major Professor

Amir Sadovnik

Committee Members

Jens Gregor, Jian Liu

Abstract

The field of computer vision and deep learning is known for its ability to recognize images with extremely high accuracy. Convolutional neural networks exist that can correctly classify 96% of 1.2 million images of complex scenes. However, with just a few carefully positioned, imperceptible changes to the pixels of an input image, an otherwise accurate network will misclassify this almost identical image with high confidence. These perturbed images are known as "adversarial examples" and expose that convolutional neural networks do not necessarily "see" the world in the way that humans do. This work focuses on increasing the robustness of classifiers to these adversarial examples using image filtering. The goal of this work is to find a middle ground between state-of-the-art accuracy and robustness in defense even as the adversary strength increases. This work focuses on images from three data sets: the MNIST Dataset of Handwritten Digits, CIFAR-10, and a custom data set collected using a cross-reference of ImageNet and CINIC-10. Two types of classifiers are made robust in this work: support vector machines and convolutional neural networks. Two types of adversarial attacks are compared and contrasted as multiple image processing techniques are applied to the affected data sets. For smaller images, it is found that resizing the image or blurring the image using the Gaussian filter are the most effective techniques for increasing robustness. The Gaussian blur improved classification accuracy from 8% to 65% on the strongest attack in the CIFAR-10 data set. For larger images, it was found that a sequence of the median and Gaussian filters masks the adversarial noise most effectively, and is the most robust defense when used in combination with a model trained on images filtered with the same technique. The largest improvement using this method increased image classification accuracy from 7% to 57% when applied to the strongest adversarial attack.
