FenceBox: A Platform for Defeating Adversarial Examples with Data Augmentation Techniques

This operation adds randomness to the basic affine transformations. Three basic preprocessing procedures (translation, rotation, and scaling) are integrated to remove the adversarial perturbation on AEs. As a result, this method contains three coefficients for the three affine transformations: the translation limit $T$, the rotation limit $R$, and the scaling limit $S$. The coefficients used in FenceBox are: $T=0.16$, $R=4$, and $S=0.16$.

For each image to be preprocessed, (1) it will be first shifted up by $\Delta_{y}$ pixels, and shifted left by $\Delta_{x}$ pixels. Here $\Delta_{y}$ and $\Delta_{x}$ are separately acquired by $\Delta=\delta\times l$, where $l$ is the side length and $\delta$ is acquired from a uniform distribution in the range of $(-T,T)$. (2) Then, the input sample will be rotated by $\delta_{r}\times\pi/180$ degrees, where $\delta_{r}$ is acquired from a uniform distribution in the range of $(-R,R)$. (3) Finally, the image’s height and width will be scaled up to $\delta_{s}$ times, where $\delta_{s}$ is sampled from a uniform distribution in the range of $(1-S,1+S)$. If $\delta_{s}$ is larger than 1, the final output will be obtained following a center cropping procedure to attain the original size. Otherwise, a center zero-padding will be adopted to output the original size.

Cropping is a widely adopted augmentation technique in the computer vision domain to inflate the training dataset [38, 39]. [17] adopted random cropping with a kernel size of $90\times 90$ to defeat gradient-based adversarial attacks In FenceBox, we further develop RSCA, a cropping strategy with random sized kernels to enhance the defense results. RSCA has two coefficients: the minimum limitation $\theta$ and the aspect ration of cropping $\eta$. We choose $\theta=0.66$ and $\eta=0.91$ in FenceBox to get the optimal defense results.

This operation first sets the new height of the cropped image as $h_{new}\in(h\times\theta,h)$, and the new width as $w_{new}=\left\lfloor h_{new}\times\eta\right\rfloor$. The coordinate $y_{1}$ for the crop is set as $y1=\left\lfloor(h-h_{new})\times{rand}_{h}\right\rfloor$, and $y_{2}$ is by adding $h_{new}$ to $y_{1}$. The coordinates $x_{1}$ and $x_{2}$ can be calculated following this same strategy with ${rand}_{w}$, where ${rand}_{h}$ and ${rand}_{w}$ are sampled independently from ${U}(0,1)$. Then the original input is cropped with those four coordinates. Finally, the output image is obtained by resizing the image to its original size.

Padding is another widely adopted data augmentation technique in deep learning tasks. In [19], a random padding layer is added to the target model to protect the classification results from adversarial attacks. Following this strategy, we present an advanced random padding technique, RSPA. It has only one coefficient, the scaling limit $\lambda$. We set this value as 1.3 in our platform.

This operation first sets $\lambda_{h}=\lambda\times h$ as the maximum bound size for the scaling. Then it resizes the image to $(h_{new},h_{new})$, where $h_{new}$ is an integer acquired from $U(h,\lambda_{h})$. It randomly selects a pixel from the resized image as the center of padding and pad the image to the shape of $(\lambda_{h},\lambda_{h})$ with a value of 0.5. Finally, the output is acquired by resizing the image to the original shape.

Simard et al. [40] proposed a data augmentation method, Elastic Distortions Transform, to expand the training dataset with respect to convolutional layers. With this operation, each pixel is displaced with elastic deformation, which can presumably remove adversarial perturbations. Elastic Transformation can randomly produce a more distorted image than the operations based on affine distortion (SAT, RSCA, RSPA, RDG [28]). This can be visually observed in Figure 1. In FenceBox, we design SET, an improved Elastic Transformation with randomness to further reduce the effects of adversarial attacks. SET can be interpreted as a two-stage process, where the first stage conducts a random basic affine transformation, followed by a random elastic distortion using Gaussian filter globally. Three coefficients are concerned in SET, the scale limit for the basic scaling procedure $\theta$, the standard deviation of the Gaussian kernel $\sigma$, and the elastic distortion scale index $\alpha$. The optimal values through testing are $\theta=20$, $\sigma=10$, and $\alpha=60$.

For each input, we first compute the expected affine effects by adding a random value $\delta\in U(-\theta,\theta)$ to the three pixels’ coordinates. A random affine matrix is calculated based on the original coordinates and the processed coordinates. Then we apply this affine transformation globally according to the affine matrix. We generate two matrices of the same shape with each value randomly sampled from $U(-1,1)$. We compute the variation maps ($\delta_{x}$ and $\delta_{y}$) for horizontal and vertical coordinates, by multiplying $\alpha$ with the convolution result of the random matrices and Gaussian kernel with a standard deviation of $\sigma$. The maps for remapping is obtained by adding $\delta_{x}$ to each horizontal coordinates, and $\delta_{y}$ to each vertical coordinates. Using these new coordinates, SET finally outputs the distorted image.

This technique was first proposed in [28] to invalidate the BPDA attack. The preprocessed images from RDG look quite similar to the ones from SET, as both of them conduct a remapping procedure to translate or distort the pixels away from each other. Different from SET which uses a Gaussian kernel to implement random distortion globall, RDG builds up grids vertically and horizontally to constrain the distortion in between. This can maintain a higher accuracy on clean samples. To tune RDG, two coefficients should be taken into consideration: the number of grids $d$, and the distortion limit $\delta$. The optimal coefficients used in FenceBox are $d=26$, $\delta=0.33$.

RDG first selects a corner to start generating $d$ grids uniformly. Between each two grids, it generates a distortion index $\Delta\in U(-\delta,\delta)$ and multiply it with the corresponding coordinates to get new coordinates. The newly coordinates is then used to map the original pixels to produce a distorted image.

This method [32] is based on the standard JPEG compression. Since the adversarial perturbations could also exist inside the low-frequency bands which are normally ignored by naive JPEG, FD introduces an upgraded JPEG quantization operation to preprocess the input images. It measures the importance of input features for DNNs but not for human eyes by leveraging the statistical frequency component analysis within the DCT of JPEG. The adoption of this quantization operation can significantly improve the defense strength. This method can be further recursively deployed to improve the defense results.

This technique [41] conducts a simple quantization procedure over the input image to squeeze the 8-bit (for each channel in the RGB image) images to fewer bits. For instance, for a sample from the ImageNet dataset, each pixel has three values for three channels of RGB ranging from 0 to 255, which can be represented by 8-bit. By conducting the shifting procedure to each pixel, we can attain images represented by fewer bits, thus the possible number of pixel values is reduced. Previous work [41] demonstrated that BdR can achieve a satisfactory defense result against various standard adversarial attacks, especially for small-scale image datasets (MNIST and CIFAR-10). However, effectiveness of this method against more advanced attacks are never considered. In FenceBox, we adopt the same coefficients as in [41], which downgrade the depth to 3-bit.

This approach [20] aims to randomize the quantization operation by assigning a different quantization factor for each window during the JPEG compression process. The Stochastic Local Quantization (SLQ) method is used to divide an image into $8\times 8$ blocks and apply a randomly selected JPEG compression quality (tuning quantization factors) to every block. SHIELD can achieve a slight improvement of classification accuracy than naive JPEG compression. However, it is unknown whether it can be used to defeat advanced adversarial attacks. In FenceBox, we adopt the same coefficients as [20].

We designed R-JPEG, a novel compression technique by adding randomness to the quantization factor. Different from SHIELD which adopts different quantization factors for different blocks, R-JPEG samples a random value from $U(Q_{min},Q_{max})$ for all the windows as the quantization factor, where $Q_{min}$ and $Q_{max}$ are the two boundaries for the randomized quantization factor. As a result, the block generation and quantization value assignment is simplified, making R-JPEG more lightweight. Our evaluations indicate that R-JPEG can achieve a similar defense result as SHIELD. The coefficients are set as $Q_{min}=20$, $Q_{max}=80$ in FenceBox.

This technique [42] was originally proposed to improve the image compression rate, to meet the trend that high-resolution images are becoming more common in recent years [43]. Lossy WebP compression adopts predictive coding to encode an image, which uses the values in neighboring blocks of pixels to predict the values in a block and then only encodes the difference [42]. Similar to JPEG compression, WebP also includes a quantization procedure. Thus, a coefficient is also introduced to control the quantization scale. By adding randomness to this factor, R-WebP can achieve a better defense result against adversarial examples. Similar to R-JPEG, we sample a random quantization factor for each different input image from $U(Q_{min},Q_{max})$.

Motion blur is ubiquitous in real-world photography, especially with resource-constrained devices, e.g., cell phones, on-board cameras [44]. Past works [8] have demonstrated that realistic settings like motion blur caused by certain angles and noise can invalidate adversarial examples. Hence, we propose SMB, which inject randomness to the process of a simulation of motion blur to remove adversarial perturbations. The motion blur in this method is achieved by convoluting a small-size normalized kernel globally.

Specifically, SMB first selects a random value $\phi$ from $U(3,\delta)$ as the size of the blurring kernel, where $\delta$ represents the blurring limit. Then a kernel with a random size of $(\phi,\phi)$ is generated by randomly drawing a straight line on the $(\phi,\phi)$ shaped white canvas. After normalizing the kernel, we move and convolute this kernel globally on the input to apply the motion blur. We set the value of $\delta$ as 9 to ensure model accuracy and defense effects concurrently.

Glass Blur was proposed in [45] to evaluate the robustness of neural networks against common corruptions and perturbations. It simulates the effects of looking through a frosted glass. We add randomness into the Glass Blur process to further hinder the generation of adversarial examples. In [45], only 5 sets of coefficients are adopted as the severity index ranging from 1 to 5. In FenceBox, We further enlarge the set of coefficients to add higher randomness to the preprocessing. For each sample, Our Stochastic Glass Blur method conducts a stochastic initialization: it first selects a random standard deviation $\sigma$ from $U(0.7,1.5)$ as the Gaussian kernel, a random distance limit $\delta_{max}$ from from $[1,2,3,4]$ for pixels to be swapped , and a random number of interactions $I$ from $[1,2,3]$ to conduct the operation.

It has been shown that most of the Neural Networks are robust against certain amount of Gaussian Noise. Thus, the injection of Gaussian Noise to some extent can remove or obfuscate adversarial perturbations without harming the classification result. We improve this strategy by adding a constraint range with the standard deviation to ensure higher randomness and model accuracy at the same time. For each sample, our Random Gaussian Noise technique produces a random value from $\sigma_{min},\sigma_{max}$ as the standard deviation for the Gaussian Noise generator. Our evaluations suggest $\sigma_{min}=0.0005$, $\sigma_{max}=0.005$ and a mean value of $0$ for the Gaussian function as the optimal coefficients for the defense.

Coarse Dropout and Cutout are simple image distortion methods to cut off small boxes from the original input. This method is evaluated for the robustness of a deep learning network in [45]. Since adversarial examples have less robustness than clean images [17], this dropout strategy can potentially counter a number of adversarial attacks. We designed a new strategy, RSCD, which includes randomness to the coefficients of the Coarse Dropout procedure for better defense effects against adversarial attacks. RSCD randomly drops $n$ boxes, where $n$ is sampled from $\left\lfloor U(0,\lambda)\right\rfloor$. Each box is within the height of $h$ pixels and width of $w$ pixels, where $h$ and $w$ are sampled from $\left\lfloor U(1,\rho)\right\rfloor$ independently. The locations of those boxes over the entire image follow a uniform distribution ranging from $0$ to the original side length of the input. The optimal coefficients we evaluate to achieve the best defense effects are $\lambda=8$, and $\rho=8$.

This technique [18] adds random noise that are not sensitive to the DNN model to mitigate adversarial attacks. The conduction of deflection is to randomly sample a pixel from the input image and replace it with another randomly selected pixel within a small square neighborhood. Such a procedure can generate artificial noise that incur negligible impact on the DNN model, but disturb the adversarial perturbations. The introduction of such randomness can achieve satisfactory defense results against standard attacks [18]. However, whether it can mitigate advanced attacks is never explored. We include it in FenceBox as a potential (part of the) defense solution.

We follow the same setup in Section 5.1. We consider the EOT and BPDA+EOT attacks. For EOT, we select an ensemble size of 30 for calculating the expected gradients³³3We tested different ensemble sizes from 2 to 40. These sizes have little influence on ASR and ACC. A larger ensemble size can generate AEs smaller than $l_{2}$.. We select RDG as $g_{1}$ and FD as $g_{2}$. We measure the performance of individual RDG, FD and their combination FD+RDG under BPDA, EOT and BPDA+EOT attacks. The ACC and ASR are shown in TABLE IV and TABLE V, respectively.

We observe that a single RDG is vulnerable to EOT with an ACC of 0.09 and ASR of 0.82. FD is able to defeat EOT, but has a low ACC (0.39) for the BPDA bounded attack. However, if we concatenate the RDG and FD together as FD+RDG, we can get a good defense solution that significantly outperforms each individual function: it has a better ACC than RDG under the BPDA bounded attack and can maintain ACC as 0.60 for 50 rounds of the BPDA+EOT attack. Moreover, the ASR of BPDA+EOT at 50 rounds is only 0.06. We perform more rounds of the attack until the images with adversarial perturbations reach the bound ($l_{2}=0.05$). FD+RDG is able to maintain a model accuracy of 58% and reduce the attack success rate below 7%.

We consider more sophisticated attacks. Although the adversary cannot use EOT to attack the entire preprocessing function $g(\cdot)$, it is possible that he can generate AEs only based on the differentiable component. In our case, the adversary can ignore the existence of $g_{2}$ and perform EOT on the operation $g_{1}$ only. With the generated AE, the adversary can test if it can defeat $g_{2}$ as well. He can repeat the above procedure until a proper AE is found that can fool both $g_{1}$ and $g_{2}$. Figure 3(a) and 3(b) show the ACC and ASR of this adaptive attack (red line with dots) versus the baseline case without any defenses (green line with triangle). We can observe that after 50 rounds, the ACC of FD+RDG is 40% and the ASR is 40%.

Although this attack can defeat FD+RDG to some extent, it is not very practical as the cost of generating such adversarial examples is very high. It is worth noting that in this attack, EOT is used to target the randomization operation $g_{1}$ only. For the non-differentiable operation $g_{2}$ (i.e., FD), the adversary has to use a brute-force fashion to handle: trying different AEs generated from EOT targeting only $g_{1}$ until an AE is discovered that can fool $g_{1}\circ g_{2}$. Its attack success rate is highly dependent on the robustness of $g_{2}$: a stronger $g_{2}$ can significantly increase the attack cost or even totally mitigate it. For instance, we can follow the idea in [32] to stack one extra FD operation in $g$: FD$\times 2$+RDG. Then the ACC after 50 rounds increases to 55% and the ASR drops to 17% (orange line with pentagon in Figure 3). We can further increase the robustness of $g_{2}$ with FD$\times 3$ operations, and the defense results are better (orange line with triangle). TABLE VI shows the attack rounds required to reach specific ASRs. This can also validate our conclusions.