Defending Against Adversarial Examples Via Modeling Adversarial Noise

Zhou, Dawei
Wang, Nannan
Han, Bo
Liu, Tongliang
Gao, Xinbo
Department
Machine Learning
Type
Journal article
Date
2025
Language
English
Abstract
Adversarial examples have become a major threat to the reliable application of deep learning models. Meanwhile, this issue promotes the development of adversarial defenses. Adversarial noise contains well-generalizing and misleading features, which can manipulate predicted labels to be flipped maliciously. Motivated by this, we study modeling adversarial noise for defending against adversarial examples by learning the transition relationship between adversarial labels (i.e., flipped labels caused by adversarial noise) and natural labels (i.e., real labels of natural samples). In this work, we propose an adversarial defense method from the perspective of modeling adversarial noise. Specifically, we construct an instance-dependent label transition matrix to represent the label transition relationship for explicitly modeling adversarial noise. The label transition matrix is obtained from the input sample by leveraging a label transition network. By exploiting the label transition matrix, we can infer the natural label from the adversarial label and thus correct wrong predictions misled by adversarial noise. Additionally, to enhance the robustness of the label transition network, we design an adversarial robustness constraint at the transition matrix level. Experimental results demonstrate that our method effectively improves the robust accuracy against multiple attacks and exhibits great performance in detecting adversarial input samples.
Citation
D. Zhou, N. Wang, B. Han, T. Liu, and X. Gao, “Defending Against Adversarial Examples Via Modeling Adversarial Noise,” International Journal of Computer Vision 2025, pp. 1–18, May 2025, doi: 10.1007/S11263-025-02467-7.
Source
International Journal of Computer Vision
Keywords
Adversarial attack, Adversarial defense, Modeling adversarial noise, Transition matrix
Publisher
Springer Nature