Simplicial-Map Neural Networks Robust to Adversarial Examples

Mathematics ◽  
2021 ◽  
Vol 9 (2) ◽  
pp. 169
Author(s):  
Eduardo Paluzo-Hidalgo ◽  
Rocio Gonzalez-Diaz ◽  
Miguel A. Gutiérrez-Naranjo ◽  
Jónathan Heras

Broadly speaking, an adversarial example against a classification model occurs when a small perturbation on an input data point produces a change on the output label assigned by the model. Such adversarial examples represent a weakness for the safety of neural network applications, and many different solutions have been proposed for minimizing their effects. In this paper, we propose a new approach by means of a family of neural networks called simplicial-map neural networks constructed from an Algebraic Topology perspective. Our proposal is based on three main ideas. Firstly, given a classification problem, both the input dataset and its set of one-hot labels will be endowed with simplicial complex structures, and a simplicial map between such complexes will be defined. Secondly, a neural network characterizing the classification problem will be built from such a simplicial map. Finally, by considering barycentric subdivisions of the simplicial complexes, a decision boundary will be computed to make the neural network robust to adversarial attacks of a given size.


2020 ◽  
Vol 9 (2) ◽  
pp. 285
Author(s):  
Putu Wahyu Tirta Guna ◽  
Luh Arida Ayu Ayu Rahning Putri

Not many people know that endek cloth itself has 4 known variances. Nowadays, computing and classification algorithms can be implemented to solve classification problems with respect to the feature data as input. We can use this computing power to digitalize these endek patterns. The feature extraction algorithm used in this research is GLCM, and these data will act as input for the neural network model later. There are many optimizer algorithms to use in the back propagation phase. In this research we prefer to use Adam, which is one of the newest and most popular optimizer algorithms. To compare its performance we also use SGD, which is an older and popular optimizer algorithm. Later we find that the Adam algorithm generates 33% accuracy, which is better than what the SGD algorithm gives, which is 23% accuracy. A longer epoch also affects overall model accuracy.



Author(s):  
Chunlong Fan ◽  
Cailong Li ◽  
Jici Zhang ◽  
Yiping Teng ◽  
Jianzhong Qiao

Neural network technology has achieved good results in many tasks, such as image classification. However, for some input examples of neural networks, after the addition of designed and imperceptible perturbations to the examples, these adversarial examples can change the output results of the original examples. For image classification problems, we derive low-dimensional attack perturbation solutions on multidimensional linear classifiers and extend them to multidimensional nonlinear neural networks. Based on this, a new adversarial example generation algorithm is designed to modify a specified number of pixels. The algorithm adopts a greedy iterative strategy, and gradually iteratively determines the importance and attack range of pixel points. Finally, experiments demonstrate that the algorithm-generated adversarial example is of good quality, and the effects of key parameters in the algorithm are also analyzed.



2020 ◽  
Vol 39 (5) ◽  
pp. 7085-7095
Author(s):  
Shuqi Liu ◽  
Mingwen Shao ◽  
Xinping Liu

In recent years, deep neural networks have made significant progress in image classification, object detection and face recognition. However, they still have the problem of misclassification when facing adversarial examples. In order to address this security issue and improve the robustness of the neural network, we propose a novel defense network based on a generative adversarial network (GAN). The distributions of clean and adversarial examples are matched to solve the mentioned problem. This guides the network to remove invisible noise accurately, and restore the adversarial example to a clean example to achieve the effect of defense. In addition, in order to maintain the classification accuracy of clean examples and improve the fidelity of the neural network, we input clean examples into the proposed network for denoising. Our method can effectively remove the noise of the adversarial examples, so that the denoised adversarial examples can be correctly classified. In this paper, extensive experiments are conducted on five benchmark datasets, namely MNIST, Fashion-MNIST, CIFAR10, CIFAR100 and ImageNet. Moreover, six mainstream attack methods are adopted to test the robustness of our defense method, including FGSM, PGD, MIM, JSMA, CW and Deep-Fool. Results show that our method has strong defensive capabilities against the tested attack methods, which confirms the effectiveness of the proposed method.



2021 ◽  
Vol 7 (2) ◽  
pp. 303-306
Author(s):  
Ning Ding ◽  
Knut Möller

Deep neural networks have shown effectiveness in many applications; however, in regulated applications like automotive or medicine, quality guarantees are required. Thus, it is important to understand the robustness of the solutions to perturbations in the input space. In order to identify the vulnerability of a trained classification model and evaluate the effect of different perturbations in the input on the output class, two different methods to generate adversarial examples were implemented. The adversarial images created were developed into a robustness index to monitor the training state and safety of a convolutional neural network model. In future work, some generated adversarial images will be included in the training phase to improve the model robustness.



Author(s):  
Felix Specht ◽  
Jens Otto

Condition monitoring systems based on deep neural networks are used for system failure detection in cyber-physical production systems. However, deep neural networks are vulnerable to attacks with adversarial examples. Adversarial examples are manipulated inputs, e.g. sensor signals, that are able to mislead a deep neural network into misclassification. A consequence of such an attack may be the manipulation of the physical production process of a cyber-physical production system without being recognized by the condition monitoring system. This can result in a serious threat for production systems and employees. This work introduces an approach named CyberProtect to prevent misclassification caused by adversarial example attacks. The approach generates adversarial examples for retraining a deep neural network, which results in a hardened variant of the deep neural network. The hardened deep neural network sustains a significantly better classification rate (82% compared to 20%) while under attack with adversarial examples, as shown by empirical results.



Vestnik MEI ◽  
2021 ◽  
Vol 3 (3) ◽  
pp. 103-109
Author(s):  
Andrey I. Mamontov ◽  

In solving the classification problem, a fully connected trainable neural network (with adjusting the parameters represented by double-precision real numbers) is used as a mathematical model. After the training is completed, the neural network parameters are rounded and represented as fixed-point numbers (integers). The aim of the study is to reduce the required amount of the computing system memory for storing the obtained integer parameters. To reduce the amount of memory, the following methods for storing integer parameters are developed, which are based on representing the linear polynomials included in a fully connected neural network using compositions of simpler functions: - a method based on representing the considered polynomial as a sum of simpler polynomials; - a method based on separately storing the information about additions and multiplications. In the experiment with the MNIST data set, it took 1.41 MB to store real parameters of a fully connected neural network, 0.7 MB to store integer parameters without using the proposed methods, 0.47 MB in the RAM and 0.3 MB in compressed form on the disk when using the first method, and 0.25 MB on the disk when using the second method. In the experiment with the USPS data set, it took 0.25 MB to store real parameters of a fully connected neural network, 0.1 MB to store integer parameters without using the proposed methods, 0.05 MB in the RAM and approximately the same amount in compressed form on the disk when using the first method, and 0.03 MB on the disk when using the second method. The study results can be applied in using fully connected neural networks to solve various recognition problems under the conditions of limited hardware capacities.



2020 ◽  
Vol 2020 (10) ◽  
pp. 54-62
Author(s):  
Oleksii VASYLIEV ◽  

The problem of applying neural networks to calculate ratings used in banking in the decision-making process on granting or not granting loans to borrowers is considered. The task is to determine the rating function of the borrower based on a set of statistical data on the effectiveness of loans provided by the bank. When constructing a regression model to calculate the rating function, it is necessary to know its general form. If so, the task is to calculate the parameters that are included in the expression for the rating function. In contrast to this approach, in the case of using neural networks, there is no need to specify the general form for the rating function. Instead, certain neural network architecture is chosen and parameters are calculated for it on the basis of statistical data. Importantly, the same neural network architecture can be used to process different sets of statistical data. The disadvantages of using neural networks include the need to calculate a large number of parameters. There is also no universal algorithm that would determine the optimal neural network architecture. As an example of the use of neural networks to determine the borrower's rating, a model system is considered, in which the borrower's rating is determined by a known non-analytical rating function. A neural network with two inner layers, which contain, respectively, three and two neurons and have a sigmoid activation function, is used for modeling. It is shown that the use of the neural network allows restoring the borrower's rating function with quite acceptable accuracy.



2021 ◽  
Vol 0 (0) ◽  
Author(s):  
Idris Kharroubi ◽  
Thomas Lim ◽  
Xavier Warin

We study the approximation of backward stochastic differential equations (BSDEs for short) with a constraint on the gains process. We first discretize the constraint by applying a so-called facelift operator at times of a grid. We show that this discretely constrained BSDE converges to the continuously constrained one as the mesh grid converges to zero. We then focus on the approximation of the discretely constrained BSDE. For that we adopt a machine learning approach. We show that the facelift can be approximated by an optimization problem over a class of neural networks under constraints on the neural network and its derivative. We then derive an algorithm converging to the discretely constrained BSDE as the number of neurons goes to infinity. We end by numerical experiments.



Author(s):  
Saša Vasiljević ◽  
Jasna Glišović ◽  
Nadica Stojanović ◽  
Ivan Grujić

According to the World Health Organization, air pollution with PM10 and PM2.5 (PM-particulate matter) is a significant problem that can have serious consequences for human health. Vehicles, as one of the main sources of PM10 and PM2.5 emissions, pollute the air and the environment both by creating particles by burning fuel in the engine, and by wearing of various elements in some vehicle systems. In this paper, the authors conducted the prediction of the formation of PM10 and PM2.5 particles generated by the wear of the braking system using a neural network (Artificial Neural Networks (ANN)). In this case, the neural network model was created based on the generated particles that were measured experimentally, while the validity of the created neural network was checked by means of a comparative analysis of the experimentally measured amount of particles and the prediction results. The experimental results were obtained by testing on an inertial braking dynamometer, where braking was performed in several modes, that is, under different braking parameters (simulated vehicle speed, brake system pressure, temperature, braking time, braking torque). During braking, the concentration of PM10 and PM2.5 particles was measured simultaneously. A total of 196 measurements were performed and these data were used for training, validation, and verification of the neural network. When it comes to simulation, a comparison of two types of neural networks was performed, with one output and with two outputs. For each type, network training was conducted using three different algorithms of backpropagation methods. For each neural network, a comparison of the obtained experimental and simulation results was performed. More accurate prediction results were obtained by the single-output neural network for both particulate sizes, while the smallest error was found in the case of a trained neural network using the Levenberg-Marquardt backward propagation algorithm.
The aim of creating such a prediction model is to prove that by using neural networks it is possible to predict the emission of particles generated by brake wear, which can be further used for modern traffic systems such as traffic control. In addition, this wear algorithm could be applied on other vehicle systems, such as a clutch or tires.



Electronics ◽  
2020 ◽  
Vol 10 (1) ◽  
pp. 52
Author(s):  
Richard Evan Sutanto ◽  
Sukho Lee

Several recent studies have shown that artificial intelligence (AI) systems can malfunction due to intentionally manipulated data coming through normal channels. Such kinds of manipulated data are called adversarial examples. Adversarial examples can pose a major threat to an AI-led society when an attacker uses them as means to attack an AI system, which is called an adversarial attack. Therefore, major IT companies such as Google are now studying ways to build AI systems which are robust against adversarial attacks by developing effective defense methods. However, one of the reasons why it is difficult to establish an effective defense system is that it is difficult to know in advance what kind of adversarial attack method the opponent is using. Therefore, in this paper, we propose a method to detect the adversarial noise without knowledge of the kind of adversarial noise used by the attacker. To this end, we propose a blurring network that is trained only with normal images and also use it as an initial condition of the Deep Image Prior (DIP) network. This is in contrast to other neural network based detection methods, which require the use of many adversarial noisy images for the training of the neural network. Experimental results indicate the validity of the proposed method.


