Abstract
Low-rank matrix decomposition with first-order total variation (TV) regularization exhibits excellent performance in exploration of image structure. Taking advantage of its excellent performance in image denoising, we apply it to improve the robustness of deep neural networks. However, although TV regularization can improve the robustness of the model, it reduces the accuracy of normal samples due to its over-smoothing. In our work, we develop a new low-rank matrix recovery model, called LRTGV, which incorporates total generalized variation (TGV) regularization into the reweighted low-rank matrix recovery model. In the proposed model, TGV is used to better reconstruct texture information without over-smoothing. The reweighted nuclear norm and L1-norm can enhance the global structure information. Thus, the proposed LRTGV can destroy the structure of adversarial noise while re-enhancing the global structure and local texture of the image. To solve the challenging optimal model issue, we propose an algorithm based on the alternating direction method of multipliers. Experimental results show that the proposed algorithm has a certain defense capability against black-box attacks, and outperforms state-of-the-art low-rank matrix recovery methods in image restoration.
摘要
一阶全变分(TV)正则化的低秩矩阵分解在恢复图像结构上表现出优异性能。利用全变分在图像去噪方面的优异性能,提高深度神经网络鲁棒性。然而,尽管一阶全变分正则化可以提高模型鲁棒性,但其过度平滑降低了干净样本的准确率。本文提出一种新的低秩矩阵恢复模型,称为LRTGV,该模型将广义全变分(TGV)正则化引入到重加权低秩矩阵恢复模型。在所构建的模型中,TGV可以在不过度平滑的情况下更好地重建图像纹理信息。重加权核范数和L1范数可以增强全局结构信息。因此,本文所提出的LRTGV模型在破坏对抗噪声结构的同时能增强图像全局结构和局部纹理信息。为解决具有挑战性的最优模型问题,本文提出一种基于交替方向乘子法的算法。实验结果表明,该算法对黑盒攻击具有一定防御能力,并且在图像恢复方面优于现有低秩矩阵恢复方法。
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
Data availability
The data that support the findings of this study are available from the corresponding author upon reasonable request.
References
Bredies K, Kunisch K, Pock T, 2010. Total generalized variation. SIAM J Imag Sci, 3(3):492–526. https://doi.org/10.1137/090769521
Buckman J, Roy A, Raffel C, et al., 2018. Thermometer encoding: one hot way to resist adversarial examples. 6th Int Conf on Learning Representations.
Candès EJ, Wakin MB, Boyd SP, 2008. Enhancing sparsity by reweighted l1 minimization. J Fourier Anal Appl, 14(5–6):877–905. https://doi.org/10.1007/s00041-008-9045-x
Candès EJ, Li XD, Ma Y, et al., 2011. Robust principal component analysis? J ACM, 58(3):11. https://doi.org/10.1145/1970392.1970395
Cao FL, Cai MM, Tan YP, 2015. Image interpolation via low-rank matrix completion and recovery. IEEE Trans Circ Syst Video Technol, 25(8):1261–1270. https://doi.org/10.1109/TCSVT.2014.2372351
Carlini N, Wagner D, 2017. Towards evaluating the robustness of neural networks. IEEE Symp on Security and Privacy, p.39-57. https://doi.org/10.1109/SP.2017.49
Deng Y, Dai QH, Liu RS, et al., 2013. Low-rank structure learning via nonconvex heuristic recovery. IEEE Trans Neur Netw Learn Syst, 24(3):383–396. https://doi.org/10.1109/TNNLS.2012.2235082
Dong WS, Zhang L, Shi GM, et al., 2013. Nonlocally centralized sparse representation for image restoration. IEEE Trans Image Process, 22(4):1620–1630. https://doi.org/10.1109/TIP.2012.2235847
Dong XY, Han JF, Chen DD, et al., 2020. Robust superpixel-guided attentional adversarial attack. IEEE/CVF Conf on Computer Vision and Pattern Recognition, p.12892-12901. https://doi.org/10.1109/CVPR42600.2020.01291
Dong YP, Liao FZ, Pang TY, et al., 2018. Boosting adversarial attacks with momentum. IEEE/CVF Conf on Computer Vision and Pattern Recognition, p.9185-9193. https://doi.org/10.1109/CVPR.2018.00957
Efros AA, Freeman WT, 2001. Image quilting for texture synthesis and transfer. Proc 28th Annual Conf on Computer Graphics and Interactive Techniques, p.341-346. https://doi.org/10.1145/383259.383296
Goodfellow IJ, Shlens J, Szegedy C, 2015. Explaining and harnessing adversarial examples. https://arxiv.org/abs/1412.6572
Gu SH, Xie Q, Meng DY, et al., 2017. Weighted nuclear norm minimization and its applications to low level vision. Int J Comput Vis, 121(2):183–208. https://doi.org/10.1007/s11263-016-0930-5
Guo C, Rana M, Cisse M, et al., 2018. Countering adversarial images using input transformations. https://arxiv.org/abs/1711.00117
Guo WH, Qin J, Yin WT, 2014. A new detail-preserving regularization scheme. SIAM J Imag Sci, 7(2):1309–1334. https://doi.org/10.1137/120904263
Guo XJ, Lin ZC, 2018. Low-rank matrix recovery via robust outlier estimation. IEEE Trans Image Process, 27(11):5316–5327. https://doi.org/10.1109/TIP.2018.2855421
Jing PG, Su YT, Nie LQ, et al., 2019. A framework of joint low-rank and sparse regression for image memorability prediction. IEEE Trans Circ Syst Video Technol, 29(5):1296–1309. https://doi.org/10.1109/TCSVT.2018.2832095
Moosavi-Dezfooli SM, Fawzi A, Frossard P, 2016. DeepFool: a simple and accurate method to fool deep neural networks. IEEE Conf on Computer Vision and Pattern Recognition, p.2574-2582. https://doi.org/10.1109/CVPR.2016.282
Mustafa A, Khan SH, Hayat M, et al., 2020. Image super-resolution as a defense against adversarial attacks. IEEE Trans Image Process, 29:1711–1724. https://doi.org/10.1109/TIP.2019.2940533
Papafitsoros K, Schönlieb CB, 2014. A combined first and second order variational approach for image reconstruction. J Math Imag Vis, 48(2):308–338. https://doi.org/10.1007/s10851-013-0445-4
Peng YG, Suo JL, Dai QH, et al., 2014. Reweighted low-rank matrix recovery and its application in image restoration. IEEE Trans Cybern, 44(12):2418–2430. https://doi.org/10.1109/TCYB.2014.2307854
Song Y, Kim T, Nowozin S, et al., 2018. PixelDefend: leveraging generative models to understand and defend against adversarial examples. https://arxiv.org/abs/1710.10766
Tabacof P, Valle E, 2016. Exploring the space of adversarial images. Int Joint Conf on Neural Networks, p.426-433. https://doi.org/10.1109/IJCNN.2016.7727230
Wang HY, Cen YG, He ZQ, et al., 2018. Reweighted low-rank matrix analysis with structural smoothness for image denoising. IEEE Trans Image Process, 27(4):1777–1792. https://doi.org/10.1109/TIP.2017.2781425
Wang Q, Wu ZJ, Jin J, et al., 2018. Low rank constraint and spatial spectral total variation for hyperspectral image mixed denoising. Signal Process, 142:11–26. https://doi.org/10.1016/j.sigpro.2017.06.012
Wang YL, Wu KL, Zhang CS, 2020. Adversarial attacks on deep unfolded networks for sparse coding. IEEE Int Conf on Acoustics, Speech and Signal Processing, p.5974-5978. https://doi.org/10.1109/ICASSP40776.2020.9054671
Wen JM, Li DF, Zhu FM, 2015. Stable recovery of sparse signals via lp-minimization. Appl Comput Harmon Anal, 38(1):161–176. https://doi.org/10.1016/j.acha.2014.06.003
Wu HC, Xiao L, Lian ZC, et al., 2019. Locally low-rank regularized video stabilization with motion diversity constraints. IEEE Trans Circ Syst Video Technol, 29(10):2873–2887. https://doi.org/10.1109/TCSVT.2018.2875671
Xie CH, Zhang ZS, Zhou YY, et al., 2019. Improving transferability of adversarial examples with input diversity. IEEE/CVF Conf on Computer Vision and Pattern Recognition, p.2725-2734. https://doi.org/10.1109/CVPR.2019.00284
Xie T, Li ST, Sun B, 2020. Hyperspectral images denoising via nonconvex regularized low-rank and sparse matrix decomposition. IEEE Trans Image Process, 29:44–56. https://doi.org/10.1109/TIP.2019.2926736
Xu J, Li YM, Jiang Y, et al., 2020. Adversarial defense via local flatness regularization. IEEE Int Conf on Image Processing, p.2196-2200. https://doi.org/10.1109/ICIP40778.2020.9191346
Xu WL, Evans D, Qi YJ, 2017. Feature squeezing: detecting adversarial examples in deep neural networks. https://arxiv.org/abs/1704.01155
Yang S, Luo B, Li CL, et al., 2018. Fast grayscale-thermal foreground detection with collaborative low-rank decomposition. IEEE Trans Circ Syst Video Technol, 28(10):2574–2585. https://doi.org/10.1109/TCSVT.2017.2721460
Yuan XY, He P, Zhu QL, et al., 2019. Adversarial examples: attacks and defenses for deep learning. IEEE Trans Neur Netw Learn Syst, 30(9):2805–2824. https://doi.org/10.1109/TNNLS.2018.2886017
Zhan SH, Wu JG, Han N, et al., 2020. Group low-rank representation-based discriminant linear regression. IEEE Trans Circ Syst Video Technol, 30(3):760–770. https://doi.org/10.1109/TCSVT.2019.2897072
Zhang YC, Li HR, Zheng Y, et al., 2021. Enhanced DNNs for malware classification with GAN-based adversarial training. J Comput Virol Hack Tech, 17(2):153–163. https://doi.org/10.1007/S11416-021-00378-Y
Zhao ZQ, Wang HY, Sun H, et al., 2021. Removing adversarial noise via low-rank completion of high-sensitivity points. IEEE Trans Image Process, 30:6485–6497. https://doi.org/10.1109/TIP.2021.3086596
Author information
Authors and Affiliations
Contributions
All the authors designed the research. Wen LI and Hengyou WANG proposed the main idea. Wen LI performed the experiments and drafted the paper. Lianzhi HUO, Qiang HE, and Linlin CHEN helped organize the paper. Hengyou WANG, Zhiquan HE, and Wing W. Y. Ng revised and finalized the paper.
Corresponding author
Ethics declarations
All the authors declare that they have no conflict of interest.
Additional information
Project supported by the National Natural Science Foundation of China (No. 62072024), the Outstanding Youth Program of Beijing University of Civil Engineering and Architecture, China (No. JDJQ20220805), and the Shenzhen Stability Support General Project (Type A), China (No. 20200826104014001)
Rights and permissions
About this article
Cite this article
Li, W., Wang, H., Huo, L. et al. Low-rank matrix recovery with total generalized variation for defending adversarial examples. Front Inform Technol Electron Eng 25, 432–445 (2024). https://doi.org/10.1631/FITEE.2300017
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1631/FITEE.2300017
Key words
- Total generalized variation
- Low-rank matrix
- Alternating direction method of multipliers
- Adversarial example