1. Introduction
Artificial neural networks offer a collection of benefits which have proved useful in image processing, especially in tasks including artificial-intelligence-based computer aided detection [
1]. The progress of the last decade allowed to push the results obtained by artificial neural networks to levels surpassing human performance, in select tasks [
2]. In computer vision, deep neural networks became the go-to solution for a wide variety of problems [
3], capable of producing an impressive result in a sensible time frame [
4]. Recently, artificial neural networks found success in person reidentification [
5,
6,
7].
In general, reidentification (reID) refers to the process of re-attaching publicly available data to an anonymised record in order to discover the identity of an individual. In the context of computer vision, the phrase refers to the ability of an image recognition system to spot an individual across different cameras, and different angles [
7]. ReID is a challenging task which stirred up a significant amount of research recently, particularly due to the significant benefits it could bring for public safety [
7]. The use in the context of intelligent surveillance systems forces the consideration of adversarial behaviour against the artificial intelligence (AI) technologies used for reID. In a real-world scenario, impressive detection metrics are not the only thing that matters [
8]. The current trend in reID involves the use of deep neural networks, which have been proven to be susceptible to a novel kind of attacks [
9,
10,
11,
12].
Deep neural networks, particularly convolutional neural networks (CNN), are widely used for the CV tasks [
13]; some of the best-performing ImageNet contest architectures were based on the premise of utilising convolutional layers. The network architectures tend to be very deep: Inception features over 6 million trainable parameters [
14,
15], ResNet18 (Residual neural network) over 11 million [
16], AlexNet over 60 million [
17], VGG16 (Visual Geometry Group) over 138 million [
18], etc. Therefore, training a top-tier deep neural network is a huge computational endeavour [
19]. In order not to repeat this effort for each task, transfer learning can be employed [
20]. Transfer learning leverages pre-trained networks, essentially using them as feature extractors with frozen weights, feeding samples to the network and only training the added dense layers at the output end of the topology. However, the use of openly-available, pre-trained networks poses a security problem in an adversarial setting, as it raises the capability of the attacker [
21,
22].
The idea of attacking deep neural networks has focused the attention of the deep learning community over the last few years [
23,
24,
25]. A range of adversarial attacks effective against AI were discovered, uncovering the vulnerabilities of data driven technologies [
25]. In this work, the attacks performed at test-time are considered, which are known as evasion attacks [
26,
27].
The goal of an Evasion attack is to force the AI-based system to misclassify a particular sample. This is achieved by adding a specifically crafted noise to the tested sample. This added noise, in case of images, is imperceptible to humans, but leverages the ’intriguing properties of neural networks’ to fool the AI algorithm [
28]. The issue of defending against those attacks is a fierce arms race and the satisfactory defence has not yet emerged [
29].
The algorithms and technologies presented in this paper were used to form a submission to the reidentification defences track of the H2020 SPARTA SAFAIR contest. The task was formulated around the CelebA face recognition dataset [
30,
31]. The dataset, as used in the task, featured 5304 classes, with 85,612 samples in the training subset and 28,523 samples in the testing set. The objective of the defensive track was to propose ways of preventing adversarial samples from lowering the accuracy of the face recognition model. The following sections describe the specific technologies used for defining the submission of the contest, the rationale behind those choices, the formulated defences, and provide the results of the experiments.
As such, the research and, thus, the paper is conducted and formulated to answer the following research question:
RQ1 Is it possible to use data preprocessing methods to robustify an ANN-based classifier against adversarial evasion attack in computer vision (CV)?
RQ2 Does using all the identified defensive preprocessing methods provide a better protection than using just a selection of those?
Thus, the innovative contribution of this paper comes in the formulation and evaluation of a plug-and-play preprocessing pipeline for robustification of already-existing or pre-trained CV classifiers, easily deployable in a real-world situation and saving on the cost of re-training the classifier
The paper is structured as follows: In
Section 2, the related works are introduced and the most important categories of defences are described.
Section 3 lists the setup of the used reidentification pipeline, showcases the effects of the adversarial attacks and introduces the specific defences, including the block-matching convolutional neural network (BMCNN) for image denoising, which, to the best of our knowledge, has never before been used to counter adversarial attacks.
Section 4 contains the experimental setups and the results obtained by specific pipelines.
Section 5 encompasses the conclusions along with the impact the defensive pipeline has over a clean dataset.
2. Related Works
The advent of adversarial perturbations revealed the vulnerabilities of contemporary AI-based technologies. There is a considerable body of research into both the attacks and the defences. However, as noted by [
32], the construction of a theoretical model of crafting adversarial perturbations is problematic, as it is a sophisticated optimisation procedure for most machine learning models. This absence of a theoretical baseline makes it troublesome to verify whether administering a certain defence can proof a system against a certain set of attacks. This situation finds its expression in the fact that whenever a new defence is proposed, a new attack capable of breaking through that defence appears [
33,
34,
35,
36,
37,
38].
Against this canvas, the authors of [
38] propose a set of guidelines for research into the defensive mechanisms against adversarial attacks, listing common pitfalls and a range of best practices. There is a substantial body of work gathering both the available attacks and possible defences geared towards machine and deep learning [
27,
29,
32,
39,
40,
41,
42] and even specifically deep learning in computer vision [
23,
43,
44].
A thorough analysis of the sources allows one to roughly divide the adversarial defences into these categories:
Gradient masking;
Input reconstruction;
Detectors.
According to [
29], the category of gradient masking encompasses defences which fit either intentionally or unintentionally. This category of defences relies on making the gradient unfit for the operation of the attack algorithms. Some defences do not aim at gradient masking specifically, but achieve it as a by-product of defensive procedures. One of the most popular approaches, adversarial training, frequently has a gradient masking effect, even though it is not the goal of the process.
Adversarial (re)training is considered as the brute-force approach [
32]. The procedure relies on crafting adversarial samples and including them in the training set. The problem with retraining the whole classifier is the computational cost of such course of conduct. This problem will be touched upon later in this paper.
The defences in the input reconstruction category perform various forms of input pre-processing. Although it might be possible to circumvent those methods in a scenario where the attacker has full knowledge of the system, in a real-world setting the defences from this category can be very effective, and computationally much cheaper in use than retraining. The detection approaches are effective as long as the adversary is not aware of the existence of the detector. For an attacker of sufficient capability it is possible to build an adversarial sample which, at the same time, circumvents the detector and fools the classifier, as proven by [
33].
4. Results
The low computational cost of the preprocessors in comparison with re-training the classifier allows to mix and match the defences. The experiments show that some pipelines are more effective than others. An example of a defensive pipeline which utilises all the researched defences is displayed in
Figure 6.
The pipeline makes intuitive sense, as blurring the image should remove some of the artefacts added by PGD, same for JPEG compression, then adding Gaussian noise and removing it with BMCNN denoising has the potential of removing both the Gaussian and the adversarial noise at the same time. The results of this particular pipeline are shown in
Table 6.
As showcased by the results of the experiment in
Table 6, the mix of defences improved the detection metrics as compared to the undefended model; however it did not perform as well as, for example, BMCNN denoising alone (
Table 5). For the next experiment, the total variance minimisation preprocessor was removed, as it has a similar filtering effect as localised spatial smoothing. The pipeline is shown in
Figure 7. The results of the experiment are contained in
Table 7.
To find the optimal mix of preprocessors that would minimise or eliminate the effect of adversarial perturbations without significantly deteriorating the classifier results, a range of experiments was performed. The results of some of those tests are contained in
Table 8 and
Table 9. To assess the results of the preprocessing defences, the best performing preprocessing pipeline was tested on a clean, unperturbed set. The results of this experiment can be found in
Table 10. The best performing pipeline is illustrated in
Figure 8.