{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,18]],"date-time":"2026-03-18T17:46:56Z","timestamp":1773856016614,"version":"3.50.1"},"reference-count":33,"publisher":"Springer Science and Business Media LLC","issue":"7","license":[{"start":{"date-parts":[[2020,11,21]],"date-time":"2020-11-21T00:00:00Z","timestamp":1605916800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2020,11,21]],"date-time":"2020-11-21T00:00:00Z","timestamp":1605916800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100003725","name":"National Research Foundation of Korea","doi-asserted-by":"publisher","award":["2016R1A4A1011761"],"award-info":[{"award-number":["2016R1A4A1011761"]}],"id":[{"id":"10.13039\/501100003725","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100010418","name":"Institute for Information and Communications Technology Promotion","doi-asserted-by":"publisher","award":["2016-0-00173"],"award-info":[{"award-number":["2016-0-00173"]}],"id":[{"id":"10.13039\/501100010418","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Multimed Tools Appl"],"published-print":{"date-parts":[[2021,3]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Deep neural networks (DNNs) provide superior performance on machine learning tasks such as image recognition, speech recognition, pattern analysis, and intrusion detection. However, an adversarial example, created by adding a little noise to an original sample, can cause misclassification by a DNN. This is a serious threat to the DNN because the added noise is not detected by the human eye. For example, if an attacker modifies a right-turn sign so that it misleads to the left, autonomous vehicles with the DNN will incorrectly classify the modified sign as pointing to the left, but a person will correctly classify the modified sign as pointing to the right. Studies are under way to defend against such adversarial examples. The existing method of defense against adversarial examples requires an additional process such as changing the classifier or modifying input data. In this paper, we propose a new method for detecting adversarial examples that does not invoke any additional process. The proposed scheme can detect adversarial examples by using a pattern feature of the classification scores of adversarial examples. We used MNIST and CIFAR10 as experimental datasets and Tensorflow as a machine learning library. The experimental results show that the proposed method can detect adversarial examples with success rates: 99.05% and 99.9% for the untargeted and targeted cases in MNIST, respectively, and 94.7% and 95.8% for the untargeted and targeted cases in CIFAR10, respectively.<\/jats:p>","DOI":"10.1007\/s11042-020-09167-z","type":"journal-article","created":{"date-parts":[[2020,11,21]],"date-time":"2020-11-21T15:02:47Z","timestamp":1605970967000},"page":"10339-10360","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":26,"title":["Classification score approach for detecting adversarial example in deep neural network"],"prefix":"10.1007","volume":"80","author":[{"given":"Hyun","family":"Kwon","sequence":"first","affiliation":[]},{"given":"Yongchul","family":"Kim","sequence":"additional","affiliation":[]},{"given":"Hyunsoo","family":"Yoon","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1438-0265","authenticated-orcid":false,"given":"Daeseon","family":"Choi","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2020,11,21]]},"reference":[{"key":"9167_CR1","unstructured":"Abadi M, Barham P, Chen J, Chen Z, Davis A, Dean J, Devin M, Ghemawat S, Irving G, Isard M et al (2016) Tensorflow: A system for large-scale machine learning in OSDI, vol 16"},{"key":"9167_CR2","doi-asserted-by":"crossref","unstructured":"Carlini N, Wagner D (2017) Towards evaluating the robustness of neural networks. In: Security and Privacy SP, 2017 IEEE Symposium on, pp. 39\u201357 IEEE","DOI":"10.1109\/SP.2017.49"},{"key":"9167_CR3","unstructured":"Carlini N, Wagner D (2017). arXiv:1705.07263"},{"key":"9167_CR4","doi-asserted-by":"crossref","unstructured":"Collobert R, Weston J (2008) A unified architecture for natural language processing: Deep neural networks with multitask learning. In: Proceedings of the 25th international conference on Machine learning pp. 160\u2013167 ACM","DOI":"10.1145\/1390156.1390177"},{"key":"9167_CR5","unstructured":"Deng J, Dong W, Socher R, Li L.-J., Li K, Fei-Fei L (2009) Imagenet: A large-scale hierarchical image database. In: Computer Vision and Pattern Recognition, 2009. CVPR 2009. IEEE Conference on, pp. 248\u2013255 IEEE"},{"key":"9167_CR6","first-page":"1","volume":"107","author":"A Fawzi","year":"2015","unstructured":"Fawzi A, Fawzi O, Frossard P (2015) Analysis of classifiers\u2019 robustness to aversarial perturbations. Mach Learn 107:1\u201328","journal-title":"Mach Learn"},{"key":"9167_CR7","unstructured":"Goodfellow I, Pouget-Abadie J, Mirza M, Xu B, Warde-Farley D, Ozair S, Courville A, Bengio Y (2014) Generative adversarial nets. In: Advances in neural information processing systems, pp 2672\u20132680"},{"key":"9167_CR8","unstructured":"Goodfellow I, Shlens J, Szegedy C (2015) Explaining and harnessing adversarial examples. In: International Conference on Learning Representations"},{"key":"9167_CR9","doi-asserted-by":"crossref","unstructured":"He K, Zhang X, Ren S, Sun J (2016) Deep residual learning for image recognition. In: Inproceedings of the IEEE conference on computer vision and pattern recognition, pp 770\u2013778","DOI":"10.1109\/CVPR.2016.90"},{"issue":"6","key":"9167_CR10","doi-asserted-by":"publisher","first-page":"82","DOI":"10.1109\/MSP.2012.2205597","volume":"29","author":"G Hinton","year":"2012","unstructured":"Hinton G, Deng L, Yu D, Dahl GE, Mohamed A-R, Jaitly N, Senior A, Vanhoucke V, Nguyen P, Sainath TN et al (2012) Deep neural networks for acoustic modeling in speech recognition: the shared views of four research groups. IEEE Signal Proc Mag 29(6):82\u201397","journal-title":"IEEE Signal Proc Mag"},{"issue":"11","key":"9167_CR11","doi-asserted-by":"publisher","first-page":"2059","DOI":"10.1109\/TMM.2015.2478068","volume":"17","author":"C Kereliuk","year":"2015","unstructured":"Kereliuk C, Sturm BL, Larsen J (2015) Deep learning and music adversaries. IEEE Transactions on Multimedia 17(11):2059\u20132071","journal-title":"IEEE Transactions on Multimedia"},{"key":"9167_CR12","unstructured":"Krizhevsky A, Nair V, Hinton G (2014) The cifar-10 dataset. online: http:\/\/www.cs.toronto.edu\/kriz\/cifar.html"},{"key":"9167_CR13","doi-asserted-by":"crossref","unstructured":"Kurakin A, Goodfellow I, Bengio S (2017) Adversarial examples in the physical world. ICLR Workshop","DOI":"10.1201\/9781351251389-8"},{"key":"9167_CR14","unstructured":"LeCun Y, Cortes C, Burges CJ (2010) Mnist handwritten digit database, AT&T Labs [Online]. Available: http:\/\/yannlecun.com\/exdb\/mnist, vol 2"},{"issue":"11","key":"9167_CR15","doi-asserted-by":"publisher","first-page":"2278","DOI":"10.1109\/5.726791","volume":"86","author":"Y LeCun","year":"1998","unstructured":"LeCun Y, Bottou L, Bengio Y, Haffner P (1998) Gradient-based learning applied to document recognition. Proc IEEE 86(11):2278\u20132324","journal-title":"Proc IEEE"},{"key":"9167_CR16","unstructured":"Liu Y, Chen X, Liu C, Song D (2017) Delving into transferable adversarial examples and black-box attacks"},{"key":"9167_CR17","doi-asserted-by":"crossref","unstructured":"Meng D, Chen H (2017) Magnet: a two-pronged defense against adversarial examples. In: proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 135\u2013147 ACM","DOI":"10.1145\/3133956.3134057"},{"key":"9167_CR18","unstructured":"Moosavi-Dezfooli S-M., Fawzi A, Frossard P (2016). In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp 2574\u20132582"},{"key":"9167_CR19","doi-asserted-by":"crossref","unstructured":"Narodytska N, Kasiviswanathan S (2017) Simple black-box adversarial attacks on deep neural networks. In: 2017 IEEE Conference on Computer Vision and Pattern Recognition Workshops CVPRW, pp. 1310\u20131318 IEEE","DOI":"10.1109\/CVPRW.2017.172"},{"key":"9167_CR20","doi-asserted-by":"crossref","unstructured":"Oliveira GL, Valada A, Bollen C, Burgard W, Brox T (2016) Deep learning for human part discovery in images. In: Robotics and Automation ICRA, 2016 IEEE International Conference on, pp. 1634\u20131641 IEEE","DOI":"10.1109\/ICRA.2016.7487304"},{"key":"9167_CR21","doi-asserted-by":"crossref","unstructured":"Papernot N, McDaniel P, Jha S, Fredrikson M, Celik ZB, Swami A (2016) The limitations of deep learning in adversarial settings. In: Security and Privacy (EuroS&P), 2016 IEEE European Symposium on, pp. 372\u2013387 IEEE","DOI":"10.1109\/EuroSP.2016.36"},{"key":"9167_CR22","doi-asserted-by":"crossref","unstructured":"Papernot N, McDaniel P, Wu X, Jha S, Swami A (2016) Distillation as a defense to adversarial perturbations against deep neural networks","DOI":"10.1109\/SP.2016.41"},{"key":"9167_CR23","doi-asserted-by":"crossref","unstructured":"Parkhi OM, Vedaldi A, Zisserman A, et al. (2015) Deep face recognition in bmvc, vol 1","DOI":"10.5244\/C.29.41"},{"key":"9167_CR24","doi-asserted-by":"crossref","unstructured":"Potluri S, Diedrich C (2016) Accelerated deep neural networks for enhanced intrusion detection system. In: Emerging Technologies and Factory Automation ETFA, 2016 IEEE 21st International Conference on, pp. 1\u20138 IEEE","DOI":"10.1109\/ETFA.2016.7733515"},{"key":"9167_CR25","unstructured":"Rozsa A, G\u00fcnther M., Rudd EM, Boult TE (2017) Facial attributes: Accuracy and adversarial robustness, Pattern Recognition Letters"},{"key":"9167_CR26","doi-asserted-by":"publisher","first-page":"85","DOI":"10.1016\/j.neunet.2014.09.003","volume":"61","author":"J Schmidhuber","year":"2015","unstructured":"Schmidhuber J (2015) Deep learning in neural networks: an overview. Neural networks 61:85\u2013117","journal-title":"Neural networks"},{"key":"9167_CR27","unstructured":"Shen S, Jin G, Gao K, Zhang Y (2017) Ape-gan: Adversarial perturbation elimination with gan ICLR Submission available on OpenReview"},{"key":"9167_CR28","unstructured":"Simonyan K, Zisserman A (2015) Very deep convolutional networks for large-scale image recognition. In: International Conference on Learning Representations"},{"key":"9167_CR29","unstructured":"Szegedy C, Zaremba W, Sutskever I, Bruna J, Erhan D, Goodfellow I, Fergus R (2014) Intriguing properties of neural networks. In: International Conference on Learning Representations"},{"key":"9167_CR30","unstructured":"Tram\u00e8r F., Kurakin A, Papernot N, Goodfellow I, Boneh D, McDaniel P (2018) Ensemble adversarial training: Attacks and defenses. In: International Conference on Learning Representations ICLR"},{"key":"9167_CR31","unstructured":"Tram\u00e8r F., Papernot N, Goodfellow I, Boneh D, McDaniel P (2017) The space of transferable adversarial examples. arXiv:1704.03453"},{"key":"9167_CR32","doi-asserted-by":"crossref","unstructured":"Xu W, Evans D, Qi Y (2018) Feature squeezing: Detecting adversarial examples in deep neural networks","DOI":"10.14722\/ndss.2018.23198"},{"issue":"3","key":"9167_CR33","doi-asserted-by":"publisher","first-page":"766","DOI":"10.1109\/TCYB.2015.2415032","volume":"46","author":"F Zhang","year":"2016","unstructured":"Zhang F, Chan PP, Biggio B, Yeung DS, Roli F (2016) Adversarial feature selection against evasion attacks. IEEE transactions on cybernetics 46(3):766\u2013777","journal-title":"IEEE transactions on cybernetics"}],"container-title":["Multimedia Tools and Applications"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s11042-020-09167-z.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/article\/10.1007\/s11042-020-09167-z\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s11042-020-09167-z.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2021,3,26]],"date-time":"2021-03-26T00:04:29Z","timestamp":1616717069000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/s11042-020-09167-z"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,11,21]]},"references-count":33,"journal-issue":{"issue":"7","published-print":{"date-parts":[[2021,3]]}},"alternative-id":["9167"],"URL":"https:\/\/doi.org\/10.1007\/s11042-020-09167-z","relation":{},"ISSN":["1380-7501","1573-7721"],"issn-type":[{"value":"1380-7501","type":"print"},{"value":"1573-7721","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020,11,21]]},"assertion":[{"value":"17 April 2019","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"8 January 2020","order":2,"name":"revised","label":"Revised","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"4 June 2020","order":3,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"21 November 2020","order":4,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}}]}}