{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,29]],"date-time":"2026-05-29T23:02:11Z","timestamp":1780095731023,"version":"3.54.0"},"reference-count":51,"publisher":"Association for Computing Machinery (ACM)","issue":"1s","license":[{"start":{"date-parts":[[2023,1,23]],"date-time":"2023-01-23T00:00:00Z","timestamp":1674432000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"European Commission under European Horizon 2020 Programme","award":["951911 - AI4Media"],"award-info":[{"award-number":["951911 - AI4Media"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Multimedia Comput. Commun. Appl."],"published-print":{"date-parts":[[2023,2,28]]},"abstract":"<jats:p>Modern image classification approaches often rely on deep neural networks, which have shown pronounced weakness to adversarial examples: images corrupted with specifically designed yet imperceptible noise that causes the network to misclassify. In this article, we propose a conceptually simple yet robust solution to tackle adversarial attacks on image classification. Our defense works by first applying a JPEG compression with a random quality factor; compression artifacts are subsequently removed by means of a generative model Artifact Restoration GAN. The process can be iterated ensuring the image is not degraded and hence the classification not compromised. We train different AR-GANs for different compression factors, so that we can change its parameters dynamically at each iteration depending on the current compression, making the gradient approximation difficult. We experiment with our defense against three white-box and two black-box attacks, with a particular focus on the state-of-the-art BPDA attack. 
Our method does not require any adversarial training, and is independent of both the classifier and the attack. Experiments demonstrate that dynamically changing the AR-GAN parameters is of fundamental importance to obtain significant robustness.<\/jats:p>","DOI":"10.1145\/3524619","type":"journal-article","created":{"date-parts":[[2022,3,17]],"date-time":"2022-03-17T13:36:53Z","timestamp":1647524213000},"page":"1-16","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":14,"title":["(Compress and Restore)<sup>N<\/sup>: A Robust Defense Against Adversarial Attacks on Image Classification"],"prefix":"10.1145","volume":"19","author":[{"given":"Claudio","family":"Ferrari","sequence":"first","affiliation":[{"name":"Department of Architecture and Engineering, University of Parma\/Department of Information Engineering, University of Florence, Parma, Italy"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Federico","family":"Becattini","sequence":"additional","affiliation":[{"name":"Department of Information Engineering, University of Florence, Firenze, Italy"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Leonardo","family":"Galteri","sequence":"additional","affiliation":[{"name":"Department of Information Engineering, University of Florence, Firenze, Italy"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Alberto Del","family":"Bimbo","sequence":"additional","affiliation":[{"name":"Department of Information Engineering, University of Florence, Firenze, 
Italy"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2023,1,23]]},"reference":[{"key":"e_1_3_2_2_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPRW.2017.150"},{"key":"e_1_3_2_3_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2018.2807385"},{"key":"e_1_3_2_4_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58592-1_29"},{"key":"e_1_3_2_5_2","unstructured":"Anish Athalye Nicholas Carlini and David Wagner. 2018. Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In International Conference on Machine Learning . PMLR."},{"key":"e_1_3_2_6_2","first-page":"284","volume-title":"Proceedings of the International Conference on Machine Learning","author":"Athalye Anish","year":"2018","unstructured":"Anish Athalye, Logan Engstrom, Andrew Ilyas, and Kevin Kwok. 2018. Synthesizing robust adversarial examples. In Proceedings of the International Conference on Machine Learning. PMLR, 284\u2013293."},{"key":"e_1_3_2_7_2","unstructured":"Wieland Brendel Jonas Rauber and Matthias Bethge. 2017. Decision-based adversarial attacks: Reliable attacks against black-box machine learning models. In International Conference on Learning Representations ."},{"key":"e_1_3_2_8_2","unstructured":"Nicholas Carlini Anish Athalye Nicolas Papernot Wieland Brendel Jonas Rauber Dimitris Tsipras Ian Goodfellow Aleksander Madry and Alexey Kurakin. 2019. On evaluating adversarial robustness.  arXiv:1902.06705. Retrieved from https:\/\/arxiv.org\/abs\/1902.06705."},{"key":"e_1_3_2_9_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.49"},{"key":"e_1_3_2_10_2","doi-asserted-by":"publisher","DOI":"10.1109\/IJCNN.2017.7965927"},{"key":"e_1_3_2_11_2","unstructured":"Minhao Cheng Thong Le Pin-Yu Chen Jinfeng Yi Huan Zhang and Cho-Jui Hsieh. 2018. Query-efficient hard-label black-box attack: An optimization-based approach. 
In International Conference on Learning Representation (ICLR) ."},{"key":"e_1_3_2_12_2","unstructured":"Nilaksh Das Madhuri Shanbhogue Shang-Tse Chen Fred Hohman Li Chen Michael E. Kounavis and Duen Horng Chau. 2017. Keeping the bad guys out: Protecting and vaccinating deep learning with jpeg compression. arXiv:1705.02900. Retrieved from https:\/\/arxiv.org\/abs\/1705.02900."},{"key":"e_1_3_2_13_2","doi-asserted-by":"publisher","DOI":"10.1145\/3219819.3219910"},{"key":"e_1_3_2_14_2","unstructured":"Guneet S. Dhillon Kamyar Azizzadenesheli Zachary C. Lipton Jeremy Bernstein Jean Kossaifi Aran Khanna and Anima Anandkumar. 2018. Stochastic activation pruning for robust adversarial defense. In International Conference on Learning Representations ."},{"key":"e_1_3_2_15_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2015.73"},{"key":"e_1_3_2_16_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00040"},{"key":"e_1_3_2_17_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00957"},{"key":"e_1_3_2_18_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00444"},{"key":"e_1_3_2_19_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00790"},{"key":"e_1_3_2_20_2","unstructured":"Gintare Karolina Dziugaite Zoubin Ghahramani and Daniel M. Roy. 2016. A study of the effect of jpg compression on adversarial images.  arXiv:1608.00853. Retrieved from https:\/\/arxiv.org\/abs\/1608.00853."},{"key":"e_1_3_2_21_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2017.517"},{"key":"e_1_3_2_22_2","doi-asserted-by":"publisher","DOI":"10.1109\/TMM.2019.2895280"},{"key":"e_1_3_2_23_2","unstructured":"Ian J. Goodfellow Jonathon Shlens and Christian Szegedy. 2014. Explaining and harnessing adversarial examples.  arXiv:1412.6572. Retrieved from https:\/\/arxiv.org\/abs\/1412.6572."},{"key":"e_1_3_2_24_2","unstructured":"Chuan Guo Mayank Rana Moustapha Cisse and Laurens Van Der Maaten. 2017. Countering Adversarial Images Using Input Transformations. 
In International Conference on Learning Representations ."},{"key":"e_1_3_2_25_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.90"},{"key":"e_1_3_2_26_2","unstructured":"Andrew G. Howard Menglong Zhu Bo Chen Dmitry Kalenichenko Weijun Wang Tobias Weyand Marco Andreetto and Hartwig Adam. 2017. Mobilenets: Efficient convolutional neural networks for mobile vision applications.  arXiv:1704.04861. Retrieved from https:\/\/arxiv.org\/abs\/1704.04861."},{"key":"e_1_3_2_27_2","unstructured":"Forrest Iandola Matt Moskewicz Sergey Karayev Ross Girshick Trevor Darrell and Kurt Keutzer. 2014. Densenet: Implementing efficient convnet descriptor pyramids.  arXiv:1404.1869. Retrieved from https:\/\/arxiv.org\/abs\/1404.1869."},{"key":"e_1_3_2_28_2","unstructured":"Andrew Ilyas Logan Engstrom Anish Athalye and Jessy Lin. 2018. Black-box adversarial attacks with limited queries and information. In International Conference on Machine Learning . PMLR 2137\u20132146."},{"key":"e_1_3_2_29_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00624"},{"key":"e_1_3_2_30_2","unstructured":"Diederik P. Kingma and Jimmy Ba. 2014. Adam: A method for stochastic optimization. In ICLR (Poster)."},{"key":"e_1_3_2_31_2","unstructured":"Alexey Kurakin Ian Goodfellow and Samy Bengio. 2016. Adversarial examples in the physical world.  arXiv:1607.02533. Retrieved from https:\/\/arxiv.org\/abs\/1607.02533."},{"key":"e_1_3_2_32_2","unstructured":"Yaxin Li Wei Jin Han Xu and Jiliang Tang. 2020. DeepRobust: A PyTorch library for adversarial attacks and defenses.  arXiv:2005.06149. Retrieved from https:\/\/arxiv.org\/abs\/2005.06149."},{"key":"e_1_3_2_33_2","first-page":"3866","volume-title":"Proceedings of the International Conference on Machine Learning","author":"Li Yandong","year":"2019","unstructured":"Yandong Li, Lijun Li, Liqiang Wang, Tong Zhang, and Boqing Gong. 2019. 
Nattack: Learning the distributions of adversarial examples for an improved black-box attack on deep neural networks. In Proceedings of the International Conference on Machine Learning. PMLR, 3866\u20133876."},{"key":"e_1_3_2_34_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00191"},{"key":"e_1_3_2_35_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-01234-2_23"},{"key":"e_1_3_2_36_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00095"},{"key":"e_1_3_2_37_2","unstructured":"Aleksander Madry Aleksandar Makelov Ludwig Schmidt Dimitris Tsipras and Adrian Vladu. 2018. Towards deep learning models resistant to adversarial attacks. In International Conference on Learning Representations ."},{"key":"e_1_3_2_38_2","volume-title":"Proceedings of the International Conference on Learning Representations","author":"Madry Aleksander","year":"2018","unstructured":"Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. 2018. Towards deep learning models resistant to adversarial attacks. In Proceedings of the International Conference on Learning Representations."},{"key":"e_1_3_2_39_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.282"},{"key":"e_1_3_2_40_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIP.2019.2940533"},{"key":"e_1_3_2_41_2","unstructured":"Tianyu Pang Kun Xu Chao Du Ning Chen and Jun Zhu. 2019. Improving adversarial robustness via promoting ensemble diversity. In International Conference on Machine Learning . PMLR 4970\u20134979."},{"key":"e_1_3_2_42_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00894"},{"key":"e_1_3_2_43_2","doi-asserted-by":"publisher","DOI":"10.1007\/s11263-015-0816-y"},{"key":"e_1_3_2_44_2","unstructured":"Pouya Samangouei Maya Kabkab and Rama Chellappa. 2018. Defense-gan: Protecting classifiers against adversarial attacks using generative models. 
In International Conference on Learning Representations ."},{"key":"e_1_3_2_45_2","unstructured":"Pavel Svoboda Michal Hradis David Barina and Pavel Zemcik. 2016. Compression artifacts removal using convolutional neural networks.  arXiv:1605.00366. Retrieved from https:\/\/arxiv.org\/abs\/1605.00366."},{"key":"e_1_3_2_46_2","unstructured":"Christian Szegedy Wojciech Zaremba Ilya Sutskever Joan Bruna Dumitru Erhan Ian Goodfellow and Rob Fergus. 2013. Intriguing properties of neural networks.  arXiv:1312.6199. Retrieved from https:\/\/arxiv.org\/abs\/1312.6199."},{"key":"e_1_3_2_47_2","unstructured":"Florian Tram\u00e8r Alexey Kurakin Nicolas Papernot Ian Goodfellow Dan Boneh and Patrick McDaniel. 2018. Ensemble adversarial training: Attacks and defenses. In International Conference on Learning Representations ."},{"key":"e_1_3_2_48_2","unstructured":"Jonathan Uesato Brendan O\u2019Donoghue Aaron van den Oord and Pushmeet Kohli. 2018. Adversarial risk and the dangers of evaluating against weak attacks. In International Conference on Machine Learning . PMLR 5025\u20135034."},{"key":"e_1_3_2_49_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00049"},{"key":"e_1_3_2_50_2","unstructured":"Cihang Xie Jianyu Wang Zhishuai Zhang Zhou Ren and Alan Yuille. 2018. Mitigating adversarial effects through randomization. In International Conference on Learning Representations ."},{"key":"e_1_3_2_51_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00284"},{"key":"e_1_3_2_52_2","unstructured":"Weilin Xu David Evans and Yanjun Qi. 2017. Feature squeezing: Detecting adversarial examples in deep neural networks.  arXiv:1704.01155. 
Retrieved from https:\/\/arxiv.org\/abs\/1704.01155."}],"container-title":["ACM Transactions on Multimedia Computing, Communications, and Applications"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3524619","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3524619","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T18:09:54Z","timestamp":1750183794000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3524619"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,1,23]]},"references-count":51,"journal-issue":{"issue":"1s","published-print":{"date-parts":[[2023,2,28]]}},"alternative-id":["10.1145\/3524619"],"URL":"https:\/\/doi.org\/10.1145\/3524619","relation":{},"ISSN":["1551-6857","1551-6865"],"issn-type":[{"value":"1551-6857","type":"print"},{"value":"1551-6865","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,1,23]]},"assertion":[{"value":"2021-09-14","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2022-04-05","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-01-23","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}