{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,14]],"date-time":"2025-10-14T00:50:58Z","timestamp":1760403058966,"version":"build-2065373602"},"reference-count":49,"publisher":"Association for Computing Machinery (ACM)","issue":"4","funder":[{"name":"Beijing Municipal Science and Technology Project","award":["Z231100010323002"],"award-info":[{"award-number":["Z231100010323002"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Priv. Secur."],"published-print":{"date-parts":[[2025,11,30]]},"abstract":"<jats:p>Deep neural networks (DNNs) for image classification remain vulnerable to adversarial perturbations\u2013subtle input manipulations that induce catastrophic misclassifications. To address this issue, we propose the Adversarial Image Rectifier (AIR), a linguistically inspired detection and mitigation framework that enhances DNN robustness by intercepting and inverting adversarial perturbations at the feature level. Unlike existing defenses, AIR operates without prior knowledge of attack patterns: it first encodes hierarchical hidden-layer feature maps of a DNN into semantically structured sentence representations, then identifies adversarial inputs through \u201csentiment\u201d anomalies in these sentences\u2013a linguistic metaphor for subtle adversarial traces. Crucially, we pinpoint a pivotal intermediate layer where adversarial perturbations dominantly propagate and train a lightweight rectifier network to selectively nullify adversarial features at this layer while preserving benign semantics. Extensive experiments on Tiny-ImageNet, CIFAR-10, SVHN, and MS COCO demonstrate that AIR achieves a correction rate of up to 95.02% and 94.62% when defending against known attacks and unknown attacks, respectively, significantly surpassing existing defense techniques.<\/jats:p>","DOI":"10.1145\/3765757","type":"journal-article","created":{"date-parts":[[2025,9,3]],"date-time":"2025-09-03T11:05:44Z","timestamp":1756897544000},"page":"1-28","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["Rectifying Multi-Attack Adversarial Perturbations in Deep Neural Network based Image Classifier"],"prefix":"10.1145","volume":"28","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-0759-2208","authenticated-orcid":false,"given":"Yulong","family":"Wang","sequence":"first","affiliation":[{"name":"Beijing University of Posts and Telecommunications","place":["Beijing, China"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0000-6601-0584","authenticated-orcid":false,"given":"Jiaxuan","family":"Song","sequence":"additional","affiliation":[{"name":"School of Computer Science, Beijing University of Posts and Telecommunications","place":["Beijing, China"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0002-2106-521X","authenticated-orcid":false,"given":"Tianxiang","family":"Li","sequence":"additional","affiliation":[{"name":"School of Computer Science, Beijing University of Posts and Telecommunications","place":["Beijing, China"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0004-4462-8999","authenticated-orcid":false,"given":"Yuan","family":"Xin","sequence":"additional","affiliation":[{"name":"College of Big Data and Information Engineering, Guizhou University","place":["Guiyang, China"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0008-7316-5590","authenticated-orcid":false,"given":"Hong","family":"Li","sequence":"additional","affiliation":[{"name":"College of Big Data and Information Engineering, Guizhou University","place":["Guiyang, China"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0004-1589-6775","authenticated-orcid":false,"given":"Ni","family":"Wei","sequence":"additional","affiliation":[{"name":"School of Communication Science and Engineering, Fudan University","place":["Shanghai, China"]}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2025,10,13]]},"reference":[{"key":"e_1_3_1_2_2","unstructured":"Aiswarya Akumalla Seth Haney and Maksim Bazhenov. 2020. Contextual fusion for adversarial robustness. (2020). arXiv preprint arXiv:2011.09526"},{"key":"e_1_3_1_3_2","first-page":"294","volume-title":"Proc. IEEE Conf. Int. Symp. Technol. Soc., Tempe, AZ, USA, November 12-15, 2020","author":"Alrawashdeh Khaled","unstructured":"Khaled Alrawashdeh and Stephen Goldsmith. Defending deep learning based anomaly detection systems against white-box adversarial examples and backdoor attacks. In Proc. IEEE Conf. Int. Symp. Technol. Soc., Tempe, AZ, USA, November 12-15, 2020. 294\u2013301."},{"key":"e_1_3_1_4_2","first-page":"484","volume-title":"Proc. Eur. Conf. Comput. Vis., Glasgow, August 23-28, 2020","author":"Andriushchenko Maksym","unstructured":"Maksym Andriushchenko, Francesco Croce, Nicolas Flammarion, and Matthias Hein. Square attack: A query-efficient black-box adversarial attack via random search. In Proc. Eur. Conf. Comput. Vis., Glasgow, August 23-28, 2020, Vol. 12368. 484\u2013501."},{"key":"e_1_3_1_5_2","first-page":"274","volume-title":"Proc. Int. Conf. Mach. Learn., Stockholmsm\u00e4ssan, Stockholm Sweden, July 10-15, 2018","author":"Athalye Anish","unstructured":"Anish Athalye, Nicholas Carlini, and David Wagner. Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In Proc. Int. Conf. Mach. Learn., Stockholmsm\u00e4ssan, Stockholm Sweden, July 10-15, 2018. 274\u2013283."},{"key":"e_1_3_1_6_2","unstructured":"Anish Athalye Logan Engstrom Andrew Ilyas and Kevin Kwok. 2017. Synthesizing robust adversarial examples. arXiv preprint arXiv:11707.07397"},{"key":"e_1_3_1_7_2","first-page":"0287","volume-title":"Proc. IEEE Comput. Commun. Workshop Conf., Las Vegas, NV, USA, January 06-08, 2020","author":"Ayi Maneesh","unstructured":"Maneesh Ayi and Mohamed El-Sharkawy. RMNv2: Reduced mobilenet V2 for CIFAR10. In Proc. IEEE Comput. Commun. Workshop Conf., Las Vegas, NV, USA, January 06-08, 2020. 0287\u20130292."},{"key":"e_1_3_1_8_2","unstructured":"Nicholas Carlini and David A. Wagner. Towards evaluating the robustness of neural networks. CoRR vol. arXiv:2110.14735 2021."},{"key":"e_1_3_1_9_2","first-page":"2196","volume-title":"Proc. Int. Conf. Mach. Learn., Vienna, Austria, July 13-18, 2020","author":"Croce Francesco","unstructured":"Francesco Croce and Matthias Hein. Minimally distorted adversarial examples with a fast adaptive boundary attack. In Proc. Int. Conf. Mach. Learn., Vienna, Austria, July 13-18, 2020, Vol. 119. 2196\u20132205."},{"key":"e_1_3_1_10_2","first-page":"2206","volume-title":"Proc. Int. Conf. Mach. Learn., Vienna, Austria, July 13-18, 2020","author":"Croce Francesco","unstructured":"Francesco Croce and Matthias Hein. Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks. In Proc. Int. Conf. Mach. Learn., Vienna, Austria, July 13-18, 2020, Vol. 119. 2206\u20132216."},{"key":"e_1_3_1_11_2","first-page":"9185","volume-title":"Proc. IEEE Conf. Comput. Vis. Pattern Recognit., Salt Lake City, UT, USA, June 18-22, 2018","author":"Dong Yinpeng","unstructured":"Yinpeng Dong, Fangzhou Liao, Tianyu Pang, Hang Su, Jun Zhu, Xiaolin Hu, and Jianguo Li. Boosting adversarial attacks with momentum. In Proc. IEEE Conf. Comput. Vis. Pattern Recognit., Salt Lake City, UT, USA, June 18-22, 2018. 9185\u20139193."},{"key":"e_1_3_1_12_2","unstructured":"Alexey Dosovitskiy Lucas Beyer Alexander Kolesnikov Dirk Weissenborn Xiaohua Zhai Thomas Unterthiner Mostafa Dehghani Matthias Minderer Georg Heigold Sylvain Gelly Jakob Uszkoreit and Neil Houlsby. 2021. An image is worth \\(16\\times 16\\) words: Transformers for image recognition at scale. In Proc. Int. Conf. Learn. Represent. Virtual Only Conference."},{"key":"e_1_3_1_13_2","first-page":"3996","volume-title":"Proc. AAAI Conf. Artif. Intell., New York, New York, USA, February 7-12, 2020","author":"Goldblum Micah","unstructured":"Micah Goldblum, Liam Fowl, Soheil Feizi, and Tom Goldstein. Adversarially robust distillation. In Proc. AAAI Conf. Artif. Intell., New York, New York, USA, February 7-12, 2020, Vol. 34. 3996\u20134003."},{"volume-title":"Proc. Int. Conf. Learn. Represent., San Diego, CA, USA, May 7-9, 2015","author":"Goodfellow Ian J.","key":"e_1_3_1_14_2","unstructured":"Ian J. Goodfellow, Jonathon Shlens, and Christian Szegedy. Explaining and harnessing adversarial examples. In Proc. Int. Conf. Learn. Represent., San Diego, CA, USA, May 7-9, 2015."},{"key":"e_1_3_1_15_2","first-page":"23818","volume-title":"Proc. Adv. Neural Inf. Process. Syst., New Orleans, LA, USA, December 23, 2022","author":"Ho Chih-Hui","unstructured":"Chih-Hui Ho and Nuno Vasconcelos. DISCO: Adversarial defense with local implicit functions. In Proc. Adv. Neural Inf. Process. Syst., New Orleans, LA, USA, December 23, 2022. 23818\u201323837."},{"key":"e_1_3_1_16_2","first-page":"7066","volume-title":"Proc. IEEE Conf. Comput. Vis. Pattern Recognit., Long Beach, CA, USA, June 16-20, 2019","author":"Inkawhich Nathan","unstructured":"Nathan Inkawhich, Wei Wen, Hai Helen Li, and Yiran Chen. Feature space perturbations yield more transferable adversarial examples. In Proc. IEEE Conf. Comput. Vis. Pattern Recognit., Long Beach, CA, USA, June 16-20, 2019. 7066\u20137074."},{"key":"e_1_3_1_17_2","first-page":"6084","volume-title":"Proc. IEEE Conf. Comput. Vis. Pattern Recognit., Long Beach, CA, USA, June 16-20, 2019","author":"Jia Xiaojun","unstructured":"Xiaojun Jia, Xingxing Wei, Xiaochun Cao, and Hassan Foroosh. ComDefend: An efficient image compression model to defend adversarial examples. In Proc. IEEE Conf. Comput. Vis. Pattern Recognit., Long Beach, CA, USA, June 16-20, 2019. 6084\u20136092."},{"key":"e_1_3_1_18_2","first-page":"3842","volume-title":"Proc. IEEE Trans. Acoust., Speech, Signal Process., Brighton, United Kingdom, May 12-17, 2019","author":"Jin Guoqing","unstructured":"Guoqing Jin, Shiwei Shen, Dongming Zhang, Feng Dai, and Yongdong Zhang. APE-GAN: Adversarial perturbation elimination with GAN. In Proc. IEEE Trans. Acoust., Speech, Signal Process., Brighton, United Kingdom, May 12-17, 2019. 3842\u20133846."},{"key":"e_1_3_1_19_2","unstructured":"Hoki Kim. Torchattacks : A pytorch repository for adversarial attacks. (n.d.). CoRR vol. arXiv:2010.01950 2020."},{"key":"e_1_3_1_20_2","unstructured":"Kimin Lee Kibok Lee Honglak Lee and Jinwoo Shin. 2018. A simple unified framework for detecting out-of-distribution samples and adversarial attacks. arXiv preprint arXiv:1807.03888"},{"key":"e_1_3_1_21_2","unstructured":"Jincheng Li Jiezhang Cao Yifan Zhang Jian Chen and Mingkui Tan. Learning defense transformers for counterattacking adversarial examples. (n.d.). CoRR vol. arXiv:2103.07595 2021."},{"key":"e_1_3_1_22_2","first-page":"3459","volume-title":"Proc. AAAI Conf. Artif. Intell., Vancouver, Canada, February 20-27, 2024","author":"Lin Qinliang","unstructured":"Qinliang Lin, Cheng Luo, Zenghao Niu, Xilin He, Weicheng Xie, Yuanbo Hou, Linlin Shen, and Siyang Song. Boosting adversarial transferability across model genus by deformation-constrained warping. In Proc. AAAI Conf. Artif. Intell., Vancouver, Canada, February 20-27, 2024. 3459\u20133467."},{"key":"e_1_3_1_23_2","first-page":"4607","volume-title":"Proc. IEEE Int. Conf. Comput. Vis., Paris, France, October 1-6, 2023","author":"Ma Wenshuo","unstructured":"Wenshuo Ma, Yidong Li, Xiaofeng Jia, and Wei Xu. Transferable adversarial attack for both vision transformers and convolutional networks via momentum integrated gradients. In Proc. IEEE Int. Conf. Comput. Vis., Paris, France, October 1-6, 2023. 4607\u20134616."},{"volume-title":"Proc. Int. Conf. Learn. Represent., Vancouver, BC, Canada, April 30 - May 3, 2018","author":"Madry Aleksander","key":"e_1_3_1_24_2","unstructured":"Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. Towards deep learning models resistant to adversarial attacks. In Proc. Int. Conf. Learn. Represent., Vancouver, BC, Canada, April 30 - May 3, 2018."},{"key":"e_1_3_1_25_2","first-page":"135","volume-title":"Proc. Conf. Comput. Commun. Sec., Dallas, TX, USA, October 30 - November 03, 2017","author":"Meng Dongyu","unstructured":"Dongyu Meng and Hao Chen. MagNet: A two-pronged defense against adversarial examples. In Proc. Conf. Comput. Commun. Sec., Dallas, TX, USA, October 30 - November 03, 2017. 135\u2013147."},{"key":"e_1_3_1_26_2","doi-asserted-by":"publisher","DOI":"10.1109\/JPROC.2020.2970615"},{"key":"e_1_3_1_27_2","first-page":"2574","volume-title":"Proc. IEEE Conf. Comput. Vis. Pattern Recognit., Las Vegas, NV, USA, June 27-30, 2016","author":"Moosavi-Dezfooli Seyed-Mohsen","unstructured":"Seyed-Mohsen Moosavi-Dezfooli, Alhussein Fawzi, and Pascal Frossard. DeepFool: A simple and accurate method to fool deep neural networks. In Proc. IEEE Conf. Comput. Vis. Pattern Recognit., Las Vegas, NV, USA, June 27-30, 2016. 2574\u20132582."},{"key":"e_1_3_1_28_2","first-page":"16805","volume-title":"Proc. Int. Conf. Mach. Learn., Baltimore, Maryland, USA, July 17-23, 2022","author":"Nie Weili","unstructured":"Weili Nie, Brandon Guo, Yujia Huang, Chaowei Xiao, Arash Vahdat, and Animashree Anandkumar. Diffusion models for adversarial purification. In Proc. Int. Conf. Mach. Learn., Baltimore, Maryland, USA, July 17-23, 2022, Vol. 162. 16805\u201316827."},{"key":"e_1_3_1_29_2","unstructured":"Sen Pei Jiaxi Sun Xiaopeng Zhang and Gaofeng Meng. Gradient concealment: Free lunch for defending adversarial attacks. (n.d.). CoRR vol. arXiv:2205.10617 2022."},{"key":"e_1_3_1_30_2","doi-asserted-by":"crossref","unstructured":"Jary Pomponi Simone Scardapane and Aurelio Uncini. Pixle: A fast and effective black-box attack based on rearranging pixels. (n.d.). CoRR vol. arXiv:2202.02236 2022.","DOI":"10.1109\/IJCNN55064.2022.9892966"},{"key":"e_1_3_1_31_2","unstructured":"Aditi Raghunathan Jacob Steinhardt and Percy Liang. 2018. Certified defenses against adversarial examples. (2018). arXiv preprint arXiv:1801.09344"},{"volume-title":"Proc. Int. Conf. Learn. Represent., Vancouver, BC, Canada, April 30 - May 3, 2018","author":"Samangouei Pouya","key":"e_1_3_1_32_2","unstructured":"Pouya Samangouei, Maya Kabkab, and Rama Chellappa. Defense-GAN: Protecting classifiers against adversarial attacks using generative models. In Proc. Int. Conf. Learn. Represent., Vancouver, BC, Canada, April 30 - May 3, 2018. Retrieved from https:\/\/openreview.net\/forum?id=BkJ3ibb0-"},{"key":"e_1_3_1_33_2","doi-asserted-by":"publisher","DOI":"10.1109\/TNNLS.2019.2929198"},{"key":"e_1_3_1_34_2","doi-asserted-by":"publisher","DOI":"10.1109\/TEVC.2019.2890858"},{"volume-title":"Proc. Int. Conf. Learn. Represent., Vancouver, BC, Canada, April 30 - May 3, 2018","author":"Tram\u00e8r Florian","key":"e_1_3_1_35_2","unstructured":"Florian Tram\u00e8r, Alexey Kurakin, Nicolas Papernot, Ian J. Goodfellow, Dan Boneh, and Patrick D. McDaniel. Ensemble adversarial training: Attacks and defenses. In Proc. Int. Conf. Learn. Represent., Vancouver, BC, Canada, April 30 - May 3, 2018."},{"key":"e_1_3_1_36_2","unstructured":"Florian Tram\u00e8r Nicolas Papernot Ian Goodfellow Dan Boneh and Patrick McDaniel. 2017. The space of transferable adversarial examples. (2017). arXiv preprint arXiv:1704.03453"},{"key":"e_1_3_1_37_2","doi-asserted-by":"publisher","DOI":"10.1109\/TVCG.2021.3114817"},{"key":"e_1_3_1_38_2","doi-asserted-by":"crossref","unstructured":"Shen Wang and Yuxin Gong. 2022. Adversarial example detection based on saliency map features. Appl. Intell. 52 6 (2022) 1\u201314.","DOI":"10.1007\/s10489-021-02759-8"},{"key":"e_1_3_1_39_2","doi-asserted-by":"publisher","DOI":"10.1109\/TNNLS.2023.3274538"},{"key":"e_1_3_1_40_2","doi-asserted-by":"crossref","unstructured":"Yuchen Wang Xiaoguang Li Li Yang Jianfeng Ma and Hui Li. 2023. ADDITION: Detecting adversarial examples with image-dependent noise reduction. IEEE Trans. Dependable Secure Comput. 21 (2023) 1139\u20131154.","DOI":"10.1109\/TDSC.2023.3269012"},{"key":"e_1_3_1_41_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2022.3202687"},{"key":"e_1_3_1_42_2","unstructured":"Chang Xiao Peilin Zhong and Changxi Zheng. 2019. Enhancing adversarial defense by k-winners-take-all. (2019). arXiv preprint arXiv:1905.10510"},{"key":"e_1_3_1_43_2","first-page":"501","volume-title":"Proc. IEEE Conf. Comput. Vis. Pattern Recognit., Long Beach, CA, USA, June 16-20, 2019","author":"Xie Cihang","unstructured":"Cihang Xie, Yuxin Wu, Laurens van der Maaten, Alan L. Yuille, and Kaiming He. Feature denoising for improving adversarial robustness. In Proc. IEEE Conf. Comput. Vis. Pattern Recognit., Long Beach, CA, USA, June 16-20, 2019. 501\u2013509."},{"key":"e_1_3_1_44_2","first-page":"2730","volume-title":"Proc. IEEE Conf. Comput. Vis. Pattern Recognit., Long Beach, CA, USA, June 16-20, 2019","author":"Xie Cihang","unstructured":"Cihang Xie, Zhishuai Zhang, Yuyin Zhou, Song Bai, Jianyu Wang, Zhou Ren, and Alan L. Yuille. Improving transferability of adversarial examples with input diversity. In Proc. IEEE Conf. Comput. Vis. Pattern Recognit., Long Beach, CA, USA, June 16-20, 2019. 2730\u20132739."},{"key":"e_1_3_1_45_2","unstructured":"Qiuling Xu Guanhong Tao Siyuan Cheng and Xiangyu Zhang. 2020. Towards feature space adversarial attack. (2020). arXiv preprint arXiv:2004.12385"},{"key":"e_1_3_1_46_2","unstructured":"Weilin Xu David Evans and Yanjun Qi. 2017. Feature squeezing: Detecting adversarial examples in deep neural networks. (2017). arXiv preprint arXiv:1704.01155"},{"key":"e_1_3_1_47_2","unstructured":"Yuzhe Yang Guo Zhang Dina Katabi and Zhi Xu. 2019. Me-net: Towards effective adversarial robustness with matrix estimation. (2019). arXiv preprint arXiv:1905.11971"},{"key":"e_1_3_1_48_2","unstructured":"Xuwang Yin Soheil Kolouri and Gustavo K. Rohde. 2019. Gat: Generative adversarial training for adversarial example detection and robust classification. (2019). arXiv preprint arXiv:1905.11475"},{"key":"e_1_3_1_49_2","unstructured":"Zheng Yuan Jie Zhang Zhaoyan Jiang Liangliang Li and Shiguang Shan. 2021. Adaptive perturbation for adversarial attack. (2021). arXiv preprint arXiv:2111.13841"},{"key":"e_1_3_1_50_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2020.3036801"}],"container-title":["ACM Transactions on Privacy and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3765757","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,13]],"date-time":"2025-10-13T14:33:05Z","timestamp":1760365985000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3765757"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,10,13]]},"references-count":49,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2025,11,30]]}},"alternative-id":["10.1145\/3765757"],"URL":"https:\/\/doi.org\/10.1145\/3765757","relation":{},"ISSN":["2471-2566","2471-2574"],"issn-type":[{"type":"print","value":"2471-2566"},{"type":"electronic","value":"2471-2574"}],"subject":[],"published":{"date-parts":[[2025,10,13]]},"assertion":[{"value":"2025-02-15","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-08-19","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-10-13","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}