{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,2]],"date-time":"2025-11-02T10:39:57Z","timestamp":1762079997066,"version":"build-2065373602"},"reference-count":37,"publisher":"MDPI AG","issue":"12","license":[{"start":{"date-parts":[[2022,12,6]],"date-time":"2022-12-06T00:00:00Z","timestamp":1670284800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62077028","2019KTSCX010","2021A1515011873","202102080307","kx202007"],"award-info":[{"award-number":["62077028","2019KTSCX010","2021A1515011873","202102080307","kx202007"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100003453","name":"Guangdong Natural Science Foundation","doi-asserted-by":"publisher","award":["62077028","2019KTSCX010","2021A1515011873","202102080307","kx202007"],"award-info":[{"award-number":["62077028","2019KTSCX010","2021A1515011873","202102080307","kx202007"]}],"id":[{"id":"10.13039\/501100003453","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Guangdong Basic and Applied Basic Research Foundation","award":["62077028","2019KTSCX010","2021A1515011873","202102080307","kx202007"],"award-info":[{"award-number":["62077028","2019KTSCX010","2021A1515011873","202102080307","kx202007"]}]},{"name":"Science and Technology Planning Project of Guangzhou","award":["62077028","2019KTSCX010","2021A1515011873","202102080307","kx202007"],"award-info":[{"award-number":["62077028","2019KTSCX010","2021A1515011873","202102080307","kx202007"]}]},{"name":"Project of Guangxi Key Laboratory of Trusted Software","award":["62077028","2019KTSCX010","2021A1515011873","202102080307","kx202007"],"award-info":[{"award-number":["62077028","2019KTSCX010","2021A1515011873","202102080307","kx202007"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Algorithms"],"abstract":"<jats:p>Adversarial attacks hamper the functionality and accuracy of deep neural networks (DNNs) by meddling with subtle perturbations to their inputs. In this work, we propose a new mask-based adversarial defense scheme (MAD) for DNNs to mitigate the negative effect from adversarial attacks. Our method preprocesses multiple copies of a potential adversarial image by applying random masking, before the outputs of the DNN on all the randomly masked images are combined. As a result, the combined final output becomes more tolerant to minor perturbations on the original input. Compared with existing adversarial defense techniques, our method does not need any additional denoising structure or any change to a DNN\u2019s architectural design. We have tested this approach on a collection of DNN models for a variety of datasets, and the experimental results confirm that the proposed method can effectively improve the defense abilities of the DNNs against all of the tested adversarial attack methods. In certain scenarios, the DNN models trained with MAD can improve classification accuracy by as much as 90% compared to the original models when given adversarial inputs.<\/jats:p>","DOI":"10.3390\/a15120461","type":"journal-article","created":{"date-parts":[[2022,12,6]],"date-time":"2022-12-06T01:43:48Z","timestamp":1670291028000},"page":"461","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":3,"title":["A Mask-Based Adversarial Defense Scheme"],"prefix":"10.3390","volume":"15","author":[{"given":"Weizhen","family":"Xu","sequence":"first","affiliation":[{"name":"College of Information Science and Technology, Jinan University, Guangzhou 510632, China"}]},{"given":"Chenyi","family":"Zhang","sequence":"additional","affiliation":[{"name":"College of Information Science and Technology, Jinan University, Guangzhou 510632, China"}]},{"given":"Fangzhen","family":"Zhao","sequence":"additional","affiliation":[{"name":"College of Information Science and Technology, Jinan University, Guangzhou 510632, China"}]},{"given":"Liangda","family":"Fang","sequence":"additional","affiliation":[{"name":"College of Information Science and Technology, Jinan University, Guangzhou 510632, China"}]}],"member":"1968","published-online":{"date-parts":[[2022,12,6]]},"reference":[{"key":"ref_1","unstructured":"(2022, December 01). Report. Neural Network Market to Reach $38.71 Billion, Globally, by 2023, Says Allied Market Research, Available online: https:\/\/www.globenewswire.com\/fr\/news-release\/2020\/04\/02\/2010880\/0\/en\/Neural-Network-Market-to-reach-38-71-billion-Globally-by-2023-Says-Allied-Market-Research.html."},{"key":"ref_2","unstructured":"Szegedy, C., Zaremba, W., Sutskever, I., Bruna, J., Erhan, D., Goodfellow, I., and Fergus, R. (2014, January 14\u201316). Intriguing properties of neural networks. Proceedings of the ICLR, Banff, AB, Canada."},{"key":"ref_3","unstructured":"Goodfellow, I.J., Shlens, J., and Szegedy, C. (2015, January 7\u20139). Explaining and harnessing adversarial examples. Proceedings of the ICLR, San Diego, CA, USA."},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Papernot, N., McDaniel, P., Jha, S., Fredrikson, M., Celik, Z.B., and Swami, A. (2016, January 21\u201324). The Limitations of Deep Learning in Adversarial Settings. Proceedings of the 2016 IEEE European Symposium on Security and Privacy (EuroS&P), Saarbruecken, Germany.","DOI":"10.1109\/EuroSP.2016.36"},{"key":"ref_5","unstructured":"Ma, X., Li, B., Wang, Y., Erfani, M.S., Wijewickrema, N.R.S., Houle, E.M., Schoenebeck, G., Song, D., and Bailey, J. (May, January 30). Characterizing Adversarial Subspaces Using Local Intrinsic Dimensionality. Proceedings of the ICLR, Vancouver, BC, Canada."},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Cohen, G., Sapiro, G., and Giryes, R. (2020, January 15\u201319). Detecting Adversarial Samples Using Influence Functions and Nearest Neighbors. Proceedings of the 2020 IEEE\/CVF Conference on Computer Vision and Pattern Recognition (CVPR), Seattle, WA, USA.","DOI":"10.1109\/CVPR42600.2020.01446"},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"Xu, W., Evans, D., and Qi, Y. (2018, January 18\u201321). Feature Squeezing: Detecting Adversarial Examples in Deep Neural Networks. Proceedings of the NDSS, San Diego, CA, USA.","DOI":"10.14722\/ndss.2018.23198"},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Meng, D., and Chen, H. (November, January 30). MagNet: A Two-Pronged Defense against Adversarial Examples. Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security Association for Computing Machinery (CCS \u201917), New York, NY, USA.","DOI":"10.1145\/3133956.3134057"},{"key":"ref_9","unstructured":"Madry, A., Makelov, A., Schmidt, L., Tsipras, D., and Vladu, A. (May, January 30). Towards Deep Learning Models Resistant to Adversarial Attacks. Proceedings of the ICLR, Vancouver, BC, Canada."},{"key":"ref_10","unstructured":"Mustafa, A., Khan, S., Hayat, M., Goecke, R., Shen, J., and Shao, L. (November, January 27). Adversarial defense by restricting the hidden space of deep neural networks. Proceedings of the ICCV, Seoul, Korea."},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"He, K., Chen, X., Xie, S., Li, Y., Doll\u00e1r, P., and Girshick, R. (2022, January 21\u201323). Masked Autoencoders Are Scalable Vision Learners. Proceedings of the 2022 IEEE\/CVF Conference on Computer Vision and Pattern Recognition (CVPR), New Orleans, LA, USA.","DOI":"10.1109\/CVPR52688.2022.01553"},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Papernot, N., McDaniel, P., Wu, X., Jha, S., and Swami, A. (2016, January 22\u201326). Distillation as a Defense to Adversarial Perturbations Against Deep Neural Networks. Proceedings of the 2016 IEEE Symposium on Security and Privacy (SP), San Jose, CA, USA.","DOI":"10.1109\/SP.2016.41"},{"key":"ref_13","unstructured":"Kurakin, A., Goodfellow, I., and Bengio, S. (2017, January 24\u201326). Adversarial examples in the physical world. Proceedings of the ICLR Workshop, Toulon, France."},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Liao, F., Liang, M., Dong, Y., Pang, T., Hu, X., and Zhu, J. (2018, January 18\u201323). Defense Against Adversarial Attacks Using High-Level Representation Guided Denoiser. Proceedings of the 2018 IEEE\/CVF Conference on Computer Vision and Pattern Recognition, Salt Lake City, UT, USA.","DOI":"10.1109\/CVPR.2018.00191"},{"key":"ref_15","unstructured":"Samangouei, P., Kabkab, M., and Chellappa, R. (2018). Defense-GAN: Protecting classifiers against adversarial attacks using generative models. arXiv."},{"key":"ref_16","unstructured":"Salman, H., Sun, M., Yang, G., Kapoor, A., and Kolter, J.Z. (2020, January 6\u201312). Denoised Smoothing: A Provable Defense for Pretrained Classifiers. Proceedings of the NeurIPS 2020, Virtual."},{"key":"ref_17","unstructured":"Song, Y., Kim, T., Nowozin, S., Ermon, S., and Kushman, N. (May, January 30). PixelDefend: Leveraging Generative Models to Understand and Defend against Adversarial Examples. Proceedings of the ICLR, Vancouver, BC, Canada."},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Lee, S., Lee, H., and Yoon, S. (2020, January 13\u201319). Adversarial Vertex Mixup: Toward Better Adversarially Robust Generalization. Proceedings of the 2020 IEEE\/CVF Conference on Computer Vision and Pattern Recognition (CVPR), Seattle, WA, USA.","DOI":"10.1109\/CVPR42600.2020.00035"},{"key":"ref_19","unstructured":"Potdevin, Y., Nowotka, D., and Ganesh, V. (2019). An Empirical Investigation of Randomized Defenses against Adversarial Attacks. arXiv."},{"key":"ref_20","unstructured":"Gu, S., and Rigazio, L. (2015, January 7\u20139). Towards Deep Neural Network Architectures Robust to Adversarial Examples. Proceedings of the ICLR Workshop, San Diego, CA, USA."},{"key":"ref_21","unstructured":"Cisse, M., Bojanowski, P., Grave, E., Dauphin, Y., and Usunier, N. (2017, January 6\u201311). Parseval Networks: Improving Robustness to Adversarial Examples. Proceedings of the 34th International Conference on Machine Learning ICML\u201917, Sydney, Australia."},{"key":"ref_22","unstructured":"Zoph, B., and Le, Q.V. (2016). Neural architecture search with reinforcement learning. arXiv."},{"key":"ref_23","unstructured":"Krizhevsky, A., and Hinton, G. (2009). Learning Multiple Layers of Features from Tiny Images, University of Toronto."},{"key":"ref_24","unstructured":"Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., and Ng, A. (2011, January 16\u201317). Reading Digits in Natural Images with Unsupervised Feature Learning. Proceedings of the NIPS Workshop on Deep Learning and Unsupervised Feature Learning, Sierra Nevada, Spain."},{"key":"ref_25","doi-asserted-by":"crossref","first-page":"2278","DOI":"10.1109\/5.726791","article-title":"Gradient-based learning applied to document recognition","volume":"86","author":"Lecun","year":"1998","journal-title":"Proc. IEEE"},{"key":"ref_26","unstructured":"Simonyan, K., and Zisserman, A. (2015, January 7\u20139). Very Deep Convolutional Networks for Large-Scale Image Recognition. Proceedings of the ICLR, San Diego, CA, USA."},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"He, K., Zhang, X., Ren, S., and Sun, J. (2016, January 27\u201330). Deep Residual Learning for Image Recognition. Proceedings of the 2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), Las Vegas, NV, USA.","DOI":"10.1109\/CVPR.2016.90"},{"key":"ref_28","unstructured":"Rauber, J., Brendel, W., and Bethge, M. (2017, January 6\u201311). Foolbox: A Python toolbox to benchmark the robustness of machine learning models. Proceedings of the Reliable Machine Learning in the Wild Workshop, 34th International Conference on Machine Learning, Sydney, Australia."},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Carlini, N., and Wagner, D. (2017, January 22\u201329). Towards Evaluating the Robustness of Neural Networks. Proceedings of the 2017 IEEE Symposium on Security and Privacy (SP), San Jose, CA, USA.","DOI":"10.1109\/SP.2017.49"},{"key":"ref_30","doi-asserted-by":"crossref","unstructured":"Levine, A., and Feizi, S. (2020, January 7\u201312). Robustness certificates for sparse adversarial attacks by randomized ablation. Proceedings of the AAAI Conference on Artificial Intelligence, New York, NY, USA.","DOI":"10.1609\/aaai.v34i04.5888"},{"key":"ref_31","unstructured":"Simonyan, K., Vedaldi, A., and Zisserman, A. (2013). Deep inside convolutional networks: Visualising image classification models and saliency maps. arXiv."},{"key":"ref_32","doi-asserted-by":"crossref","first-page":"2529","DOI":"10.1109\/TIP.2022.3157149","article-title":"TSGB: Target-Selective Gradient Backprop for Probing CNN Visual Saliency","volume":"31","author":"Cheng","year":"2022","journal-title":"IEEE Trans. Image Process."},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"Zhou, B., Khosla, A., Lapedriza, A., Oliva, A., and Torralba, A. (2016, January 27\u201330). Learning Deep Features for Discriminative Localization. Proceedings of the 2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), Las Vegas, NV, USA.","DOI":"10.1109\/CVPR.2016.319"},{"key":"ref_34","doi-asserted-by":"crossref","unstructured":"Chattopadhay, A., Sarkar, A., Howlader, P., and Balasubramanian, V.N. (2018, January 12\u201315). Grad-CAM++: Generalized Gradient-Based Visual Explanations for Deep Convolutional Networks. Proceedings of the 2018 IEEE Winter Conference on Applications of Computer Vision (WACV), Lake Tahoe, NV, USA.","DOI":"10.1109\/WACV.2018.00097"},{"key":"ref_35","unstructured":"Lahiri, S.K., and Wang, C. Formal Specification for Deep Neural Networks. Proceedings of the Automated Technology for Verification and Analysis."},{"key":"ref_36","unstructured":"Li, Y., and Yuan, Y. (2017). Convergence analysis of two-layer neural networks with relu activation. arXiv."},{"key":"ref_37","doi-asserted-by":"crossref","first-page":"46","DOI":"10.1145\/3503914","article-title":"Toward Verified Artificial Intelligence","volume":"65","author":"Seshia","year":"2022","journal-title":"Commun. ACM"}],"container-title":["Algorithms"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1999-4893\/15\/12\/461\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T01:34:42Z","timestamp":1760146482000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1999-4893\/15\/12\/461"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,12,6]]},"references-count":37,"journal-issue":{"issue":"12","published-online":{"date-parts":[[2022,12]]}},"alternative-id":["a15120461"],"URL":"https:\/\/doi.org\/10.3390\/a15120461","relation":{},"ISSN":["1999-4893"],"issn-type":[{"type":"electronic","value":"1999-4893"}],"subject":[],"published":{"date-parts":[[2022,12,6]]}}}