Deep Learning is one of the most popular computer science techniques, with applications in natural language processing, image processing, pattern identification, and various other fields. Despite the success of deep learning algorithms in scenarios such as spam detection, malware detection, object detection and tracking, face recognition, and autonomous driving, these algorithms and their associated training data are vulnerable to numerous security threats, which ultimately result in significant performance degradation. Moreover, supervised learning models are affected by manipulated data known as adversarial examples: images carrying a level of noise that is invisible to humans. Adversarial inputs are introduced to purposefully confuse a neural network, restricting its use in sensitive application areas such as biometrics. In this paper, an optimized defending approach is proposed to recognize adversarial iris examples efficiently. The defense strategy uses Curvelet Transform denoising, which examines every sub-band of the adversarial image and reconstructs the image that has been changed by the attacker. The salient iris features are retrieved from the reconstructed iris image by using a pre-trained Convolutional Neural Network model (VGG-16), followed by multiclass classification. The classification is performed using a Support Vector Machine whose parameters are tuned by Particle Swarm Optimization (PSO-SVM). The proposed system is tested on adversarial iris images produced by various attacks such as FGSM, iGSM, and Deepfool. Experimental results on the benchmark IITD iris dataset produce excellent outcomes, with the highest accuracy of 95.8% on average.

In many machine learning tasks, Deep Neural Networks (DNN) have grown increasingly successful and popular. They have had great success in various applications such as image recognition, text synthesis, and speech recognition, and in the image processing domain they are capable of recognizing objects with near-human accuracy [

Recently, a few research studies have been published on countermeasures to protect deep neural networks from the threat of adversarial examples. The defending mechanisms fall into three categories. (A) Gradient masking: most adversarial attacks exploit the classifier's gradient information, so this defending mechanism hides or masks the gradient values, causing the attacking mechanism to fail [

This study proposes the following contributions:

Curvelet transform based image denoising: the Curvelet transform is used to reconstruct an adversarial iris example into a denoised image in an efficient way.

DNN based feature extractor: the extraction of the essential key features from the data determines the feature extractor's efficiency. The pre-trained CNN model VGG16 is used to extract all major features.

Classification: PSO-SVM is used for multiclass classification, which identifies the adversarial image efficiently with optimised SVM parameters.

The proposed framework is resistant to adversarial attacks, and its results are analysed with existing state of the art strategies.

The remainder of the paper is organized in the following manner. In the second section, related works are discussed. The techniques used to create adversarial examples are described in Section 3, and the adversarial detection methodology employed in our investigation is described in Section 4. Section 5 presents the results of our experimental effort, and Section 6 summarizes our findings and concludes.

Deep Neural Networks (DNN), built on artificial neural networks, have been proven to be resistant to random noise [

Developing a framework that is resistant to manipulated data has proven to be difficult and remains an ongoing challenge. A DNN model’s robustness can be improved through adversarial training or model distillation [

An adversary’s common goal is to provide a sample that looks identical to a normal sample but is incorrectly classified by the target model. Consider the input image,

(a) Fast Gradient Sign Method (FGSM): Goodfellow et al. introduced the Fast Gradient Sign Method, which uses the derivative of the classifier’s loss function with respect to the input feature vector to create adversarial perturbations. Given a base input, the strategy is to perturb each feature by magnitude ɛ in the direction of the gradient, where ɛ is a parameter specifying the scale of the perturbation. With J(θ, x, y) denoting the classification model’s loss for parameters θ, input x, and label y, the adversarial example is:

x_adv = x + ɛ · sign(∇_x J(θ, x, y))

The success rate of generating adversarial examples depends mainly on the perturbation rate ɛ.
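The single-step FGSM update can be illustrated with a minimal NumPy sketch. The classifier here is a toy logistic-regression model, and the weights, input, and ɛ below are illustrative values, not the paper's model:

```python
import numpy as np

def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))

def fgsm_perturb(x, y, w, b, eps):
    # One-step FGSM: move each input feature by eps in the direction of the
    # gradient of the binary cross-entropy loss with respect to the input.
    p = sigmoid(w @ x + b)        # model's predicted probability
    grad_x = (p - y) * w          # dJ/dx for binary cross-entropy
    return x + eps * np.sign(grad_x)

# Illustrative toy classifier and a correctly classified input.
w = np.array([1.5, -2.0, 0.5])
b = 0.1
x = np.array([0.2, -0.4, 0.3])
y = 1.0

x_adv = fgsm_perturb(x, y, w, b, eps=0.3)
```

Each feature moves by exactly ɛ, yet the model's confidence in the true label drops, which is the behaviour the attack exploits.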

(b) Iterative Gradient Sign Method (iGSM): iGSM is the iterative version of FGSM. Instead of applying adversarial noise with one large perturbation, this method applies FGSM multiple times with modest perturbation sizes, clipping all pixels after each iteration so that the result stays in the ɛ-neighbourhood of the input image. When ℓ2 normalization is used, each iteration of the ℓ2 version of iGSM moves in the direction of the normalized gradient, and effective adversarial examples are generated. On the ImageNet dataset, iGSM’s attack was proven to be better than the FGSM method [
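The iterative variant can be sketched the same way: small steps of an assumed size alpha, each followed by clipping back into the ɛ-neighbourhood of the input. The toy logistic classifier and all values are illustrative, not the paper's model:

```python
import numpy as np

def igsm_perturb(x, y, w, b, eps, alpha, steps):
    # Iterative FGSM: repeated small steps of size alpha, each followed by
    # clipping back into the eps-neighbourhood of the original input.
    x_adv = x.copy()
    for _ in range(steps):
        p = 1.0 / (1.0 + np.exp(-(w @ x_adv + b)))   # sigmoid output
        grad_x = (p - y) * w                         # loss gradient wrt the input
        x_adv = x_adv + alpha * np.sign(grad_x)
        x_adv = np.clip(x_adv, x - eps, x + eps)     # stay within the eps-ball
    return x_adv

# Illustrative toy classifier and input.
w = np.array([1.5, -2.0, 0.5])
b = 0.1
x = np.array([0.2, -0.4, 0.3])
y = 1.0

x_adv = igsm_perturb(x, y, w, b, eps=0.3, alpha=0.1, steps=5)
```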

(c) Deepfool: Deepfool is a non-targeted attack approach that iteratively perturbs an image to build an adversarial example. It calculates the shortest distance between the original input and the decision boundary of the attacked model, using an iterative technique with a linear approximation to handle the nonlinearity of high-dimensional classifiers. When the altered image changes the deep learning model’s classification, the process ends and the corresponding image is taken as the adversarial image.
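For a linear binary classifier the shortest perturbation to the decision boundary has a closed form, which is the building block DeepFool iterates. A hedged sketch with illustrative weights; the small overshoot constant (0.02 in the original DeepFool formulation) nudges the point just past the boundary:

```python
import numpy as np

def deepfool_linear(x, w, b, overshoot=0.02):
    # Closed-form DeepFool step for a linear binary classifier f(x) = w.x + b:
    # the shortest vector from x to the hyperplane f = 0, scaled slightly past it.
    f = w @ x + b
    r = -(f / (w @ w)) * w
    return x + (1.0 + overshoot) * r

# Illustrative classifier and input, not the paper's model.
w = np.array([1.0, -1.0])
b = 0.0
x = np.array([2.0, 1.0])      # f(x) = 1.0, classified positive

x_adv = deepfool_linear(x, w, b)
```

The perturbation is the minimal one (up to the overshoot) that flips the predicted label, which is why DeepFool perturbations tend to be much smaller than FGSM's.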

| Attack Type | Attack Name | Dataset used |
|---|---|---|
| White box approach | Fast Gradient Sign Method (FGSM) | MNIST, CIFAR-10 |
| | Iterative Gradient Sign Method (iGSM) | ImageNet |
| | Jacobian Saliency Map Attack (JSMA) | MNIST, CIFAR-10 |
| | Deepfool (DF) | MNIST, CIFAR-10, ImageNet |
| Black box approach | One Pixel Attack (OPA) | CIFAR-10, ImageNet |
| | Natural GAN (NGAN) | MNIST, Textual Entailment |
| | Boundary Attack (BA) | MNIST, CIFAR-10, ImageNet |
| | Greedy Search Algorithm | Textual datasets |

The Curvelet Transform [

Curvelet transforms can be implemented in two ways: the first uses Unequally Spaced Fast Fourier Transforms (USFFT), while the second wraps a specially selected set of Fourier samples. The only difference between the two implementations is the spatial grid used to translate the curvelets at each scale and direction; both generate a table of curvelet coefficients indexed by a scale level, a direction, and a spatial location value. The wrapping curvelet transform is the quicker technique and is the one chosen for this work. The steps to acquire the curvelet coefficients are depicted in

Deep convolutional neural networks have made numerous ground-breaking advances in the field of image classification. Convolutional Neural Networks (CNN) follow the deep neural network concept, extracting high-level features from the input data automatically, whereas in classical Machine Learning (ML) hand-crafted features are supplied for processing the data [

PSO, the parallel evolutionary computation approach underlying PSO-SVM, was introduced by Kennedy et al. [

In this work, the final classification is performed using SVM technique. To optimize the SVM parameters, the PSO method is applied.

v_i(t+1) = ω·v_i(t) + c_1·r_1·(pbest_i − x_i(t)) + c_2·r_2·(gbest − x_i(t))

x_i(t+1) = x_i(t) + v_i(t+1)

where v_i(t) – velocity of particle i at the t^{th} iteration, x_i(t) – position of particle i at the t^{th} iteration, ω – inertia weight, c_{1}, c_{2}, r_{1}, r_{2} – PSO parameters, pbest_i – best position found so far by particle i, gbest – best position found so far by the swarm.
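The PSO velocity and position updates can be sketched as a plain NumPy loop. The fitness below is a stand-in quadratic with a made-up minimum; in the proposed system each particle's position would encode (C, gamma) and the fitness would be the RMSE of the trained SVM. All bounds and constants are illustrative:

```python
import numpy as np

rng = np.random.default_rng(0)

def fitness(p):
    # Stand-in objective with a made-up minimum at (0.25, 9.7); in the
    # proposed system this would be the RMSE of an SVM trained with
    # C = p[0] and gamma = p[1].
    return (p[0] - 0.25) ** 2 + (p[1] - 9.7) ** 2

n, dim, iters = 20, 2, 60
omega, c1, c2 = 0.7, 1.5, 1.5                  # inertia weight, acceleration constants
x = rng.uniform([0.01, 0.1], [1.0, 20.0], size=(n, dim))  # positions: (C, gamma)
v = np.zeros((n, dim))                         # velocities
pbest = x.copy()                               # each particle's best position so far
pbest_f = np.array([fitness(p) for p in x])
gbest = pbest[np.argmin(pbest_f)].copy()       # best position found by the swarm
initial_best = pbest_f.min()

for _ in range(iters):
    r1, r2 = rng.random((n, dim)), rng.random((n, dim))   # random factors r1, r2
    v = omega * v + c1 * r1 * (pbest - x) + c2 * r2 * (gbest - x)
    x = x + v
    f = np.array([fitness(p) for p in x])
    improved = f < pbest_f
    pbest[improved], pbest_f[improved] = x[improved], f[improved]
    gbest = pbest[np.argmin(pbest_f)].copy()
```

After the loop, `gbest` holds the swarm's best (C, gamma) candidate; with an SVM-based fitness, those are the parameters handed to the final classifier.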

The proposed work utilizes two publicly available benchmark iris datasets: (i) the IITD iris database and (ii) CASIA-Iris-Interval.

| Dataset | Number of subjects | Number of images | Image size | Image format | Number of classes |
|---|---|---|---|---|---|
| IITD | 224 | 1120 | 320×240 | BMP | 224 |
| CASIA-Iris-Interval | 249 | 2639 | 320×280 | JPEG | 395 |

Iris segmentation and normalization are carried out in this preprocessing step. The circular Hough transform is used to detect the boundaries of the iris and pupil in the segmentation procedure. The first step in segmentation is to build an edge map using the Canny edge detection technique, which consists of the following steps: (a) noise reduction by smoothing, (b) gradient calculation, (c) non-maximum suppression, (d) double thresholding, and (e) tracking the edges by hysteresis.

The next step is to reconstruct the adversarial iris images using a multi-resolution analysis tool, the Curvelet Transform. After the pre-processing step, the Curvelet Transform via wrapping is applied to the normalized images to obtain the curvelet coefficients. The image is then analysed in terms of approximation and detail curvelet coefficients, derived at different angles and scales. If the image size is 256 × 256 and the number of angles in the sub-band is set to 16, the number of curvelet coefficients is 184,985; considering all coefficients in the subsequent steps would make the computation too heavy. The IITD iris images are therefore normalized from 320 × 240 to 100 × 100 with the above parameter values, which reduces the coefficient count to 28,098. During reconstruction, the approximation coefficients are kept unchanged, because they carry the deeper features of the image, while the detail coefficients are selected by a soft thresholding technique, which produces more visually appealing images than hard thresholding. Mean Square Error (MSE), Signal to Noise Ratio (SNR) and Peak Signal to Noise Ratio (PSNR) are the metrics used to evaluate the reconstruction. It is observed that the curvelet transform efficiently recovers the original image from the adversarial attack. The reconstructed iris images are listed in
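The soft thresholding rule applied to the detail coefficients can be stated in a few lines of NumPy. The coefficient values and threshold t below are illustrative; the paper does not specify how t is chosen:

```python
import numpy as np

def soft_threshold(coeffs, t):
    # Soft thresholding: shrink every detail coefficient toward zero by t and
    # zero out those whose magnitude falls below t (suppressing low-energy noise).
    return np.sign(coeffs) * np.maximum(np.abs(coeffs) - t, 0.0)

d = np.array([-3.0, -0.5, 0.2, 1.5])      # illustrative detail coefficients
d_denoised = soft_threshold(d, t=1.0)     # t is an assumed threshold value
```

Unlike hard thresholding, which keeps surviving coefficients unchanged, soft thresholding also shrinks them by t, which is why it yields smoother, more visually appealing reconstructions.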

Feature extraction is carried out using the transfer learning concept. VGG-16, a pre-trained Convolutional Neural Network model, is used for extracting the features. The details of the VGG-16 architecture are shown in

| Layer Name | Feature Map | Size | Stride |
|---|---|---|---|
| Input | 1 | 224 × 224 × 3 | – |
| 2X Convolutions | 64 | 224 × 224 × 64 | 1 |
| Maxpooling | 64 | 112 × 112 × 64 | 2 |
| 2X Convolutions | 128 | 112 × 112 × 128 | 1 |
| Maxpooling | 128 | 56 × 56 × 128 | 2 |
| 3X Convolutions | 256 | 56 × 56 × 256 | 1 |
| Maxpooling | 256 | 28 × 28 × 256 | 2 |
| 3X Convolutions | 512 | 28 × 28 × 512 | 1 |
| Maxpooling | 512 | 14 × 14 × 512 | 2 |
| 3X Convolutions | 512 | 14 × 14 × 512 | 1 |
| Maxpooling | 512 | 7 × 7 × 512 | 2 |
| Fully connected 1 | – | 25088 | – |
| Fully connected 2 | – | 4096 | – |
| Fully connected 3 | – | 4096 | – |
| Output | – | 1000 | – |

After feature extraction, the classifier is trained so that the trained model can identify the associated label for each input image. Support Vector Machine, Naïve Bayes, Neural Network and Softmax Regression are examples of classifiers that can be used for this purpose. In the proposed work the SVM technique is applied to classify images as adversarial or not. The kernel function is a key notion in SVM, as it allows operations to be carried out in the input space rather than the potentially high-dimensional feature space. Four SVM kernel functions are commonly used: (1) linear, (2) polynomial, (3) radial basis function (RBF), and (4) sigmoid. In our work we use the RBF kernel for classification. Initial values for the SVM parameters gamma and C (penalty) are defined in a prior step; Particle Swarm Optimization (PSO) is then used to find the best parameter values based on the fitness function. Root Mean Square Error (RMSE) is used as the fitness function in our methodology.
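The RBF kernel at the heart of this classifier is simple to state; a minimal sketch showing the role of gamma (the points and gamma values below are illustrative):

```python
import numpy as np

def rbf_kernel(x1, x2, gamma):
    # RBF kernel k(x, x') = exp(-gamma * ||x - x'||^2).  gamma controls how fast
    # similarity decays with distance; C (the penalty) is set elsewhere in the SVM.
    return np.exp(-gamma * np.sum((x1 - x2) ** 2))

a = np.array([1.0, 0.0])
c = np.array([0.0, 0.0])
k_same = rbf_kernel(a, a, gamma=9.7)   # identical points: similarity 1
k_far = rbf_kernel(a, c, gamma=9.7)    # larger gamma makes similarity decay faster
```

A large gamma makes the decision boundary very local (risking overfitting), while a small gamma smooths it out, which is why tuning gamma together with C matters for the recognition rate.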

The proposed methodology has been evaluated on two datasets, the IITD iris and CASIA-Iris-Interval datasets. The details of the datasets are explained in Section 4.1. The flow diagram of the proposed work is shown in

| Attack name | FGSM | iGSM | Deepfool |
|---|---|---|---|
| Accuracy before attack (in %) | 98.01 | 97.6 | 98 |
| Accuracy after attack (in %) | 90.24 | 86.7 | 93.83 |

The next step in the proposed methodology is preprocessing of the adversarial iris images. Segmentation and normalization are performed to enhance the iris image, and the preprocessed image is then reconstructed using the curvelet transform. Curvelet transforms are designed to represent curves with a small number of coefficients, so this method handles curve discontinuities well. After the curvelet transform is performed, the reconstructed images obtained from the adversarial images are shown in

| Types of attack | Average SNR (increase) | Average PSNR (increase) | MSE (decrease) |
|---|---|---|---|
| FGSM | 10% | 8% | 83% |
| iGSM | 12% | 10% | 85% |
| Deepfool | 11% | 12% | 85% |

The SNR of the attacked image with respect to the original is computed, and similarly the SNR of the reconstructed image with respect to the original. The increase in SNR shows that the image is reconstructed properly, and likewise the decrease in Mean Square Error (MSE) reflects efficient reconstruction. In
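The three reconstruction metrics can be computed directly from the original, attacked, and reconstructed images. A minimal NumPy sketch, assuming 8-bit images with peak value 255; the flat images below are illustrative stand-ins:

```python
import numpy as np

def mse(ref, img):
    # Mean Square Error between a reference image and a test image.
    return np.mean((ref.astype(float) - img.astype(float)) ** 2)

def snr(ref, img):
    # Signal-to-noise ratio in dB: reference signal energy over the error energy.
    return 10.0 * np.log10(np.mean(ref.astype(float) ** 2) / mse(ref, img))

def psnr(ref, img, peak=255.0):
    # Peak signal-to-noise ratio in dB for images with the given peak value.
    return 10.0 * np.log10(peak ** 2 / mse(ref, img))

# Illustrative images: a flat original, an "attacked" copy, and a closer "restored" copy.
ref = np.full((4, 4), 100.0)
attacked = ref + 10.0
restored = ref + 2.0
```

Higher SNR/PSNR for original-to-reconstructed than for original-to-attacked, together with a lower MSE, indicates a successful reconstruction.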

The pre-trained CNN model VGG16 is used to extract the features from the reconstructed image. The default input size for this model is 224 × 224, so we resized the reconstructed images to the required size. The model is trained with the Adam optimizer with a batch size of 32. Adam was chosen because its small, adaptive weight updates can improve learning throughout the training phase; within a certain number of epochs it converges satisfactorily towards the global minimum. Smaller learning rates are desirable for gentler weight updates, so in our experiment the learning rate is initialized to 0.0001. The rectified linear unit (ReLU) activates the neurons in each layer and induces non-linearity into the data; it is used throughout all layers except the final classification layer. We use the sparse categorical cross-entropy loss function instead of the multinomial cross-entropy loss used for multilabel classification: a label is assigned for each image, and the output with the lowest classification loss is chosen for better performance. The features are obtained from the last deep dense layer with the ReLU activation function. The output of this layer is 4096 feature maps, which are stored in CSV format to speed up the PSO-SVM step.

After extracting the features from the pre-trained model, the PSO-SVM model is used to recognise the adversarial iris images. For a high SVM recognition rate, a suitable kernel function with optimal parameters is essential, so our proposed system combines the evolutionary optimization method (PSO) with the Support Vector Machine algorithm. In this SVM recognition experiment we considered both cases: (i) fixed SVM parameters and (ii) SVM parameters optimized with the proposed method. In the first case the parameter values are fixed at C (penalty) = 0.7 and gamma = 1. In the second case PSO is used to find the best parameter values for each set of adversarial attack images. The PSO-SVM can automatically determine the best C and gamma for the SVM, and its accuracy is clearly superior to the regular SVM for almost all types of attack.

| S. No. | Attack | C value | gamma value |
|---|---|---|---|
| 1 | FGSM | 0.25 | 9.7 |
| 2 | iGSM | 0.27 | 9.2 |
| 3 | Deepfool | 0.25 | 9.7 |

The classification accuracy of the proposed model compared with other state-of-the-art models is tabulated in

Accuracy (in %) under adversarial attacks:

| Classification Method | FGSM | iGSM | Deepfool |
|---|---|---|---|
| Model 1: Curvelet + SVM | 88 | 85 | 86.2 |
| Model 2: Curvelet + PCA + SVM | 92.4 | 89.7 | 90 |
| Model 3: Curvelet + CNN + SVM | 94.7 | 93.5 | 94 |
| Model 4: Curvelet + CNN | 95.6 | 94.3 | 95 |
| Model 5: Curvelet + CNN + PSO-SVM (proposed method) | 96.3 | 95 | 96.3 |

In this research, we examine how to defend against adversarial attacks on Deep Convolutional Neural Networks used as iris classifiers in biometric systems. A novel defending method that addresses adversarial iris images is proposed. The defense uses Curvelet Transform based denoising, which analyses each sub-band of the input image and reconstructs images affected by the adversary. The salient iris features are extracted from the denoised iris image by a pre-trained Convolutional Neural Network (the VGG-16 model), and multiclass classification is then performed with a PSO-optimized Support Vector Machine (PSO-SVM). The presented method is evaluated on publicly available datasets (the IITD iris database and CASIA-Iris-Interval) and achieves a high accuracy rate. Experiments show that the method generates useful and realistic iris features to recognise adversarial attacks effectively, with high accuracy and robustness; compared to other existing defending models, it achieves 96.5 percent accuracy on the test data. A number of novel ideas are included in this work. Existing defending mechanisms use the wavelet transform for feature extraction, which is good at describing point singularities but struggles to capture curve singularities. Feature learning and transfer learning methods are receiving a lot of attention these days: here, the reconstructed image is fed directly into the pre-trained CNN model, which extracts the best aspects of the image. For adversarial image detection, a high SVM recognition rate requires a suitable kernel function with optimal parameters; our system therefore combines the evolutionary optimization method (PSO) with the Support Vector Machine algorithm, producing promising results compared with other conventional classification methods.
In the future, we will test the performance of the proposed technique on other iris datasets and other biometric recognition challenges using alternative pre-trained CNN models. The proposed system may also be tested with other types of adversarial attacks to build a more generalized defending framework.