Emulated Autoencoder: A Time-Efficient Image Denoiser for Defense of Convolutional Neural Networks against Evasion Attacks
Authors
Le, Dat Tien
Abstract
As Convolutional Neural Networks (CNNs) have become essential to modern applications such as image classification on social networks or self-driving vehicles, evasion attacks targeting CNNs can harm users. Therefore, a growing body of research focuses on defending against evasion attacks. Image denoisers have been used to mitigate the impact of evasion attacks; however, there is not a sufficiently broad view of the use of image denoisers as adversarial defenses in image classification due to a lack of trade-off analysis. Thus, image denoisers' costs, including training time, image reconstruction time, and loss of benign F1 scores of CNN classifiers, are explored in this thesis. Additionally, Emulated Autoencoder (EAE), the method proposed in this thesis to optimize trade-offs for high-volume classification tasks, is evaluated alongside state-of-the-art image denoisers in the gray-box and white-box threat models. EAE outperforms most image denoisers in both the gray-box and white-box threat models while drastically reducing training and image reconstruction time compared to the state-of-the-art denoisers. As a result, EAE is more appropriate for securing high-volume image classification applications.
Description
Thesis (Master's)--University of Washington, 2022
