Defense against adversarial attacks in traffic sign image identification based on 5G

In the past decade, artificial intelligence and Internet of Things (IoT) technology have developed rapidly and have gradually begun to integrate with each other, especially in the coming 5G era. Image recognition is a key technology because a huge number of video cameras are integrated into intelligent IoT equipment, such as driverless cars. However, the rapidly growing body of research in adversarial machine learning has demonstrated that deep learning architectures are vulnerable to adversarial examples. This raises questions about the security of the intelligent IoT in trust-sensitive areas and emphasizes the urgent need for practical defense technology that can be deployed to combat attacks in real time. Well-crafted small perturbations lead to the misclassification of legitimate images by neural networks, but not by the human visual system; indeed, many attack strategies are designed to disrupt image pixels in a visually imperceptible manner. We therefore propose a new defense method that takes full advantage of 5G high-speed bandwidth and mobile edge computing (MEC). We use singular value decomposition (SVD), which yields the optimal approximation of a matrix in the sense of square loss, to eliminate the perturbation. We have conducted extensive, large-scale experiments on the German Traffic Sign Recognition Benchmark (GTSRB) dataset, and the results show that the method can better eliminate adversarial attacks such as Carlini-Wagner's l2, Deepfool, and I-FGSM, while providing lower latency.


Introduction
In recent years, against the background of continuously expanding data scale and greatly improved computing power, artificial intelligence and IoT technology have developed rapidly. For example, deep learning has achieved far better performance than other approaches in computer vision, speech recognition, and natural language processing, which motivates integrating deep learning into IoT equipment so that it can make decisions, especially for image classification and target tracking. However, security problems have also been steadily exposed during this rapid development, and few people pay attention to them. In pattern recognition, an adversary adds a carefully designed perturbation to an image to generate an adversarial example. Due to the linear nature of high-dimensional space, the influence of this small pixel change on the feature space is magnified and finally misleads the deep learning model into a high-confidence misclassification. As shown in Fig. 1, a stop sign is identified as a flowerpot by the YOLO multiple object detector. As a result, applications such as driverless vehicles face a serious security threat; to date, adversarial defense remains a great obstacle to the reliable deployment of artificial intelligence.
In an unmanned system, vehicles obtain external road information through lidar, camera, optical detector, and so on. How to identify traffic signs quickly and accurately is a key point in the field of self-driving. A typical traffic sign image recognition system based on mobile edge computing (MEC) in the 5G network is shown in Fig. 2.
Coincidentally, we generated scale-invariant adversarial examples to test the safety and security of driverless vehicles whose safety had been demonstrated in contribution [1], and the result is thought provoking. We printed the well-crafted scale-invariant adversarial examples with a color printer and placed them in the forward view of a driverless car. The car's system classified them as a monitor or a computer, but not as a traffic light; changing the viewing angle produced the same result, as shown in Fig. 3. The drawback of traditional driverless cars is obvious: previous communication transmission rates could not support real-time data transmission, analysis, and interaction, and other intelligent IoT equipment faces the same problem. But with the development of 5G remote communication technologies for vehicle-to-everything (V2X) communications, a driverless car can upload live traffic to a MEC node and a monitoring center for synchronized analysis and decision-making, so the problem can be solved easily.
Although adversarial examples successfully attack DNN classifiers, DNNs are increasingly used as part of control pipelines in real-world systems such as driverless cars [2,3], UAVs [4,5], and robots [6]. This threat has attracted wide attention: adversarial examples began in the digital domain and have more recently extended to the physical domain [7,8].
Several lines of work aim to eliminate the safety problems caused by scale-invariant adversarial examples in self-driving. On the one hand, some scholars aim to improve the robustness of the deep learning model itself, e.g., by adversarial training, where the training set contains both real and adversarial images. On the other hand, other scholars try to preprocess the input image to remove the perturbation from adversarial examples. Shortly before, Yue Zhou et al. [9] proposed an OPV (overall probability …) method in which the image is transformed into the YCrCb color space, where edge information is easier to extract. The Scharr operator is then used to extract edge information to identify whether the image is clean. The image edge information matrix is transformed into a uniform-size GLCM (gray-level co-occurrence matrix) and fed into a deep neural network with depthwise separable convolutions to complete training and detection. Songkui Chen et al. [11] proposed a new image denoising algorithm to address the serious loss of detail in traditional denoising algorithms. The algorithm uses GANs to learn the denoising process: the generator takes the adversarial example as input and outputs the denoised image, while the discriminator distinguishes the detail loss of the denoised image from the real image. While maintaining good performance, the network achieves better detail retention. Li Yuancheng et al. [12] proposed a U-Net-based deep denoising neural network (UDDN) to remove perturbation from adversarial examples; the main idea is to learn the noise itself and then subtract it from the adversarial image to obtain a clean image. Nilaksh Das et al. proposed using JPEG compression, which compresses different regions of the image with different compression coefficients, to resist adversarial disturbance, achieving good results [13]. Chuan Guo et al. make comprehensive use of image transformation techniques, such as cropping-rescaling, bit-depth reduction, total variance minimization, and quilting, to construct a multilevel defense system and demonstrate its effectiveness experimentally [14]. Cihang Xie et al. proposed image random resizing combined with adversarial training to mitigate the influence of perturbation, and showed experimentally that randomization has little effect on the classification of normal images but significantly increases the correct classification rate of adversarial examples [15].

Our contributions and impact
In this paper, we propose a new technique that effectively mitigates adversarial examples while requiring almost no prior knowledge about potential attacks. Considering the real situation of self-driving in a 5G environment, the problem of adversarial attacks on object recognition can be effectively addressed through singular value decomposition and the 5G network. We first briefly explain the generation principle of adversarial examples and their applicable scenarios. Assume an image classifier C and an image x ∈ X, X = [0, 1]^(H × W × C). An untargeted adversarial example x′ can then be defined as an image satisfying C(x′) ≠ C(x) with ‖x′ − x‖ small. A targeted attack is similar, but a specific target label k must be specified, i.e., C(x′) = k. It has also been proved that, in practice, once the target model is a DNN trained by gradient back propagation, it is feasible to train an alternative model that is highly similar to the target model [16,17]. We consider four highly aggressive attacks, I-FGSM (iterative fast gradient sign method), Deepfool, Carlini and Wagner attacks (C&W), and JSMA (Jacobian-based saliency map attack); detailed information is shown in Table 1.

Method generating adversarial example
In this section, we briefly describe the four methods used to generate adversarial images. There are two main ways to generate adversarial attacks: single-step methods, which perform the gradient computation only once, and iterative methods, which perform it multiple times. In theory, the perturbation of a single-step attack is weak, and some such perturbations do not cause misclassification. Conversely, iterative attacks are strongly aggressive against a specific network but transfer less well.

Iterative fast gradient sign method attack (I-FGSM)
This is the iterative version of the fast gradient sign method attack (FGSM) [18], which computes perturbations subject to an l∞ constraint. FGSM perturbs the input in the direction that increases the loss function J(x, y), normally the cross entropy [19]:

x* = x + ϵ · sign(∇ₓ J(x, y)).

Its iterative version is

x*ₜ₊₁ = clipₓ,ϵ( x*ₜ + α · sign(∇ₓ J(x*ₜ, y)) ), with x*₀ = x.

Usually α = ϵ/T, where ϵ is the disturbance budget and T is the number of iterations. The iterative version has stronger white-box attack ability, but its adversarial examples transfer less well.
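To make the iterative update concrete, here is a minimal numpy sketch of I-FGSM against a toy logistic-regression "classifier" (the model, weights, and the deliberately large ϵ are illustrative assumptions, not the paper's setup):

```python
import numpy as np

def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))

def ifgsm_attack(x, y, w, b, eps=2.0, steps=10):
    """Iterative FGSM against a logistic-regression stand-in model.

    For J(x, y) = cross-entropy(sigmoid(w.x + b), y), the input gradient
    is dJ/dx = (sigmoid(w.x + b) - y) * w. Each step adds
    alpha * sign(gradient) and clips back to the eps-ball (l_inf).
    """
    alpha = eps / steps                    # alpha = eps / T, as in the text
    x_adv = x.copy()
    for _ in range(steps):
        grad = (sigmoid(w @ x_adv + b) - y) * w
        x_adv = x_adv + alpha * np.sign(grad)
        x_adv = np.clip(x_adv, x - eps, x + eps)   # l_inf constraint
    return x_adv

# toy example: a point correctly classified as class 1
w = np.array([2.0, -1.0]); b = 0.0
x = np.array([1.0, 0.5]); y = 1.0
x_adv = ifgsm_attack(x, y, w, b)
clean_pred = bool(sigmoid(w @ x + b) > 0.5)       # class 1 before the attack
adv_pred = bool(sigmoid(w @ x_adv + b) > 0.5)     # flips given a large enough eps
```

The ϵ here is intentionally huge so the flip is visible on a two-dimensional toy; for images, ϵ is a small per-pixel budget.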

Carlini and Wagner attacks (C&W)
C&W is an optimization-based attack that adds a relaxation term to the perturbation-minimization problem via a differentiable surrogate of the model. The attack has l0, l2, and l∞ variants and is highly aggressive. Its l2 variant can be described as the following minimization problem [20]:

min‖x′ − x‖²₂ + c · f(x′), with f(x′) = max( maxᵢ≠ₜ Z(x′)ᵢ − Z(x′)ₜ, −κ ),

where κ controls the confidence with which the image is misclassified by the target model, and Z(·) is the output of the logit layer.
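As an illustration only, the following sketch runs (sub)gradient descent on the C&W l2 objective with a linear stand-in for the logit layer Z; the matrix W, the constants c and κ, and the learning rate are invented for this toy example:

```python
import numpy as np

def cw_l2_attack(x, target, W, c=5.0, kappa=0.5, lr=0.05, steps=300):
    """(Sub)gradient descent on ||x'-x||^2 + c*max(max_{i!=t} Z_i - Z_t, -kappa),
    with logits Z(x') = W x' (a linear stand-in for the logit layer)."""
    x_adv = x.copy()
    for _ in range(steps):
        z = W @ x_adv
        other = int(np.argmax(np.delete(z, target)))
        other = other if other < target else other + 1   # map index back
        grad = 2.0 * (x_adv - x)                         # distance term
        if z[other] - z[target] > -kappa:                # hinge term active
            grad = grad + c * (W[other] - W[target])
        x_adv = x_adv - lr * grad
    return x_adv

W = np.array([[ 1.0, 0.0],
              [-1.0, 0.0],
              [ 0.0, 1.0]])
x = np.array([1.0, 0.0])                 # logits favor class 0
x_adv = cw_l2_attack(x, target=2, W=W)   # pushed toward target class 2
```

With κ > 0 the iterate settles just past the decision boundary with a confidence margin of about κ, which is exactly the role the text assigns to κ.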

Deepfool
The Deepfool attack was introduced by Moosavi-Dezfooli et al. [21] and has targeted and untargeted versions. The authors give an effective method for finding the minimum perturbation that causes misclassification under the l2 distance metric. The method iteratively steps in the adversarial direction given by a local linear approximation of the classifier until the decision hyperplane is crossed. The resulting robustness measure can be written as

ρ_adv(k̂) = Eₓ[ Δ(x; k̂) / ‖x‖₂ ],

where Δ(x; k̂) denotes the robustness of the classifier k̂ at point x (the norm of the minimal perturbation r that changes the estimated label k̂(x)), and Eₓ is the expectation over the data distribution.
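For a binary affine classifier the local linear approximation is exact, which makes a minimal sketch easy; the weights below are illustrative, not from the paper:

```python
import numpy as np

def deepfool_affine(x, w, b, overshoot=0.02, max_iter=50):
    """Deepfool for a binary affine classifier f(x) = w.x + b.

    For an affine f the linear approximation is exact, so the minimal l2
    perturbation r = -f(x) / ||w||^2 * w crosses the boundary in one step;
    the loop mirrors the general iterative scheme for nonlinear models.
    """
    x_adv = x.copy()
    orig_sign = np.sign(w @ x + b)
    for _ in range(max_iter):
        f = w @ x_adv + b
        if np.sign(f) != orig_sign:      # hyperplane crossed: done
            break
        r = -f / (w @ w) * w             # minimal l2 step to the boundary
        x_adv = x_adv + (1 + overshoot) * r   # small overshoot to cross it
    return x_adv

w = np.array([1.0, 2.0]); b = -1.0
x = np.array([2.0, 1.0])                 # f(x) = 3 > 0
x_adv = deepfool_affine(x, w, b)
# label flips with a nearly minimal perturbation of norm ~ |f(x)| / ||w||
```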

Jacobian-based saliency map attack (JSMA)
Given the saliency map computed from the model's Jacobian matrix, the attack modifies the most significant pixel at each iteration until the prediction changes to the target class. The attack crafts adversarial disturbances under the l0 distance metric [22]. Note that when calculating the gradient, the FGSM and Deepfool attacks discussed earlier differentiate the loss function, while the forward derivative in JSMA differentiates the output of the last layer of the neural network:

∇F(X) = ∂F(X)/∂X = [ ∂Fⱼ(X)/∂Xᵢ ],

where j indexes the output classes and i indexes the input features.
According to the two disturbance modes (forward disturbance and reverse disturbance), two ways of computing the adversarial saliency map are proposed.
Based on the features selected from the adversarial saliency map, a forward or reverse disturbance is added. If the added disturbance is not enough to change the classification result, the above process is repeated on the disturbed sample.
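The forward derivative and the (forward-disturbance) saliency map can be sketched with finite differences; the two-class softmax "network" below is an assumed toy, not the paper's model:

```python
import numpy as np

def softmax(z):
    e = np.exp(z - z.max())
    return e / e.sum()

def jacobian_fd(F, x, eps=1e-5):
    """Finite-difference forward derivative dF_j/dx_i of the network output."""
    y0 = F(x)
    J = np.zeros((y0.size, x.size))
    for i in range(x.size):
        xp = x.copy(); xp[i] += eps
        J[:, i] = (F(xp) - y0) / eps
    return J

def saliency_map(F, x, target):
    """Forward-disturbance adversarial saliency map S(x, t):
    zero where dF_t/dx_i < 0 or sum_{j!=t} dF_j/dx_i > 0,
    else (dF_t/dx_i) * |sum_{j!=t} dF_j/dx_i|."""
    J = jacobian_fd(F, x)
    dFt = J[target]                      # dF_t / dx_i
    dOther = J.sum(axis=0) - dFt         # sum over j != t of dF_j / dx_i
    return np.where((dFt < 0) | (dOther > 0), 0.0, dFt * np.abs(dOther))

W = np.array([[1.0, -1.0, 0.0],
              [0.0,  2.0, -1.0]])
F = lambda x: softmax(W @ x)             # toy two-class "network"
x = np.array([0.5, 0.2, 0.1])
S = saliency_map(F, x, target=1)
# the feature with the largest S is the one JSMA would increase first
```

Because a softmax output sums to one, the column sums of the Jacobian vanish, so here dOther = −dFt; the construction is the same when F is taken as the raw last-layer output.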

Methodology
The basic idea of defending against adversarial examples is to eliminate or destroy the negligible perturbation of the input before it is identified by the target model. The infinitesimal difference η between an adversarial example X_ADV and the clean image X can be expressed as

X_ADV = X + η.
As mentioned earlier, the adversarial sample only adds a slight perturbation to the normal image. These perturbations hardly affect the human visual system, but intelligent IoT equipment cannot work properly. Therefore, we try to perform singular value decomposition on the adversarial examples to eliminate or filter out certain parts of adversarial perturbation to restore the correct decision of the neural network model.

Theoretical background
For each A ∈ C^(m × n), the singular values δ₁, δ₂, …, δᵣ of the matrix are unique and describe its distribution characteristics. The matrix A can be regarded as a linear transformation mapping points of an n-dimensional space to an m-dimensional space. After singular value decomposition, the transformation is divided into three parts, U, Δ, and V, where U and V are orthonormal matrices. Orthogonal transformations reduce the correlation of image data, capture the overall characteristics of the image, and help represent the original image with less data, which is very meaningful for image analysis, storage, and transmission.
If A is a digital image, then A can be regarded as two-dimensional time-frequency information, and the singular value decomposition of A is

A = UΔV^H = Σᵢ₌₁ʳ δᵢ uᵢ vᵢ^H,

where uᵢ and vᵢ are the column vectors of U and V and δᵢ is a non-zero singular value of A. To make this more intuitive, Fig. 4 shows the decomposition graphically on a 2 × 2 matrix. The image can thus be regarded as the superposition of r rank-one subgraphs. After singular value decomposition, the texture and geometric information of the image are concentrated in U and V, while the singular values in Δ represent the energy information of the image. Taking an RGB image as an example, the process of singular value decomposition is shown in Fig. 5.
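The decomposition and rank-one superposition can be checked directly in numpy (a random matrix stands in for an image channel):

```python
import numpy as np

# Treat a grayscale "image" as a matrix A and decompose it: A = U diag(d) V^T.
rng = np.random.default_rng(0)
A = rng.random((8, 8))

U, d, Vt = np.linalg.svd(A, full_matrices=False)

# the image is the superposition of r rank-one subgraphs d_i * u_i v_i^T
A_rebuilt = sum(d[i] * np.outer(U[:, i], Vt[i, :]) for i in range(len(d)))
assert np.allclose(A, A_rebuilt)

# U has orthonormal columns; the singular values carry the image "energy"
assert np.allclose(U.T @ U, np.eye(U.shape[1]))
assert np.isclose((d ** 2).sum(), (A ** 2).sum())   # Frobenius energy
```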
At the same time, the singular values of a matrix have the following properties:
Property 1 (stability). Assume A, B ∈ C^(m × n) with singular values λ₁ ≥ λ₂ ≥ … ≥ λₚ and τ₁ ≥ τ₂ ≥ … ≥ τₚ (p = min(m, n)). Then |λᵢ − τᵢ| ≤ ‖A − B‖₂. This property indicates that the singular values of an image change little under color change, noise interference, and similar perturbations.
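Property 1 can be verified numerically; the perturbation scale below is arbitrary:

```python
import numpy as np

# Numerical check of Property 1: singular values are stable under perturbation.
rng = np.random.default_rng(1)
A = rng.random((6, 6))
B = A + 0.01 * rng.standard_normal((6, 6))   # small "noise interference"

sv_A = np.linalg.svd(A, compute_uv=False)    # sorted descending
sv_B = np.linalg.svd(B, compute_uv=False)
spectral_gap = np.linalg.norm(A - B, 2)      # ||A - B||_2

# |lambda_i - tau_i| <= ||A - B||_2 holds for every i
assert np.all(np.abs(sv_A - sv_B) <= spectral_gap + 1e-12)
```

This is why the defense can expect the leading singular values of a perturbed sign image to stay close to those of the clean image.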
Property 3 (rotation invariance). If P is a unitary matrix, the singular values of PA are the same as those of A, since det((PA)^H(PA) − σᵢ²I) = det(A^H A − σᵢ²I) = 0.
Property 4 (matrix approximation). Assume A ∈ C^(m × n) with rank r, and let Aₛ = Σᵢ₌₁ˢ δᵢ uᵢ vᵢ^H with s < r. Then

‖A − Aₛ‖_F = min over rank-s B of ‖A − B‖_F = ( Σᵢ₌ₛ₊₁ʳ δᵢ² )^(1/2).

That is, in the sense of the F-norm, Aₛ is the best approximation of A in the space of rank-s matrices in C^(m × n). Therefore, one can retain the s (s < r) singular values greater than a certain threshold and discard the remaining r − s to approximate the matrix in a controlled way. This property underlies matrix reduction and data compression, and it provides the basis for keeping the "essential information" of adversarial examples while removing the perturbation.
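A quick numerical check of Property 4 (the Eckart–Young result) on a random matrix:

```python
import numpy as np

# The truncated SVD A_s is the best rank-s approximation of A in the
# Frobenius norm; the error equals the root-sum-square of the discarded
# singular values.
rng = np.random.default_rng(2)
A = rng.random((10, 10))
U, d, Vt = np.linalg.svd(A)
s = 4

A_s = U[:, :s] @ np.diag(d[:s]) @ Vt[:s, :]
err = np.linalg.norm(A - A_s, 'fro')
assert np.isclose(err, np.sqrt((d[s:] ** 2).sum()))

# any other rank-s matrix (here: a random one) approximates A no better
B = rng.random((10, s)) @ rng.random((s, 10))
assert np.linalg.norm(A - B, 'fro') >= err
```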

Defense method
The road condition information is captured by the vehicle camera for target identification and uploaded to the MEC node through 5G. The MEC node then analyzes signposts and road conditions using the SVD methodology described above, and the result is immediately returned to the corresponding unmanned car to help it make the correct decision, as shown in Fig. 6. This significantly decreases the security risk. The threshold we set retains the first n singular values {δ₁, δ₂, …, δₙ} (δ₁ ≥ δ₂ ≥ … ≥ δₙ) satisfying

0.6 Σᵢ₌₁ˢ δᵢ ≤ Σᵢ₌₁ⁿ δᵢ ≤ 0.7 Σᵢ₌₁ˢ δᵢ,

where s is the total number of singular values.

Results and discussion

Experimental setup
Specifically, we choose the German Traffic Sign Recognition Benchmark dataset [23] for the experiments. As the deep neural network classifier we choose Google Inception-v4 [24], which achieves 96.8% accuracy on the test set. This model is named the "target model," and the target model combined with the defense method is named the "defense model." Adversarial example generation proceeds as follows. For the FGSM attack, ε is the key parameter: its size directly affects the success rate of adversarial example generation, while a larger ε introduces obvious perturbation that is easily discovered. We therefore craft the adversarial examples with appropriate ε values different from the 2/255 used for ImageNet images. For the Deepfool attack, we use the default settings; the algorithm alters the image less perceptibly than FGSM, yet the generated adversarial examples still fool the DNN classifiers. The C&W attack is an optimization-based algorithm that seeks a perturbation as small as possible; in other words, it finds closer adversarial examples than the other attack techniques. For instance, the C&W l2 attack crafts adversarial examples with much lower distortion than FGSM; we set κ to 2.0 in the experiment. For the JSMA attack, we use the default settings. Note that JSMA produces perceptible perturbations, since it limits the number of altered pixels but not their amplitude; the generated adversarial examples may thus be easier to spot, but we still keep them in our experiment.
With respect to the defense model, it consists of the original network listed above with two added layers. In the SVD layer, singular value decomposition is performed on the pixel matrix of the image; in line with the threshold relation 0.6 Σᵢ₌₁ˢ δᵢ ≤ Σᵢ₌₁ⁿ δᵢ ≤ 0.7 Σᵢ₌₁ˢ δᵢ, about the first 60% of the singular value mass (in descending order) is retained and the images are reconstructed from the retained values.
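A sketch of what such an SVD layer could compute per channel; `svd_defense` is a hypothetical helper name, and only the lower bound of the 0.6-0.7 window is enforced explicitly, on the assumption that with a fine-grained spectrum the smallest qualifying n also satisfies the upper bound:

```python
import numpy as np

def svd_defense(img, low=0.6):
    """Reconstruct one image channel from the first n singular values whose
    cumulative sum reaches the fraction `low` of the total sum."""
    U, d, Vt = np.linalg.svd(img, full_matrices=False)
    cum = np.cumsum(d) / d.sum()
    n = int(np.searchsorted(cum, low)) + 1   # smallest n with cum[n-1] >= low
    cleaned = U[:, :n] @ np.diag(d[:n]) @ Vt[:n, :]
    return cleaned, n

rng = np.random.default_rng(3)
img = rng.random((32, 32))                         # stand-in channel
adv = img + 0.02 * rng.standard_normal((32, 32))   # small "perturbation"
cleaned, n = svd_defense(adv)
# the reconstruction keeps the dominant structure and drops the spectrum
# tail, where the adversarial offset concentrates
```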

Result of clean image test
We first confirm whether these defense operations affect the recognition rate of normal images. The SVD operation has little effect on the recognition accuracy of normal images: the accuracy of the defense model on normal images is reduced by an average of 1.746%. A processed normal image is shown in Fig. 7.

Singular value analysis
Before testing the defense model, we first analyze the influence of singular value magnitude on image reconstruction and compare the singular values of normal images and adversarial examples. As shown in Fig. 8, the image reconstructed from the larger leading singular values is highly similar to the original image, and adding further singular values no longer changes it noticeably. We then compared the singular values of normal images with those of the corresponding adversarial examples, randomly sampling the singular values at 18 locations and plotting them in Fig. 9. The singular values in the middle and tail of the adversarial examples show a large offset compared with the normal images. We speculate that reconstructing the image from the relatively "pure" leading singular values helps the correct classification of adversarial examples.

Result of different attack scenario experiment
In this section, we evaluate the proposed method in different attack scenarios. Considering the actual situation, we perform poster-printing attacks and sticker attacks. In the poster-printing scenario, we follow the experiment of Kurakin et al. [25] and generate adversarial examples by the methods of section 2. Table 2 shows that the defense model effectively mitigates adversarial effects for poster-printing attacks. Especially when the defense strategy is combined with adversarial training, it performs very well on all attacks: adversarial examples achieve a very high attack rate on the target model but hardly pass the defense model.
In the sticker attack scenario, we generate physical perturbations in the form of stickers resembling graffiti or art on the signpost to misclassify the target model; the results are shown in Table 3. Both the sticker camouflage graffiti attack and the art attack are aggressive adversarial attacks, but they are easily mitigated by the defense model, which combines 5G technology and image singular value decomposition.

Result of comparison experiment
In this section, we compare our method with defenses based on generative adversarial networks [26], JPEG compression [12], and a hybrid image transformation that includes cropping, TVM, and quilting (hereinafter CTQ) [13]; the results are shown in Table 4. The target model is Inception-v4, and each method is evaluated in 5G, 4G, and offline modes. Compared with the other methods, SVD+5G has clear advantages. Importantly, the proposed method hardly requires prior knowledge and is well suited for deployment in the MEC node to support driverless cars and make them safer. Meanwhile, SVD+5G takes the least time, owing to the high bandwidth of 5G.

Discussion and limitation
In general, the proposed method works better when combined with 5G and mobile edge computing to improve the security of the driverless car. External factors such as weather and communication interference must be considered in practical applications. In one scenario, in extreme cases where the edge computing node cannot mitigate the adversarial examples by the proposed method, the unmanned vehicle should be told to switch to emergency mode and find the nearest safe location to park. In another, when the 5G signal is unavailable because of interference in a specific area, the unmanned vehicle should switch to 4G or 3G in a timely manner and restore the communication connection as soon as possible; during this period, it should also slow down or park in the nearest safe area. For a variety of reasons, our simulation experiments and data analysis are limited, but we will continue further research. All in all, the goal of the method is to minimize the impact of adversarial examples on driverless vehicles.

Conclusion
In this paper, we propose a singular value decomposition-based fast mechanism to mitigate adversarial examples in the physical world, especially in the field of automatic driving. We simulate the unmanned system and conduct experiments that verify the effectiveness of our defense method, training Google Inception-v4 deep neural networks against different attack methods under a variety of attack scenarios. The experimental results clearly indicate that images processed by the defense model effectively eliminate the perturbations of adversarial attacks on signposts that mislead driverless cars. Retaining the larger singular values of the pixel matrix helps to recover the "essential information" hidden in the image, which improves the robustness of the defense model. Meanwhile, the combined SVD+5G method greatly increases the cost to the adversary.
In addition, the proposed defense model is highly practical and easy to deploy in the MEC node, freeing unmanned equipment in the coverage area from adversarial attacks. In future work, we hope to extend the experiments to different IoT scenarios and to guarantee the secure and stable development of the intelligent IoT in the coming 5G era.