A Mixed Adversarial Awareness Technique for Improving Neural Network Defense
DOI: https://doi.org/10.63158/journalisi.v8i3.1552
Keywords: Adversarial Example Detection, Noise-Aware Defense, Kernel Density Estimation, Bayesian Uncertainty, Neural Network Defense
Abstract
Neural Network (NN) models, particularly Convolutional Neural Networks (CNNs), have achieved remarkable performance in computer vision tasks but remain highly vulnerable to adversarial attacks. Existing defense techniques mainly focus on detecting adversarial examples and often show limited effectiveness when adversarial perturbations coexist with significant noisy inputs. To address this limitation, this study proposes a Mixed Adversarial Awareness Technique (MAAT) based on kernel density estimation and a Bayesian uncertainty estimator. Kernel density estimation is used to model data manifolds in the input subspace, while the Bayesian uncertainty estimator, inspired by the Dirichlet process, quantifies predictive uncertainty in the input space. The proposed technique was evaluated on three benchmark datasets, CIFAR-10, CIFAR-100, and SVHN, using four adversarial attack schemes, namely FGSM, BIM, JSMA, and C&W, as well as Gaussian noise injection. The LeNet ConvNet model was employed as the test classifier. Experimental results show that MAAT effectively flags adversarial and noisy instances, improving detection performance with AUC values ranging from 0.84 to 0.96, compared with 0.61 to 0.94 achieved by selected state-of-the-art techniques. These findings demonstrate that combining density-based manifold modeling with uncertainty estimation provides a robust defense against mixed adversarial and noisy inputs.
Copyright (c) 2026 Journal of Information Systems and Informatics

This work is licensed under a Creative Commons Attribution 4.0 International License.
Authors Declaration
- The Authors certify that they have read, understood, and agreed to the Journal of Information Systems and Informatics (JournalISI) submission guidelines, policies, and submission declaration. The submission has been prepared using the provided template.
- The Authors certify that all authors have approved the publication of this manuscript and that there is no conflict of interest.
- The Authors confirm that the manuscript is their original work, has not received prior publication, is not under consideration for publication elsewhere, and has not been previously published.
- The Authors confirm that all authors listed on the title page have contributed significantly to the work, have read the manuscript, attest to the validity and legitimacy of the data and its interpretation, and agree to its submission.
- The Authors confirm that the manuscript is not copied from or plagiarized from any other published work.
- The Authors declare that the manuscript will not be submitted for publication in any other journal or magazine until a decision is made by the journal editors.
- If the manuscript is finally accepted for publication, the Authors confirm that they will either proceed with publication immediately or withdraw the manuscript in accordance with the journal’s withdrawal policies.
- The Authors agree that, upon publication of the manuscript in this journal, they transfer copyright or assign exclusive rights to the publisher, including commercial rights.