Analysis of Defense Mechanisms Against FGSM Adversarial Attacks on ResNet Deep Learning Models Using the CIFAR-10 Dataset

  • Miranti Jatnika Riski Institut Teknologi Bandung
  • Krishna Aurelio Noviandri Institut Teknologi Bandung
  • Yoga Hanggara Institut Teknologi Bandung
  • Nugraha Priya Utama Institut Teknologi Bandung
  • Ayu Purwarianti Institut Teknologi Bandung
Keywords: deep learning, ResNet, adversarial attack, FGSM, CIFAR-10

Abstract

Adversarial attacks threaten the reliability of deep learning models in image classification, so effective defense mechanisms are required. This study evaluates how well defense distillation and adversarial training protect a ResNet18 model trained on CIFAR-10 against Fast Gradient Sign Method (FGSM) attacks. The baseline model reaches 85.01% accuracy on clean data, but its accuracy falls to 19.23% under an FGSM attack with epsilon 0.3. Defense distillation drops to 23.68% accuracy at epsilon 0.3, while adversarial training maintains 0.34% accuracy at epsilon 0.25, at the cost of reducing clean-data accuracy to 57.08%. Per-class analysis shows that classes with similar visual characteristics, such as cats and dogs, remain the most vulnerable to the attack. The results highlight the need for defenses that balance robustness against clean accuracy, and indicate that further work is required to improve model robustness.
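As an added illustration of the attack and the two training regimes the abstract compares (this is example code written for this page, not the authors' ResNet18/CIFAR-10 pipeline), the script below trains a logistic-regression classifier in pure Python on a constructed dataset with one robust feature and twenty weakly predictive features, attacks it with FGSM (x_adv = x + eps * sign(grad_x L)), and compares it with a copy trained on FGSM examples. The dataset, its parameters, the learning rate and the epsilon grid are assumptions chosen to reproduce in miniature the pattern reported above: the plainly trained model has the higher clean accuracy but collapses under attack, while the adversarially trained model gives up clean accuracy for robustness.

```python
"""FGSM attack, plain training and adversarial training on a logistic
classifier over constructed data (example code, not the paper's models)."""
import math
import random

# Constructed-data parameters (assumptions for this example, not from the paper).
N_NOISE = 20       # weakly predictive features: each has mean ETA*y and unit variance
ETA = 0.3          # small shift: useful for clean accuracy, but flipped by any eps > 2*ETA
P_ROBUST = 0.9     # the first feature equals the label with this probability
EPS_TRAIN = 0.5    # L-infinity budget used for adversarial training


def make_dataset(n, rng):
    """Labels y in {-1, +1}; x[0] is the robust feature, x[1:] the fragile ones."""
    xs, ys = [], []
    for _ in range(n):
        y = 1 if rng.random() < 0.5 else -1
        x1 = float(y if rng.random() < P_ROBUST else -y)
        xs.append([x1] + [rng.gauss(ETA * y, 1.0) for _ in range(N_NOISE)])
        ys.append(y)
    return xs, ys


def sigmoid(t):
    if t >= 0:
        return 1.0 / (1.0 + math.exp(-t))
    e = math.exp(t)
    return e / (1.0 + e)


def logit(w, b, x):
    return b + sum(wi * xi for wi, xi in zip(w, x))


def sign(v):
    return (v > 0) - (v < 0)


def fgsm(w, b, x, y, eps):
    """One FGSM step: x_adv = x + eps * sign(dL/dx) for the logistic loss
    L = log(1 + exp(-y z)), whose input gradient is -y * sigmoid(-y z) * w."""
    coef = -y * sigmoid(-y * logit(w, b, x))
    return [xi + eps * sign(coef * wi) for xi, wi in zip(x, w)]


def train(xs, ys, steps=200, lr=0.2, eps=0.0):
    """Full-batch gradient descent. With eps > 0 every example is replaced by
    its FGSM counterpart before the gradient is taken (adversarial training)."""
    d, n = len(xs[0]), len(xs)
    w, b = [0.0] * d, 0.0
    for _ in range(steps):
        gw, gb = [0.0] * d, 0.0
        for x, y in zip(xs, ys):
            if eps > 0:
                x = fgsm(w, b, x, y, eps)
            r = -y * sigmoid(-y * logit(w, b, x))   # dL/dz
            for i, xi in enumerate(x):
                gw[i] += r * xi
            gb += r
        w = [wi - lr * g / n for wi, g in zip(w, gw)]
        b -= lr * gb / n
    return w, b


def accuracy(w, b, xs, ys, eps=0.0):
    """Accuracy on clean inputs (eps=0) or on FGSM inputs crafted against (w, b)."""
    correct = 0
    for x, y in zip(xs, ys):
        if eps > 0:
            x = fgsm(w, b, x, y, eps)
        correct += (1 if logit(w, b, x) > 0 else -1) == y
    return correct / len(xs)


def run_experiment(eps_grid=(0.0, 0.1, 0.25, 0.3, 0.5)):
    """Accuracy-versus-epsilon curves for a plainly trained and an adversarially
    trained model, evaluated on the same held-out constructed test set."""
    rng = random.Random(7)
    xtr, ytr = make_dataset(300, rng)
    xte, yte = make_dataset(1000, rng)
    models = {"baseline": train(xtr, ytr),
              "adv_trained": train(xtr, ytr, eps=EPS_TRAIN)}
    return {name: {e: accuracy(w, b, xte, yte, e) for e in eps_grid}
            for name, (w, b) in models.items()}


if __name__ == "__main__":
    for name, curve in run_experiment().items():
        print(name, "  ".join(f"eps={e}: {a:.3f}" for e, a in curve.items()))
```

Because the model is linear, the FGSM perturbation lowers every example's margin by exactly eps times the L1 norm of the weights, so accuracy is monotonically non-increasing in eps for both models; adversarial training drives the weights on the fragile features toward zero, which is what buys the robustness and costs the clean accuracy. Unlike the image setting, these features have no valid range, so the script does not clip the perturbed input; an image pipeline would clip x_adv back into the pixel range after the FGSM step. The defense-distillation variant is not reproduced here because it needs a teacher network trained at a raised softmax temperature.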


Published: 2025-08-31

How to cite: Miranti Jatnika Riski, Krishna Aurelio Noviandri, Yoga Hanggara, Nugraha Priya Utama, & Ayu Purwarianti. (2025). Analysis of Defense Mechanisms Against FGSM Adversarial Attacks on ResNet Deep Learning Models Using the CIFAR-10 Dataset. Jurnal Sistem Cerdas, 8(2), 169–187. https://doi.org/10.37396/jsc.v8i2.527