Purifying Adversarial Examples Using an Autoencoder

Thijs van Weezel; Famke van Ree; Tychon Bos; Patrick Bastiaanssen; Sibylle Hess

doi:10.1007/978-3-031-78980-9_9

Purifying Adversarial Examples Using an Autoencoder

Thijs van Weezel (Corresponding author)
, Famke van Ree
, Tychon Bos
, Patrick Bastiaanssen
, Sibylle Hess

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

Abstract

One of the most prominent security challenges to neural networks are adversarial examples - inputs with often barely perceptible perturbations causing misclassification. In this study, we propose a defense mechanism that uses an autoencoder to restore adversarial examples before classification. That is, the autoencoder purifies input data points from potential adversarial perturbations. The method is titled Autoencoder-based Adversarial Purification (AAP). We demonstrate the effectiveness of AAP on multiple datasets, attack methods, and perturbation levels. While certain limitations exist, this research offers valuable insights and a promising direction for robust defense mechanisms in adversarial deep learning.

Original language	English
Title of host publication	Discovery Science - 27th International Conference, DS 2024, Proceedings
Editors	Dino Pedreschi, Anna Monreale, Riccardo Guidotti, Francesca Naretto, Roberto Pellungrini
Publisher	Springer
Pages	134-148
Number of pages	15
ISBN (Electronic)	9783031789809
ISBN (Print)	9783031789793
DOIs	https://doi.org/10.1007/978-3-031-78980-9_9
Publication status	Published - 25 Jan 2025
Event	27th International Conference on Discovery Science, DS 2024 - Pisa, Italy Duration: 14 Oct 2024 → 16 Oct 2024

Publication series

Name	Lecture Notes in Computer Science
Volume	15244
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Name	Lecture Notes in Artificial Intelligence
Volume	15244

Conference

Conference	27th International Conference on Discovery Science, DS 2024
Country/Territory	Italy
City	Pisa
Period	14/10/24 → 16/10/24

Bibliographical note

Publisher Copyright:
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2025.

Keywords

adversarial attack
autoencoder
purification

Access to Document

10.1007/978-3-031-78980-9_9

Cite this

van Weezel, T., van Ree, F., Bos, T., Bastiaanssen, P., & Hess, S. (2025). Purifying Adversarial Examples Using an Autoencoder. In D. Pedreschi, A. Monreale, R. Guidotti, F. Naretto, & R. Pellungrini (Eds.), Discovery Science - 27th International Conference, DS 2024, Proceedings (pp. 134-148). (Lecture Notes in Computer Science; Vol. 15244), (Lecture Notes in Artificial Intelligence; Vol. 15244). Springer. https://doi.org/10.1007/978-3-031-78980-9_9

van Weezel, Thijs ; van Ree, Famke ; Bos, Tychon et al. / Purifying Adversarial Examples Using an Autoencoder. Discovery Science - 27th International Conference, DS 2024, Proceedings. editor / Dino Pedreschi ; Anna Monreale ; Riccardo Guidotti ; Francesca Naretto ; Roberto Pellungrini. Springer, 2025. pp. 134-148 (Lecture Notes in Computer Science). (Lecture Notes in Artificial Intelligence).

@inproceedings{2a163538c0bd40c38d5c121fb1137dce,

title = "Purifying Adversarial Examples Using an Autoencoder",

abstract = "One of the most prominent security challenges to neural networks are adversarial examples - inputs with often barely perceptible perturbations causing misclassification. In this study, we propose a defense mechanism that uses an autoencoder to restore adversarial examples before classification. That is, the autoencoder purifies input data points from potential adversarial perturbations. The method is titled Autoencoder-based Adversarial Purification (AAP). We demonstrate the effectiveness of AAP on multiple datasets, attack methods, and perturbation levels. While certain limitations exist, this research offers valuable insights and a promising direction for robust defense mechanisms in adversarial deep learning.",

keywords = "adversarial attack, autoencoder, purification",

author = "\{van Weezel\}, Thijs and \{van Ree\}, Famke and Tychon Bos and Patrick Bastiaanssen and Sibylle Hess",

note = "Publisher Copyright: {\textcopyright} The Author(s), under exclusive license to Springer Nature Switzerland AG 2025.; 27th International Conference on Discovery Science, DS 2024 ; Conference date: 14-10-2024 Through 16-10-2024",

year = "2025",

month = jan,

day = "25",

doi = "10.1007/978-3-031-78980-9\_9",

language = "English",

isbn = "9783031789793",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "134--148",

editor = "Dino Pedreschi and Anna Monreale and Riccardo Guidotti and Francesca Naretto and Roberto Pellungrini",

booktitle = "Discovery Science - 27th International Conference, DS 2024, Proceedings",

address = "Germany",

}

van Weezel, T, van Ree, F, Bos, T, Bastiaanssen, P & Hess, S 2025, Purifying Adversarial Examples Using an Autoencoder. in D Pedreschi, A Monreale, R Guidotti, F Naretto & R Pellungrini (eds), Discovery Science - 27th International Conference, DS 2024, Proceedings. Lecture Notes in Computer Science, vol. 15244, Lecture Notes in Artificial Intelligence, vol. 15244, Springer, pp. 134-148, 27th International Conference on Discovery Science, DS 2024, Pisa, Italy, 14/10/24. https://doi.org/10.1007/978-3-031-78980-9_9

Purifying Adversarial Examples Using an Autoencoder. / van Weezel, Thijs (Corresponding author); van Ree, Famke; Bos, Tychon et al.
Discovery Science - 27th International Conference, DS 2024, Proceedings. ed. / Dino Pedreschi; Anna Monreale; Riccardo Guidotti; Francesca Naretto; Roberto Pellungrini. Springer, 2025. p. 134-148 (Lecture Notes in Computer Science; Vol. 15244), (Lecture Notes in Artificial Intelligence; Vol. 15244).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Purifying Adversarial Examples Using an Autoencoder

AU - van Weezel, Thijs

AU - van Ree, Famke

AU - Bos, Tychon

AU - Bastiaanssen, Patrick

AU - Hess, Sibylle

N1 - Publisher Copyright: © The Author(s), under exclusive license to Springer Nature Switzerland AG 2025.

PY - 2025/1/25

Y1 - 2025/1/25

N2 - One of the most prominent security challenges to neural networks are adversarial examples - inputs with often barely perceptible perturbations causing misclassification. In this study, we propose a defense mechanism that uses an autoencoder to restore adversarial examples before classification. That is, the autoencoder purifies input data points from potential adversarial perturbations. The method is titled Autoencoder-based Adversarial Purification (AAP). We demonstrate the effectiveness of AAP on multiple datasets, attack methods, and perturbation levels. While certain limitations exist, this research offers valuable insights and a promising direction for robust defense mechanisms in adversarial deep learning.

AB - One of the most prominent security challenges to neural networks are adversarial examples - inputs with often barely perceptible perturbations causing misclassification. In this study, we propose a defense mechanism that uses an autoencoder to restore adversarial examples before classification. That is, the autoencoder purifies input data points from potential adversarial perturbations. The method is titled Autoencoder-based Adversarial Purification (AAP). We demonstrate the effectiveness of AAP on multiple datasets, attack methods, and perturbation levels. While certain limitations exist, this research offers valuable insights and a promising direction for robust defense mechanisms in adversarial deep learning.

KW - adversarial attack

KW - autoencoder

KW - purification

UR - https://www.scopus.com/pages/publications/85219196330

U2 - 10.1007/978-3-031-78980-9_9

DO - 10.1007/978-3-031-78980-9_9

M3 - Conference contribution

AN - SCOPUS:85219196330

SN - 9783031789793

T3 - Lecture Notes in Computer Science

SP - 134

EP - 148

BT - Discovery Science - 27th International Conference, DS 2024, Proceedings

A2 - Pedreschi, Dino

A2 - Monreale, Anna

A2 - Guidotti, Riccardo

A2 - Naretto, Francesca

A2 - Pellungrini, Roberto

PB - Springer

T2 - 27th International Conference on Discovery Science, DS 2024

Y2 - 14 October 2024 through 16 October 2024

ER -

van Weezel T, van Ree F, Bos T, Bastiaanssen P, Hess S. Purifying Adversarial Examples Using an Autoencoder. In Pedreschi D, Monreale A, Guidotti R, Naretto F, Pellungrini R, editors, Discovery Science - 27th International Conference, DS 2024, Proceedings. Springer. 2025. p. 134-148. (Lecture Notes in Computer Science). (Lecture Notes in Artificial Intelligence). doi: 10.1007/978-3-031-78980-9_9