Received February 27, 2022, accepted March 14, 2022, date of publication March 16, 2022, date of current

version March 31, 2022.

Digital Object Identifier 10.1109/ACCESS.2022.3160283

ARGAN: Adversarially Robust Generative

Adversarial Networks for Deep
Neural Networks Against
Adversarial Examples
SEOK-HWAN CHOI 1 , JIN-MYEONG SHIN1 , PENG LIU 2, (Member, IEEE),
AND YOON-HO CHOI 1 , (Member, IEEE)
1 School of Computer Science and Engineering, Pusan National University, Busan 46241, Republic of Korea
2 College of Information Sciences and Technology, Pennsylvania State University, State College, PA 16801, USA
Corresponding author: Yoon-Ho Choi ([email protected])
This work was supported in part by BK21 FOUR, the Korean Southeast Center for the 4th Industrial Revolution Leader Education, in part
by the National Research Foundation of Korea (NRF) Grant by the Korean Government (MSIT) under Grant NRF-2021R1F1A1049655,
and in part by the Institute of Information and Communications Technology Planning and Evaluation (IITP) Grant by the Korean
Government (MSIT) (Regional strategic industry convergence security core talent training business) under Grant 2019-0-01343.

ABSTRACT An adversarial example, which is an input instance with small, intentional feature perturbations
to machine learning models, represents a concrete problem in Artificial intelligence safety. As an emerging
defense method to defend against adversarial examples, generative adversarial networks-based defense
methods have recently been studied. However, the performance of the state-of-the-art generative adversarial
networks-based defense methods is limited because the target deep neural network models with generative
adversarial networks-based defense methods are robust against adversarial examples but make a false
decision for legitimate input data. To solve the accuracy degradation of the generative adversarial networks-
based defense methods for legitimate input data, we propose a new generative adversarial networks-based
defense method, which is called Adversarially Robust Generative Adversarial Networks(ARGAN). While
converting input data to machine learning models using the two-step transformation architecture, ARGAN
learns the generator model to reflect the vulnerability of the target deep neural network model against
adversarial examples and optimizes parameter values of the generator model for a joint loss function. From
the experimental results under various datasets collected from diverse applications, we show that the accuracy
of ARGAN for legitimate input data is good-enough while keeping the target deep neural network model
robust against adversarial examples. We also show that the accuracy of ARGAN outperforms the accuracy
of the state-of-the-art generative adversarial networks-based defense methods.

INDEX TERMS Adversarial examples, adversarial perturbation, deep neural networks (DNNs), security.

I. INTRODUCTION bations, adversarial example largely changes the output value

As a severe security problem of deep learning technology, the given by neural networks. As a result, this kind of security
notion of adversarial example was introduced in 2013 [1]. problem for the target deep neural network (DNN) model
With the evolution of deep learning technology, adversarial causes severe damage to the artificial intelligent (AI) systems
example has recently been highlighted as the most severe such as self-driving systems [3], bio-medicine systems [4],
problem of deep learning technology [2]. While modifying and user authentication systems [5]–[8] which are sensitive
legitimate input data with slight human-imperceptible pertur- to small variation in accuracy.
To defend the target DNN model against adversarial
The associate editor coordinating the review of this manuscript and examples, generative adversarial networks (GANs)-based
approving it for publication was Ilsun You . defense methods have actively been studied as an emerging
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License.
33602 For more information, see https://creativecommons.org/licenses/by-nc-nd/4.0/ VOLUME 10, 2022
S.-H. Choi et al.: ARGAN: ARGAN for DNNs Against Adversarial Examples
effective defense technology [9], [10]. The existing GAN-
based defense methods are grouped into one of two types
of architectures according to the design purpose of the
generator, i.e., noise generation architecture and noise
reduction architecture. Note that given a training dataset,
GAN learns to generate new data with the same statistics as
the training dataset using two deep networks, which are the
generator and the discriminator. The generator in the noise
generation architecture produces the corrupted input data.
While training DNN models by using both the corrupted
input data and legitimate input data, the noise generation
architecture makes DNN models robust against adversarial
examples [11], [12]. On the other hand, the generator in the
noise reduction architecture produces the purified input data
whose data distribution is close to the legitimate input data
distribution [13], [14]. Thus, the noise reduction architecture
results in reducing the perturbation of adversarial examples
before feeding input data into the target DNN model.
However, the accuracy of such GAN-based defense meth-
ods can decrease when predicting or classifying legitimate
input data. This is because GAN-based defense methods
using the noise generation architecture or the noise reduction
architecture use the slightly modified input data, i.e., the
corrupted input data in the noise generation architecture and
the purified input data in the noise reduction architecture.
While the target DNN model is robust against adversarial
examples due to the modified input data, it can make wrong
decision for legitimate input data and thus, generates the
false positives for legitimate input data. If such GAN-
based defense methods which cause the wrong decision are
used at self-driving systems, bio-medicine systems, and user
authentication systems [6]–[8] which are sensitive to small
accuracy variation, significant side effects can be caused.
To solve the accuracy degradation of the existing GAN-
based defense methods for legitimate input data while
keeping the target DNN model robust against adversarial
examples, we propose a new GAN-based defense method,
which is called Adversarially Robust GAN (ARGAN).
Similar to EEJE [15], the proposed ARGAN architecture is
designed following two-step transformation of input data to
the target DNN model. That is, in the first transformation
step, the noise data is added into the input data to the
target DNN model and in the second transformation step,
the inverse noise data is added to eliminate the influence
of the noise added from the first transformation step on
the output. However, ARGAN is designed using a black-
box transformation method different from a white-box
transformation method of EEJE. That is, while EEJE requires
knowledge of the network architecture, weight values and
other parameters of the target DNN model when generating
the noise data in the first transformation step, ARGAN
does not require complete knowledge of model because it
uses a pre-trained generator as the transformation method.
Specifically, in the first transformation step, the generator
produces the robust input data against adversarial examples
while reflecting the vulnerability of the target DNN model
VOLUME 10, 2022
to adversarial examples and presenting a new joint loss
function to optimize the parameter values of the generator.
In the second transformation step, the robust input data are
transformed into feeding input data to the target DNN model
using the additive inverse of the generator.
Compared to the other state-of-the-art GAN-based defense
methods, ARGAN shows the good accuracy for both
legitimate input data and adversarial examples. From the
experimental results under various datasets collected from
diverse applications, we show that the accuracy of ARGAN
for legitimate input data is good-enough while keeping the
DNN model robust against adversarial examples. We also
show that the accuracy of ARGAN outperforms the accuracy
of the state-of-the-art GAN-based defense methods using
noise generation architecture and noise reduction archi-
tecture, e.g., Gandef [12], Defense-GAN [13] and APE-
GAN [14].
The rest of the paper is organized as follows. In section II,
the authors overview the well-known adversarial attacks and
the state-of-the-art GAN-based defense methods. Also the
authors describe the motivation of this paper. In section III,
the authors describe the threat model, the overall operation
and the details of ARGAN. In section IV, the authors
verify the effectiveness(accuracy) of ARGAN from various
experimental results under different adversarial attacks,
different datasets and so on. Finally, the authors conclude this
paper in section V.
II. PRELIMINARIES AND RELATED WORKS
In this section, after introducing well-known adversarial
attacks, we overview previous GAN-based defense methods.
We also describe the motivation for considering a new GAN-
based defense method by explaining the limitations of the
previous GAN-based defense methods.
A. ADVERSARIAL ATTACKS
In this section, we summarize the characteristics of four
adversarial attacks [16]–[19], which are frequently used for
performance verification in many defense methods.
Based on linearization of cost functions, Fast Gradient Sign
Method (FGSM) generates adversarial examples using the
sign of the gradient to increase loss of DNN models [16].
FGSM is a simple and fast adversarial attacks, but it often
makes sub-optimal perturbations. To resolve the problem
of FGSM, Projected Gradient Descent (PGD) generates
adversarial examples using several gradient updates for
the fine optimization [17]. To perform fine optimization
efficiently, PGD performs iterative gradient updates from
randomly selected an initial point. To calculate minimal
perturbation, DeepFool used the iterative linearization of the
target DNN model [18]. In each iteration, the adversarial
perturbation is updated to reach the decision boundary
closest to the input data X . To increase attack success rate
while calculating the minimum perturbation, C&W generates
adversarial examples based on various distance metrics such
as L0 , L∞ and L2 norm [19]. In this paper, only L2 type of
33603

C&W method (CW) is considered as a representative method
because it is most frequently mentioned in other works [20],
[21].
B. GAN-BASED DEFENSE METHODS
1) GAN-BASED DEFENSE METHODS USING NOISE
GENERATION ARCHITECTURE
To make DNN models more robust against adversarial
examples, the noise generation architecture uses the GANs
to train the robust DNN model or retrain the current deployed
DNN models.
Lee et al. used a GAN framework to make a DNN
model more robust against adversarial examples [22]. They
trained the generator to produce data corresponding to the
weaknesses of the target DNN model, and retrained the
DNN model using the data produced by the generator.
Liu and Hsieh proposed a training framework, called Rob-
GAN, based on the insight that adversarial training and
GANs complement each other [23]. In Rob-GAN, the
generator and the discriminator are jointly optimized in
the presence of adversarial attacks. Sun et al. used GAN-
based data augmentation approach to improve the adversarial
training [11]. They designed the generator to produce
boundary samples for the target DNN model, and used the
produced boundary samples for adversarial training. Liu et al.
proposed GanDef, which is a GAN-based adversarial training
method that utilizes a discriminator as the regularization of
the feature selection [12]. Even though these defense methods
provided good robustness against adversarial examples, they
require a lot of costs while training the new robust DNN
models or retraining the current deployed DNN models.
2) GAN-BASED DEFENSE METHODS USING NOISE
REDUCTION ARCHITECTURE
To make adversarial examples less threatened, the noise
reduction architecture reduces perturbation of adversarial
examples before feeding into DNN model.
Samangouei et al. proposed a defense method utilizing
GANs, called Defense-GAN, to make the generator distribu-
tion closer to the data distribution [13]. To find the input data
of generator, they performed the gradient descent iteratively.
Defense-GAN especially worked well for the black-box
attack as well as the white-box attack. Shen et al. proposed the
APE-GAN, which eliminate the adversarial perturbation of
the input data using GANs [14]. They designed the generator
loss that combines content loss and adversarial loss to make
the adversarial examples highly consistent with legitimate
data distribution. APE-GAN worked well without knowledge
of architecture and parameters of the target DNN model.
Santhanam and Grnarova proposed a GAN-based defense
method, called cowboy, for detection and purification of
adversarial examples [24]. They used a discriminator to detect
the adversarial examples, and used a generator to purify
the detected adversarial examples. Also, they showed that
adversarial examples lie outside of the data distribution.
33604
S.-H. Choi et al.: ARGAN: ARGAN for DNNs Against Adversarial Examples
Su et al. proposed a new training framework for GANs
to remove the adversarial perturbation in face verification
field [25]. To improve the performance of the generator,
they used two pre-trained classification networks instead
of a discriminator. Hwang et al. proposed a Variational
Autoencoder(VAE)-based defense method, called PuVAE,
to purify adversarial examples [26]. They used a dilated
Convolutional Neural Networks(CNNs) as a generator to
prevent the information loss from feature selection. Given
a reasonable time constraints, PuVAE showed outstanding
performance compared to Defense-GAN.
3) LIMITATION OF PREVIOUS GAN-BASED DEFENSE
METHODS
Some artificial intelligent systems such as a cloud-based
user authentication system can be exposed to adversarial
examples. In other words, the adversary can perform an
adversarial attack to change the output of DNN model f (·).
When the adversarial attack h(·) and a legitimate input data
X is given, the objective function of the adversary can be
expressed into:
min Pr(l 0 = l)
h(·)
s.t. l 0 = f ◦ h(X ),
l = f (X ). (1)
To defend against adversarial examples h(X ) in Equation 1,
the artificial intelligence system can apply a defense method.
For example, let us consider the artificial intelligence
system that applies GAN-based defense method using noise
reduction architecture as a defense method. To preserve the
output of DNN model f (·), the generator G in the noise
reduction architecture transforms the adversarial example
into the purified input data. When the adversarial attack h(·)
and a legitimate input data X is given, the objective function
of the defense method can be expressed into:
max Pr(l 0 = l)
G(·)
s.t. l 0 = f ◦ G ◦ h(X ),
l = f ◦ G(X ). (2)
However, since such defense method transforms even the
legitimate input data X while removing perturbations of
adversarial examples, it may decrease the accuracy of the
artificial intelligence system for the legitimate input data.
The decrease in accuracy for the legitimate input data may
be more sensitive than the increase in robustness for the
adversarial examples in specific applications, such as self-
driving car and user authentication. In other words, the
small decrease in accuracy for the legitimate input data can
determine whether to apply defense methods for adversarial
examples.
For a more specific explanation of why the accuracy
for legitimate input data is decreased, let us consider the
artificial intelligence system that applies APE-GAN, which
is a representative method of noise reduction architecture,
VOLUME 10, 2022
S.-H. Choi et al.: ARGAN: ARGAN for DNNs Against Adversarial Examples
FIGURE 1. Ten legitimate images randomly selected from CIFAR-10 test dataset, where each image is transformed using APE-GAN.
FIGURE 2. Data distribution of legitimate input data and feeding input
data to the target DNN model under no adversarial attacks. Here,
1000 test data randomly selected from CIFAR-10 test dataset were used
for input data on ResNet-20 model and the term ‘Euclidean similarity’
represents the average euclidean similarity between legitimate input data
and feeding input data.
as a defense method. Some examples of APE-GAN from
CIFAR-10 test dataset [27] under no adversarial attacks are
shown in Fig. 1. Here, the legitimate input data represents the
randomly selected samples for each class, the feeding input
data represents the transformed input data by APE-GAN and
the difference represents difference in the legitimate input
data and the feeding input data. From ‘‘difference’’ in Fig. 1,
it is observed that most of the pixels of the legitimate input
data are transformed by APE-GAN even though adversarial
attacks do not occur. Note that the transformed pixels corrupt
key features that directly affect classification. In Fig. 2,
we show the data distribution of legitimate input data and
feeding input data. It is observed that data distribution of the
feeding input data, transformed by APE-GAN, is different
from that of the legitimate input data. Such difference causes
the degradation of classification accuracy. These observations
motivate us to seek a new GAN-based defense method which
provides the good accuracy not only for the adversarial
example but also for the legitimate input data.
III. PROPOSED METHOD
In this section, we overview the operation of ARGAN in
detail. First, after introducing the targeted threat model, the
overall operation and the objective function of ARGAN
VOLUME 10, 2022
are described. Next, we describe the GAN architecture of
ARGAN along with a joint loss consisting of adversarial
loss, distance loss and target loss. Finally, each operation of
ARGAN is described with specific examples in detail.
A. THREAT MODEL
Let us consider a cloud-based user authentication system
for Machine Learning as a Service(MLaaS). By using the
trained DNN model, the cloud-based user authentication
systems such as SMARTLET [6], FACECUBE [7], and
MOCHA [8] predict the identity of the transmitted face
image. In the legitimate situation without adversarial attacks,
a user face image is taken by IP camera or smartphone
at the client. The user face image is transmitted to the
cloud-based face recognition server through either the
unencrypted or encrypted session. As a result, the cloud-
based face recognition server returns a normal prediction
result. However, under the man-in-the-middle(MITM) threat,
an adversary secretly alters the communications between two
parties who believe that they are directly communicating
with each other [28]. Even though the user face image is
transmitted through the encrypted session, an adversary still
can easily bypass it using state-of–the-art MITM threats
based on Renegotiation, Version Rollback and so on [29],
[30]. After the legitimate session between the client and
the cloud-based face recognition server is altered through
an MITM attack, the adversary modifies the legitimate face
image with slight perturbations. Here, it is assumed that the
adversary has complete access to target DNN model in cloud
server. In other words, the adversary can get the architecture
and parameters of target DNN model. As a result, adversary
can relay the perturbed face image to the cloud-based face
recognition server instead of the legitimate face image. Since
the outputs given by neural networks for the legitimate face
image and the perturbed face image are largely different,
the cloud-based face recognition server returns an abnormal
prediction result.
In this threat model, the goal of the defender is to provide
the robustness against adversarial attacks. It is assumed that
the defender can be the administrator of the cloud-based
face recognition server. Also it is assumed that the defender
33605

has trained the defense model for their system and has pre-
deployed it to the IP camera or smartphone at the client.
B. OVERALL OPERATION OF ARGAN
Different from the previous GAN-based defense methods,
ARGAN performs two-step input transformation before feed-
ing the input data into DNN models. The first transformation
is performed on the client side and the second transformation
is performed on the cloud server side. Overall defense
operation procedures are as follows:
1) The client performs the first transformation which
transforms the legitimate input data X into the robust
input data Xr using the generator G before transmitting
the data to the cloud server.
2) The cloud server performs the second transformation,
which restores the key features corrupted by the
generator G in the first transformation before feeding
the data to the DNN model.
When the adversarial attack h(·) and a legitimate input data
X are given, the objective function of ARGAN is expressed
into:
min max Pr(l 0 = l) + kXf −X k2
Xf G(·)
0 −1
s.t. l = f ◦ G ◦ h ◦ G(X ),
l = f ◦ G−1 ◦ G(X ) = f (X ), (3)
where G(·) is the first transformation performed by the gen-
erator on the client side, G−1 (·) is the second transformation
performed on the server side, and kXf −X k2 is a difference
in Xf and the legitimate input data X . Here, Xf represents a
feeding input data of DNN model and is defined as follow
according to whether adversarial attack h(·) occurs:
( The adversarial loss ladv measures the discriminator error
G−1 ◦ h ◦ G(X ), if h(·) is occurred;
Xf = (4)
G ◦ G(X ) = X , otherwise.
−1
Note that, different from the previous GAN-based defense
methods, ARGAN shows the good accuracy for legitimate
input data. As shown in Equations. 3 and 4, if adversarial
attack h(·) do not occur, DNN models in ARGAN return the
same result as DNN model with no defense method. This
is because the second transformation, G−1 (·), is the additive
inverse of the first transformation G(·) for a legitimate input
data X .
C. GAN ARCHITECTURE OF ARGAN
The goal of ARGAN is to provide the accuracy for legitimate
input data is good-enough while keeping the DNN model
robust against adversarial example.
To achieve this, the generator of ARGAN is designed by
reflecting the vulnerability of target DNN model. That is, the
generator of ARGAN learns the distribution of robust input
data Xr and produces the robust input data Xr with a given X
as its input data. Here, the robust input data Xr is defined as
follow:
Definition 1 (Robust Input Data): Let X be a given input
data and f be a target DNN model. Let H be a set of
33606
S.-H. Choi et al.: ARGAN: ARGAN for DNNs Against Adversarial Examples
adversarial attacks, say H = {FGSM, PGD, DeepFool, C&W
}, it is said to the robust input data Xr if it has the following
characteristic:
arg max f · p−1 · h(Xr )
= arg max f (X ) for ∀h ∈ H
s.t. Xr = p(X ), (5)
where p(·) is a conversion function which adds the random
noise to the input data X , and p−1 (·) is an inverse function of
p(·), which restores the input data X transformed by p(·). Note
that it is difficult for random noise to satisfy Definition 1 for
all H . Therefore, we obtained Xr through several experiments
using various sizes and types of noise.
On the other hand, a discriminator of ARGAN is trained
to distinguish the transformed input data G(X ) by generator
from robust input data Xr . In other words, a discriminator
encourages the transformed input data G(X ) to better reflect
the features of the robust input data Xr . Thus, the generator
and discriminator of ARGAN is defined to solve the
adversarial zero sum problem as follow:
min max [EXr ∼pdata (Xr ) log DθD (Xr )
θG θD
− EX ∼pdata (X ) log(DθD (GθG (X )))], (6)
where θG and θD represent the parameters of generator G and
discriminator D, respectively.
In Equation 6, the parameter θG can be obtained by
optimizing the generator loss function. Here, the generator
loss function lG is defined as a joint loss consisting of a
adversarial loss, a distance loss and a target loss as shown
in Fig. 3.
for the transformed input data G(X ) and is calculated as
follow:
ladv = 1 − log(D(G(X )), (7)
which encourages the generator distribution to match the
robust input data distribution for N number of training data.
The distance loss ldist measures the difference between the
transformed input data G(X ) and the robust input data Xr and
is calculated as follow:
ldist = d(G(X ), Xr ), (8)
where d(·) is a distance function that measures the similarity
between the transformed input data G(X ) and the robust input
data Xr . The L2 distance is used so that G(X ) matches Xr even
the key features. That is, the distance loss ldist encourages
the internal representation of the transformed input data G(X )
match to that of the robust input data Xr .
The target loss ltarget measures the error of the target DNN
model and is calculated as follow:
ltarget = log(f (r(G(X )) − (G(X ) − X ), y)), (9)
where f (·) is a target DNN model, y is a class of the legitimate
input data X and r(·) is a random noise addition function
VOLUME 10, 2022
 S.-H. Choi et al.: ARGAN: ARGAN for DNNs Against Adversarial Examples

FIGURE 3. Overall GAN architecture of ARGAN.

Algorithm 1 Client Side Operation Algorithm 2 Cloud Server Side Operation

Input: Input Data D Input: Xt , Pr
1 if isPreprocess then 11 if isEncryption then
2 X = preprocess(D) 12 Xr = decryption(Xt )
3 else 13 else
4 X =D 14 Xr = Xt
5 Xr = generate(X ) /* First transformation */ 15 Xf = Xr .remove(Pr ) /* Second transformation
6 Pr = Xr .remove(X ) if isEncryption then * /
7 Xt = encryption(Xr ) 16 R = evaluate(model, Xf )
8 else 17 if isEncryption then
9 Xt = Xr 18 Rt = encryption(R)
10 transmit(Server, Xt , Pr ) 19 else
20 Rt = R
21 transmit(Client, Rt )
that reflects the various vulnerabilities of target DNN model.
Here, r(G(X )) is not equal to G(X ) + r because all values of
r(G(X )) lies between 0 and 1 but some values of G(X ) + r D. CLIENT SIDE OPERATION
can exceed 1. In other words, the target loss encourages the The client performs the pre-processing and the first transfor-
generator to produce the robust input data which are resistant mation which transforms the legitimate input data X into the
to the adversarial attacks by reflecting the vulnerability of robust input data Xr using the generator G before transmitting
the target classifier while minimizing the impact on the the data to the cloud server. The operational details are shown
performance of the target classifier. in Algorithm 1. First, the client performs pre-processing for
Consequently, the generator loss function lG is defined as efficient analysis (Lines 1 to 4). For example, the client can
a weighted summation of the three loss functions: cut out unnecessary portions of the input data and resize it.
To make the legitimate input data X resistant to adversarial
lG = αladv + βldist + γ ltarget , (10)
attacks, the client transforms the legitimate input data X into
where α, β and γ are hyperparameters to control the training the robust input Xr using the generator of ARGAN (Line 5).
process. After performing experiments with various values of Also, the client calculates the perturbation Pr that is used
α, β and γ , we set the value of α, β and γ to 0.7, 0.3 and 0.2, to restore at the cloud server (Line 6). Before transmitting
respectively. to the cloud server, the client encrypts Xr to Xt if the client
On the other hand, the parameter θD can be obtained by communicates with the cloud server through the encrypted
optimizing the discriminator loss function. The goal of the connection (Line 7 to 10). Finally, the client transmits Xt and
discriminator is to distinguish between the transformed input Pr to the cloud server (Line 11).
data G(X ) by generator and the robust input data Xr . Thus,
the discriminator loss function lD can be defined as follow: E. CLOUD SERVER SIDE OPERATION
N
X The cloud server performs the second transformation, which
lD = − [log DθD (Xr ) + log DθD (GθG (X ))]. (11) restores the key features corrupted by the generator G in
n=1 the first transformation before feeding the data to the DNN

VOLUME 10, 2022 33607


FIGURE 4. Operational example of ARGAN under no adversarial attacks.
model. The operational details of the cloud server are shown
in Algorithm 2. After decrypting (or not) the input data Xt
transmitted from the client (Lines 1 to 4), the cloud server
performs the second transformation using the perturbation Pr
(Line 5). Pr is the additive inverse of the first transformation
and used to restore the key features. Here, the cloud server
does not know whether an adversarial attack has occurred.
If the adversarial attack does not occur, the legitimate input
data X is restored due to the inverse relationship between the
first transformation and the second transformation. Even if
the adversarial attack occurs, most of the key features are
restored by the second transformation. This is because the
key features which affect classification are already corrupted
by the generator, and it causes the magnitude of perturbation
added by the adversary to the robust input data Xr to be
smaller than the magnitude of perturbation added to the
legitimate input data X . After analyzing the feeding input data
Xf using DNN model (Line 6), the cloud server transmits the
encrypted analysis result Rt to the client (Lines 7 to 11).
F. OPERATIONAL EXAMPLE
In this section, we show some examples of how ARGAN
works using CIFAR-10 test dataset.
In Fig. 4a, we show an example of ARGAN for a truck
sample under no adversarial attacks. Before transmitting
to the cloud server, the client transforms a truck sample
and calculates the perturbation. Then, the client transmits
a transformed truck sample and a calculated perturbation
to the cloud server. The cloud server restores the truck
sample in the second transformation and feeds it to DNN
model to produce prediction result. Here, the DNN model
33608
S.-H. Choi et al.: ARGAN: ARGAN for DNNs Against Adversarial Examples
produces correct prediction result because the truck sample is
completely restored at the second transformation. In Fig. 4b,
we also show some examples of ARGAN in the CIFAR-10
test dataset under no adversarial attacks. Here, the legitimate
input data represents the randomly selected samples for each
class, the feeding input data represents the restored input
data by ARGAN. From the ‘difference’ row in Fig. 4b,
it is observed that there is no difference between the
legitimate input data and the feeding input data because each
legitimate input data is completely restored by the second
transformation.
In Fig. 5a, we show a example of ARGAN for a truck
sample under DeepFool adversarial attack. The operation of
the client is the same as Fig. 4a. However, in this example,
the adversary generates the adversarial example for the
truck sample using DeepFool and transmits it to the cloud
server. Here, the magnitude of perturbation added by the
adversary is very small because the key features which affect
prediction are already corrupted when the client performs
the first transformation. Then, the cloud server performs
the second transformation for the adversarial example and
feeds it to DNN model. Even if the cloud server performs
the second transformation for the adversarial example, the
DNN model produces correct prediction result. This is
because most of the key features are restored at the second
transformation. In Fig. 5b, we also show some examples
of ARGAN in the CIFAR-10 test dataset under DeepFool
adversarial attack. As shown in the ‘difference’ row in Fig. 5b,
it is also observed that there is still no large difference
between the legitimate input data and the feeding input data
because the legitimate input data are restored by the second
transformation.
VOLUME 10, 2022
S.-H. Choi et al.: ARGAN: ARGAN for DNNs Against Adversarial Examples
FIGURE 5. Operational example of ARGAN under DeepFool adversarial attack.
IV. EVALUATION RESULTS
To show the effectiveness of ARGAN, we measured the
performance of ARGAN under various conditions including
various dataset and different adversarial attacks [16]–[19].
Specifically, the performance of ARGAN is evaluated by
answering the following questions:
• Does ARGAN show the better performance than the
other state-of-the-art defense methods?
• Does ARGAN show the good performance under
various datasets collected from diverse applications?
• How do different combinations of loss functions influ-
ence on the performance of ARGAN?
• Does ARGAN satisfy the basic sanity tests?
• Does ARGAN show the good performance under
adaptive attack scenario?
A. EXPERIMENTAL ENVIRONMENT
When evaluating the performance of ARGAN, the exper-
iments are performed using the CIFAR-10 color image
dataset [13]. CIFAR-10 dataset consists of 50,000 train-
ing images and 10,000 testing images corresponding to
VOLUME 10, 2022
10 classes. We used randomly selected 1000 data instances
from CIFAR-10 test dataset.
When measuring the influence of different adversarial
attacks on ARGAN and other defense methods, the parameter
values are set as follows: (1) 0.3 for the magnitude of
perturbation () in FGSM; (2) 10 and 0.3 for the number of
iterations (N ) and , respectively, in PGD; (3) 50 and 0.02 for
the maximum number of iterations and overshoot to prevent
updates from vanishing, respectively, in DeepFool; and (4)
0 for the parameter to control the confidence value(κ) in
C&W’s method. These parameter values are set following
the recommended configuration values from the cleverhans
library [32] and some representative works [20], [33].
The classification models are implemented using
TensorFlow-gpu version 1.15.1 and Python version 2.7.15,
and performed adversarial attacks by using the cleverhans
software library, which provides standardized reference
implementations of adversarial examples [32]. For the
efficient experiments, the performance is measured on the
Ubuntu 18.04.1 LTS machine with kernel version 4.15.0-36-
generic, 2.40GHz CPU clock(Intel Xeon CPU E5-2630 v3),
GeForce GTX 2080 Ti, and 32GB memory.
33609

TABLE 1. Comparison results with Gandef and APE-GAN using CIFAR-10 dataset.
FIGURE 6. Data distribution of legitimate input data and feeding input data under various adversarial attacks.
B. EXPERIMENTAL ANALYSIS
1) DOES ARGAN SHOW THE BETTER PERFORMANCE THAN
THE OTHER STATE-OF-THE-ART DEFENSE METHODS?
To compare the performance of ARGAN with other state-
of-the-art GAN-based defense methods, we measured the
classification accuracy of the Gandef [12] using noise
generation and APE-GAN [14] using noise reduction. Since
most of the-state-of-the-art GAN-based defense methods do
not provide implementation guidance, Gandef and APE-GAN
are selected for comparison with ARGAN. For GanDef,
we used ZK-GanDef [31] which adds a gaussian perturbation
with mean µ = 0 and standard deviation σ = 1. For APE-
GAN, we used FGSM, PGD, DeepFool and C&W method to
generate adversarial input data.
In Table 1, it is observed that the classification accuracy
of GanDef and APE-GAN decreased for legitimate input
data. For example, while the classification accuracy of
GanDef and APE-GAN decreased by as much as 80.12% and
33610
S.-H. Choi et al.: ARGAN: ARGAN for DNNs Against Adversarial Examples
29.5%, respectively, ARGAN showed the same classification
accuracy by as much as 90.93% under no adversarial attacks.
Also, ARGAN showed higher classification accuracy against
various adversarial attacks than GanDef and APE-GAN. Even
though GanDef showed the higher classification accuracy
than ARGAN against FGSM, the classification accuracy of
GanDef against PGD, DeepFool and C&W perturbations
was lower than ARGAN. Especially, GanDef showed signif-
icantly lower classification accuracy than ARGAN against
state-of-the-art adversarial attacks such as DeepFool and
C&W method. Also, the classification accuracy of APE-GAN
showed lower classification accuracy against most of the
adversarial attacks than ARGAN.
In Fig. 6, it is observed that the comparison results with
APE-GAN for the data distribution of the legitimate input
data and the feeding input data. Under no adversarial attacks
as shown in Fig. 6a, ARGAN showed the better similarity
of the data distribution than APE-GAN. Here, a Euclidean
VOLUME 10, 2022
S.-H. Choi et al.: ARGAN: ARGAN for DNNs Against Adversarial Examples

TABLE 2. Comparison results with Gandef and APE-GAN using MNIST dataset.

similarity of 1 means that the legitimate input data and the TABLE 3. Comparison results with Defense-GAN and APE-GAN using
CelebA dataset.
feeding input data are perfectly the same. In other words,
it means ARGAN can restore legitimate input data perfectly.
Also it is observed that ARGAN shows the better similarity
of the data distribution for most adversarial attacks than APE-
GAN. Especially, as shown in Fig. 6(d) and Fig. 6(e), the data
distribution of feeding input data in ARGAN for the state-
of-the-art adversarial examples generation methods, such as
DeepFool and C&W methods, are almost similar to that of
legitimate input data.
Result 1: ARGAN showed good outputs for legitimate
input data as well as adversarial examples than state-of-
the-art defense methods. These observations imply that
ARGAN can be used as a stand-alone defense method
against various adversarial attacks.

2) DOES ARGAN SHOW THE GOOD PERFORMANCE UNDER

VARIOUS DATASETS COLLECTED FROM DIVERSE
APPLICATIONS?
To show how effective ARGAN is under various datasets,
additional experiments are performed using MNIST
dataset [34] and CelebA dataset [35]. MNIST dataset is
grayscale hand-written digits dataset and consists of 60,000
training images and 10,000 testing images corresponding
to 10 classes. CelebA dataset is one of the most widely
used dataset for facial attributes classification and consists
of 162,770 training images and 19,867 testing images
corresponding to 2 classes(Gender).
For MNIST dataset, the classification accuracy of ARGAN
is compared with Gandef [12] and APE-GAN [14]. In Table 2,
only ARGAN showed the same classification accuracy for
legitimate input data. Also, ARGAN still showed higher
classification accuracy against state-of-the-art adversarial
attacks such as DeepFool and C&W method. For example,
while Gandef and APE-GAN against DeepFool showed
the classification accuracy as much as 7.47% and 42.5%,
respectively, ARGAN showed the classification accuracy
by as much as 98.3%. However, ARGAN showed lower
classification accuracy against adversarial attacks with large
perturbation such as FGSM and PGD. The reasons are as
follows: ARGAN transforms the input data to reduce the
magnitude of perturbation added by the adversary. Such
transformation of ARGAN is effective for the adversarial
attacks, such as DeepFool and C&W methods, which are
aimed at adding minimal perturbation. However, it is less
FIGURE 7. Some examples from CelebA test dataset under various
adversarial attacks.
effective for the adversarial attacks, such as FGSM and
PGD, which add a random amount of perturbation (relatively
large) within a threshold. On the other hand, since GanDef
retrains DNN model using relatively large perturbation, such
as Gaussian noise, it is effective for FGSM and PGD, but
is less effective for DeepFool and C&W. Even GanDef
showed lower classification accuracy for DeepFool than non-
defense. In the case of APE-GAN, it showed the higher
classification accuracy for FGSM and PGD than ARGAN,
but the classification accuracy of APE-GAN significantly
decreased for legitimate input data.
For CelebA dataset, the classification accuracy of ARGAN
is compared with Defense-GAN and APE-GAN. Also, only
the C&W method is considered because the magnitude
of perturbation generated by FGSM, PGD, and DeepFool
is so large that it can be easily detected as shown in
Fig. 7. Here, we need to know that such attacks performed
against a binary classification model for gender classes.
In Table 3, as with MNIST dataset, only ARGAN showed
the same classification accuracy for legitimate input data.
Also, Defense-GAN and APE-GAN showed worse robustness
against C&W method than ARGAN. For example, while

VOLUME 10, 2022 33611


TABLE 4. Experimental results with the combinations of various loss functions on ARGAN using CIFAR-10 dataset.
FIGURE 8. Classification accuracy with the increase of magnitude of
FGSM perturbation.
ARGAN showed the classification accuracy by as much as
98% against C&W method, Defense-GAN and APE-GAN
showed the classification accuracy by as much as 43.8% and
96.5%, respectively.
Result 2: ARGAN shows the good-enough performance
under various datasets collected from diverse applica-
tions. These results imply that ARGAN can be applied to
various practical applications.
3) HOW DO DIFFERENT COMBINATIONS OF LOSS
FUNCTIONS INFLUENCE ON THE PERFORMANCE OF ARGAN?
To show the influence of different combination of loss
functions on ARGAN, the classification accuracy of target
DNN model is measured under the various adversarial
attacks. The evaluation results are summarized in Table 4.
First, the more the loss functions are combined, the higher
is the classification accuracy of target DNN model under
various adversarial attacks. Especially, ARGAN showed the
highest classification accuracy by as much as 41.5% on
average when all three loss functions were combined.
Second, it is observed that the loss function used in
APE-GAN is inadequate as the loss function of ARGAN.
Specifically, when ARGAN was trained with the loss
function of APE-GAN, it showed the classification accuracy
as much as 14.6% on average, which is lower than when
ARGAN was trained with the ladv alone. On the other hand,
33612
S.-H. Choi et al.: ARGAN: ARGAN for DNNs Against Adversarial Examples
when ARGAN was trained with the loss function of DCGAN,
the target DNN model showed the similar classification
accuracy as the joint loss of ladv and ldist on average, but
lower than when ARGAN was trained with the joint loss
of ladv , ldist and ltarget . For example, while the classification
accuracy with the loss of DCGAN was 36.88% on average,
the classification accuracy with the joint loss of ladv , ldist and
ltarget measured into 40.25% on average.
Third, as observed from the last column in Table 4,
ARGAN showed no accuracy degradation for legitimate
input data. For example, ARGAN showed the same accuracy
as much as 90.93% regardless of the combinations of
loss functions. This is because the legitimate input data
are restored by using the perturbation Pr in the second
transformation.
Result 3: ARGAN shows the good-enough performance
when it was trained with the joint loss.
4) DOES ARGAN SATISFY THE BASIC SANITY TESTS?
To identify potential flaws of our evaluation results, the basic
sanity test of ARGAN is conducted as described in [36].
Specifically, we showed the results for the following items
in the basic sanity tests: (1) Verify increasing the magnitude
of perturbation strictly increases attack success rate; and
(2) With ‘‘large’’ magnitude of perturbation, classification
accuracy should reach levels of random guessing. the basic
sanity test is conducted using FGSM because it intuitively
shows the change in classification accuracy as the magnitude
of perturbation increases.
In Fig. 8, it is observed the classification accuracy of
ARGAN while gradually increasing the  of FGSM by
0.01 from 0.01 to 1.0. As a result of the first item, the classi-
fication accuracy of ARGAN decreased as the magnitude of
perturbation increased. Especially, the classification accuracy
of ARGAN rapidly decreased when the  was in the range
from 0.05 to 0.10. When the magnitude of perturbation was
greater than 0.15, the classification accuracy of ARGAN
no longer significantly decreased. These results were the
same in the non-defense model, but ARGAN showed the
higher classification accuracy than non-defense model when
the magnitude of adversarial perturbations was less than
0.15. As a result of the second item, ARGAN showed the
classification accuracy about 10% when the magnitude of
VOLUME 10, 2022
S.-H. Choi et al.: ARGAN: ARGAN for DNNs Against Adversarial Examples
TABLE 5. Classification accuracy of ARGAN under the various denoising techniques of the adversary.
perturbation was greater than 0.2. This means that ARGAN
reached levels of random guessing on CIFAR-10 dataset
which consist of 10 classes.
Result 4: ARGAN satisfies the basic sanity test while
providing good robustness than non-defense model.
5) DOES ARGAN SHOW THE GOOD PERFORMANCE UNDER
ADAPTIVE ATTACK SCENARIO?
To evaluate the performance of ARGAN under the worst-
case adversary, the performance of ARGAN is measured on
ResNet-20 for randomly selected 1000 data instances from
CIFAR-10 test dataset under the scenario where the adversary
is aware of ARGAN architecture. Note that, an adversary
may assume that input data has been processed at the
client, but does not know details of how to process input
data. In other words, the adversary has no direct access to
the first transformation. Instead, the adversary can mitigate
the effectiveness of the first transformation by applying
the denoising techniques. On the other hand, an adversary
can control the second transformation only when he/she
has complete access to the server. Thus, the classification
accuracy is measured under two attack scenarios: (1) a
white-box attack; and (2) a gray-box attack. For white-box
attack, an adversary has complete access to the server and
can bypass the second transformation. On the other hand,
for gray-box attack, where an adversary only knows the
parameter values used for training deep neural networks and
cannot bypass the second transformation. When measuring
the classification accuracy of ARGAN under two attack
scenarios, five denoising techniques are used to mitigate the
first transformation.
As shown in Table 5, the classification accuracy of
ARGAN decreased under both white-box and gray-box
attacks. For example, while the stand-alone ARGAN showed
the classification accuracy by as much as 40.65%, ARGAN
under white-box attack and gray-box attack showed the
classification accuracy by as much as 13.14% and 28.48%
VOLUME 10, 2022
on average, respectively. For gray-box attack, it is observed
that key features in input data are restored by the sec-
ond transformation even though the first transformation
is mitigated by the adversary. For example, even though
the adversary mitigates the first transformation with a bit
depth 5-bit filter, ARGAN showed the classification accuracy
by as much as 83.9% against DeepFool. For white-box
attack, the classification accuracy of ARGAN significantly
decreased by as much as 13.14%, but is still higher than non-
defense architecture. Also, ARGAN against DeepFool under
white-box attack showed the lower accuracy than ARGAN
against DeepFool under gray-box attack. For example, while
ARGAN against DeepFool under the gray-box attack showed
the classification accuracy by as much as 71.12% on
average, ARGAN against DeepFool under the white-box
attack showed the classification accuracy by as much as
16.46% on average.
Result 6: ARGAN effectively works even under the
adaptive attack scenario. Especially, ARGAN shows the
good enough performance under the gray-box attack.
V. CONCLUSION
With the evolution of deep learning technology, adversarial
example is mainly highlighted as one of the most severe
problem of deep learning technology. Especially, adversarial
example can cause severe damage on cloud-based deep
learning environment where a MITM attack can be occurred.
To defend such adversarial examples, two types of GAN-
based defense methods have actively been studied as an
emerging efficient defense methods: (1) noise generation
architecture; and (2) noise reduction architecture. However,
the accuracy of such GAN-based defense methods decreases
when predicting and classifying the legitimate input data.
In this paper, we propose ARGAN, a new GAN-based
defense method to provide good outputs for adversarial
examples as well as legitimate input data. The generator
in ARGAN produces robust input data by reflecting the
33613

vulnerability of the target DNN model while simultaneously
training with the discriminator. From evaluation results under
various experimental conditions, it is observed that ARGAN
provided robustness to target DNN models against various
state-of-the-art adversarial attacks while maintaining the
high accuracy even for legitimate input data. Also, it is
observed that ARGAN showed better performance than
the state-of-the-art GAN-based defense methods such as
Gandef, Defense-GAN and APE-GAN. From such results,
it is believed that ARGAN presented the necessity of various
studies on the GAN-based defense architecture.
REFERENCES
[1] C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna, D. Erhan, I. Goodfellow,
and R. Fergus, ‘‘Intriguing properties of neural networks,’’ in Int. Conf.
Learn. Representations, 2014.
[2] T. Ray. (2020). Deep Learning Godfathers Bengio, Hinton, and
Lecun Say the Field Can Fix its Flaws. ZDNet. [Online]. Available:
https://www.zdnet.com/article/deep-learning-godfathers-bengio-hinton-
an%d-lecun-say-the-field-can-fix-its-flaws/
[3] M. Bojarski, D. D. Testa, D. Dworakowski, B. Firner, B. Flepp, P. Goyal,
L. D. Jackel, M. Monfort, U. Müller, J. Zhang, X. Zhang, J. Zhao,
and K. Zieba, ‘‘End to end learning for self-driving cars,’’ 2016,
arXiv:1604.07316.
[4] F. Amato, A. López, E. M. Peña-Méndez, P. Vanhara, A. Hampl,
and J. Havel, ‘‘Artificial neural networks in medical diagnosis,’’
J. Appl. Biomed., vol. 11, no. 2, pp. 47–58, 2013. [Online]. Available:
https://www.sciencedirect.com/science/article/pii/S1214021X14600570
[5] M. Shirvanian and N. Saxena, ‘‘Stethoscope: Crypto phones with
transparent & robust fingerprint comparisons using inter text-speech
transformations,’’ in Proc. 17th Int. Conf. Privacy, Secur. Trust (PST),
Aug. 2019, pp. 1–10.
[6] M. F. R. M. Billah and M. A. Adnan, ‘‘SMARTLET:
A dynamic architecture for real time face recognition in smartphone
using cloudlets and cloud,’’ Big Data Res., vol. 17, pp. 45–55,
Sep. 2019.
[7] G. Ofualagba, O. Osas, I. Orobor, I. Oseikhuemen, and O. Etse, ‘‘Auto-
mated student attendance management system using face recognition,’’ Int.
J. Educ. Res. Inf. Sci., vol. 5, pp. 31–37, Sep. 2018.
[8] T. Soyata, R. Muraleedharan, C. Funai, M. Kwon, and W. Heinzelman,
‘‘Cloud-vision: Real-time face recognition using a mobile-cloudlet-
cloud acceleration architecture,’’ in Proc. IEEE Symp. Comput. Com-
mun. (ISCC), Jul. 2012, pp. 59–66. [Online]. Available: http://dblp.uni-
trier.de/db/conf/iscc/iscc2012.html#SoyataMFKH12
[9] I. Rosenberg, A. Shabtai, Y. Elovici, and L. Rokach, ‘‘Defense methods
against adversarial examples for recurrent neural networks,’’ 2019,
arXiv:1901.09963.
[10] W. Hu and Y. Tan, ‘‘Generating adversarial malware examples for black-
box attacks based on GAN,’’ 2017, arXiv:1702.05983.
[11] K. Sun, Z. Zhu, and Z. Lin, ‘‘Enhancing the robustness of deep neural
networks by boundary conditional GAN,’’ 2019, arXiv:1902.11029.
[12] G. Liu, I. Khalil, and A. Khreishah, ‘‘GanDef: A GAN based adver-
sarial training defense for neural network classifier,’’ 2019, arXiv:1903.
02585.
[13] P. Samangouei, M. Kabkab, and R. Chellappa, ‘‘Defense-GAN: Protecting
classifiers against adversarial attacks using generative models,’’ 2018,
arXiv:1805.06605.
[14] S. Shen, G. Jin, K. Gao, and Y. Zhang, ‘‘APE-GAN: Adversarial
perturbation elimination with GAN,’’ 2017, arXiv:1707.05474.
[15] S.-H. Choi, J. Shin, P. Liu, and Y.-H. Choi, ‘‘EEJE: Two-step input
transformation for robust DNN against adversarial examples,’’ IEEE Trans.
Netw. Sci. Eng., vol. 8, no. 2, pp. 908–920, Apr. 2021.
[16] I. Goodfellow, J. Shlens, and C. Szegedy, ‘‘Explaining and harnessing
adversarial examples,’’ in Proc. Int. Conf. Learn. Represent., 2015,
pp. 1–11.
[17] A. Madry, A. Makelov, L. Schmidt, D. Tsipras, and A. Vladu,
‘‘Towards deep learning models resistant to adversarial attacks,’’ 2017,
arXiv:1706.06083.
33614
S.-H. Choi et al.: ARGAN: ARGAN for DNNs Against Adversarial Examples
[18] S.-M. Moosavi-Dezfooli, A. Fawzi, and P. Frossard, ‘‘DeepFool: A
simple and accurate method to fool deep neural networks,’’ 2015,
arXiv:1511.04599.
[19] N. Carlini and D. Wagner, ‘‘Towards evaluating the robustness of neural
networks,’’ 2016, arXiv:1608.04644.
[20] C. Guo, M. Rana, M. Cisse, and L. van der Maaten, ‘‘Countering
adversarial images using input transformations,’’ 2017, arXiv:1711.
00117.
[21] A. Prakash, N. Moran, S. Garber, A. DiLillo, and J. Storer, ‘‘Deflecting
adversarial attacks with pixel deflection,’’ 2018, arXiv:1801.08926.
[22] H. Lee, S. Han, and J. Lee, ‘‘Generative adversarial trainer: Defense to
adversarial perturbations with GAN,’’ 2017, arXiv:1705.03387.
[23] X. Liu and C.-J. Hsieh, ‘‘Rob-GAN: Generator, discriminator, and
adversarial attacker,’’ in Proc. IEEE/CVF Conf. Comput. Vis. Pattern
Recognit. (CVPR), Jun. 2019, pp. 11234–11243.
[24] G. K. Santhanam and P. Grnarova, ‘‘Defending against adversarial attacks
by leveraging an entire GAN,’’ 2018, arXiv:1805.10652.
[25] Y. Su, G. Sun, W. Fan, X. Lu, and Z. Liu, ‘‘Cleaning adversarial
perturbations via residual generative network for face verification,’’
in Proc. IEEE Int. Conf. Acoust., Speech Signal Process. (ICASSP),
May 2019, pp. 2597–2601.
[26] U. Hwang, J. Park, H. Jang, S. Yoon, and N. Ik Cho, ‘‘PuVAE: A
variational autoencoder to purify adversarial examples,’’ 2019, arXiv:1903.
00585.
[27] A. Krizhevsky, V. Nair, and G. Hinton. (2009). Cifar-10 (Canadian Insti-
tute for Advanced Research). [Online]. Available: http://www.cs.toronto.
edu/~kriz/cifar.html
[28] Z. Whittaker. (2017). Dozens of Popular Iphone Apps Vulnerable
to Man-in-the-Middle Attacks. ZDNet. [Online]. Available:
https://www.zdnet.com/article/dozens-of-popular-iphone-apps-
vulnerable-%to-man-in-the-middle-attacks/
[29] F. Giesen, F. Kohlar, and D. Stebila, ‘‘On the security of TLS
renegotiation,’’ in Proc. ACM SIGSAC Conf. Comput. Commun. Secur.
(CCS), 2013, pp. 387–398.
[30] B. Möller, T. Duong, and K. Kotowicz, ‘‘This POODLE bites:
Exploiting The SSL 3.0 fallback,’’ Google, Mountain View, CA, USA,
Tech. Rep., Sep. 2014. Accessed: Mar. 22, 2022. [Online]. Available:
https://www.openssl.org/~bodo/ssl-poodle.pdf
[31] G. Liu, I. Khalil, and A. Khreishah, ‘‘ZK-GanDef: A GAN based zero
knowledge adversarial training defense for neural networks,’’ in Proc. 49th
Annu. IEEE/IFIP Int. Conf. Dependable Syst. Netw. (DSN), Jun. 2019,
pp. 64–75, doi: 10.1109/DSN.2019.00021.
[32] N. Papernot, I. Goodfellow, R. Sheatsley, R. Feinman, and P. McDaniel,
‘‘Technical report on the CleverHans v2.1.0 adversarial examples library,’’
2016, arXiv:1610.00768.
[33] W. Xu, D. Evans, and Y. Qi, ‘‘Feature squeezing: Detecting adversarial
examples in deep neural networks,’’ 2017, arXiv:1704.01155.
[34] Y. LeCun and C. Cortes. (2010). MNIST Handwritten Digit Database.
[Online]. Available: http://yann.lecun.com/exdb/mnist/
[35] Z. Liu, P. Luo, X. Wang, and X. Tang, ‘‘Deep learning face attributes
in the wild,’’ in Proc. IEEE Int. Conf. Comput. Vis. (ICCV), Dec. 2015,
pp. 3730–3738.
[36] N. Carlini, A. Athalye, N. Papernot, W. Brendel, J. Rauber, D. Tsipras,
I. Goodfellow, A. Madry, and A. Kurakin, ‘‘On evaluating adversarial
robustness,’’ 2019, arXiv:1902.06705.
SEOK-HWAN CHOI received the B.E. degree
from Pusan National University, Busan, South
Korea, in 2016, where he is currently pursuing the
Ph.D. degree in computer science and engineering.
His research interests include security for artificial
intelligence, adversarial examples, and intrusion
detection.
VOLUME 10, 2022
S.-H. Choi et al.: ARGAN: ARGAN for DNNs Against Adversarial Examples
JIN-MYEONG SHIN received the B.E. degree
from Pusan National University, Busan, South
Korea, in 2017, where he is currently pursuing the
Ph.D. degree in computer science and engineering.
His research interests include security for artificial
intelligence, homomorphic encryption, and intru-
sion detection.
PENG LIU (Member, IEEE) received the B.S.
and M.S. degrees from the University of Science
and Technology of China and the Ph.D. degree
from George Mason University, in 1999. He is
currently a Professor of information sciences and
technology and the Founding Director of the Cen-
ter for Cyber-Security, Information Privacy, and
Trust, and the Cyber Security Laboratory, Penn
State University. He has published a monograph
and more than 260 refereed technical papers. His
research has been sponsored by the U.S. National Science Foundation, ARO,
AFOSR, DARPA, DHS, DOE, AFRL, NSA, TTC, CISCO, and HP. His
research interests include the areas of computer and network security. He has
VOLUME 10, 2022
served on more than 100 program committees and reviewed papers for
numerous journals. He received the DOE Early Career Principle Investigator
Award. He has co-led the effort to make Penn State an NSA-Certified
National Center of Excellence in Information Assurance Education and
Research. He has advised or co-advised more than 30 Ph.D. dissertations
to completion.
YOON-HO CHOI (Member, IEEE) received the
M.S. and Ph.D. degrees from the School of Elec-
trical and Computer Engineering, Seoul National
University, Seoul, South Korea, in 2004 and 2008,
respectively. He was a Postdoctoral Scholar at
Seoul National University, in 2008, and Penn-
sylvania State University, University Park, PA,
USA, in 2009. From 2010 to 2012, he was
a Senior Engineer with Samsung Electronics.
From 2012 to 2014, he was an Assistant Professor
with the Department of Convergence Security, Kyonggi University, Suwon,
South Korea. He is currently an Associate Professor with the School of
Computer Science and Engineering, Pusan National University, Busan,
South Korea. His research interests include privacy-preserving deep learning,
adversarial examples, anomaly detection, deep packet inspection for high
speed intrusion prevention, and the IoT security for realizing secure computer
systems and networks. He has served as a TPC member and an editor for
various international conferences and journals.
33615