
Multimedia Tools and Applications

https://doi.org/10.1007/s11042-024-18475-7

Trans-IFFT-FGSM: a novel fast gradient sign method for adversarial attacks

Muhammad Luqman Naseem1

Received: 2 May 2022 / Revised: 13 November 2023 / Accepted: 29 January 2024


© The Author(s), under exclusive licence to Springer Science+Business Media, LLC, part of Springer Nature 2024

Abstract
Deep neural networks (DNNs) are popular in image processing but are vulnerable to adversarial
attacks, which makes their deployment in security-sensitive systems risky. Adversarial
attacks reduce the performance of DNNs by generating adversarial examples (AEs). In
this paper, we propose a novel method called Trans-IFFT-FGSM (Transformer Inverse
Finite Fourier Transform Fast Gradient Sign Method) to generate adversarial examples.
Unlike others, we apply multiple steps, adding imperceptible perturbation and saving input
noise information to create strong AEs, while emphasizing simplicity, efficiency, robustness
through iterations, and analytical precision on specific models. We evaluate and compare
perturbation generated by Trans-IFFT-FGSM and other attack methods, including FGSM,
PGD, DeepFool, and C&W on ImageNet and MNIST, and evaluation results suggest that
Trans-IFFT-FGSM achieves a high attack success rate (ASR) and attack accuracy. In addition,
we compare Trans-IFFT-FGSM and other attack methods under the existence of a defense
method, which denoises the AEs generated by these methods, and the evaluation results also
suggest Trans-IFFT-FGSM outperforms other methods.

Keywords Artificial intelligence security · Adversarial attack · Adversarial examples · Defense · Perturbation

1 Introduction

Deep neural networks (DNNs) have achieved remarkable success across various domains,
such as computer vision, natural language processing, network security, medical image
processing, and even autonomous driving applications [1, 2]. However, the low security of DNNs
has affected their deployment in safety-sensitive applications. To change the outputs of DNNs,
attackers can perturb the inputs of DNNs, even if the perturbations are minute. The perturbed
inputs are usually called adversarial examples (AEs) [1, 3]. We tackle the adversarial
problems in deep learning, such as adversarial training, input preprocessing, gradient masking,
transfer learning, and ensemble methods [4].

Muhammad Luqman Naseem
mluqmannaseem@outlook.com
1 Software College, Northeastern University, Chuangxin Road, Hunnan District, Shenyang 110169,
Liaoning, China

Adversarial examples are known to exploit vulnerabilities in traditional deep learning
algorithms [5–7]. In 2013, Szegedy et al. [3] successfully created adversarial examples using
the box-constrained L-BFGS algorithm [8]. The emergence of adversarial examples is a hot
topic of discussion. Adversarial attacks are categorized into black-box and white-box attacks
based on the available model knowledge [9]. Black-box attacks have no knowledge of the model's
internal information and only have access to the model output for adversarial examples. The
black-box attack on DNNs depends on the attacker's abilities [10]. The black-box attack presents
the most challenging scenario, involving access to benign images and class labels [10]. White-box
attacks possess information about the DNN, its weight parameters and structure [10]. White-box
attacks on DNNs are often straightforward, as they involve full knowledge of and unrestricted
access to the targeted DNNs [10]. It is easy to implement gradient-based attack algorithms
efficiently in a white-box attack environment. Goodfellow et al. [1] introduced the FGSM
(Fast Gradient Sign Method), which creates adversarial examples with small perturbations
by applying the gradient direction of the input. Furthermore, Miyato et al. [11] proposed a variant
of the FGSM known as the FGM (Fast Gradient Method), which normalizes the gradient
by the l2 norm. This leads to more effectively generated adversarial perturbations. The
FGSM and FGM are one-step attack techniques. Their success rates for adversarial attacks
are relatively limited overall. In the AI security domain, prominent adversarial attack
algorithms such as FGSM [1, 12], DeepFool [12], PGD [12], and C&W [12] were proposed to
generate adversarial examples using broad knowledge of target models, including network
structures and parameters. Each employs a unique approach to perturbing input data to fix
model vulnerabilities and secure robustness. Meanwhile, Zero Order Optimization (ZOO)
[13], Autoencoder-based Zero Order Optimization (AutoZoom) [14], and Boundary Attack
[15] are able to generate adversarial examples without any target model information.
Our work develops a technique for generating adversarial examples and understanding
the vulnerabilities of DNNs. Trans-IFFT-FGSM starts from original (clean) input images,
applies input diversity to obtain a gradient, and uses translation invariance so that the
DNN can accurately extract features. The FFT coefficients, which describe the transformation
from the time domain to the frequency domain and represent the signal frequencies, are
multiplied by the encoder-decoder of the transformer (which processes the input data and
transforms it) to generate an obfuscated image. The IFFT then compresses the target information
of the obfuscated image, which passes to gradient correction; this restricts the gradient
magnitude to prevent exploding gradients and applies perturbation to manage overfitting
(navigation modification). Adversarial attacks therefore involve perturbations to enhance
model performance. We enhance the transferability of adversarial examples by perturbing
features extracted from the feature network. Experiments conducted on the ImageNet [16] and
MNIST [48] datasets illustrate the method's effectiveness in generating highly transferable
adversarial examples.
Our contributions in this paper are as follows.

• An algorithm called Trans-IFFT-FGSM is developed, which aims to add perturbation to
images, i.e., to generate adversarial examples. It outperforms SOTA methods such
as FGSM, PGD, DeepFool, and C&W in terms of attack accuracy of classification by
0.73%.
• We select the attack algorithms FGSM, PGD, DeepFool, C&W, and the proposed
Trans-IFFT-FGSM for the experiments, along with a defense using the denoiser algorithm, to
analyze the adversary strength. Two datasets are used for conducting our experiments: ImageNet
and MNIST. Moreover, we used pre-trained models for feature extraction.


The remainder of this paper is organized as follows. In Section 2, we explain the current
strategies adopted for adversarial attacks in recent years. In Section 3, we explain our
methodology in detail. Section 4 presents the experiments and the results of the performance
evaluation metrics. In Section 5, we have a comprehensive discussion. Finally, we conclude our
work in Section 6.

2 Related works

In this section, we introduce related work in the field of adversarial attacks on AI systems,
including adversarial attacks, generating adversarial examples (AEs), and AI application
security.

2.1 Adversarial attack

An adversarial attack manipulates input data and misleads the performance of DL models. Many
works introduced techniques boosting adversarial attacks on DL models [17]. Adversarial
attacks not only threaten computer vision tasks but also reduce integrity and reliability in
various domains that depend on DL models [18], such as network security, medical image
processing, and autonomous driving applications [1, 2]. Many works related to attacks
focus on adversarial examples. In particular, the Fast Gradient Sign Method (FGSM) is a
fundamental attack technique [1, 12]. It introduces a minute perturbation based on the model's
loss gradient to generate adversarial examples. MI-FGSM [19] builds on the concept of momentum,
using an accumulated gradient to define the attack gradient. Moreover, the
Basic Iterative Method (BIM) [11] and Projected Gradient Descent (PGD) [12] methods
represent modifications based on FGSM, each offering diverse techniques for adversarial
example generation. DeepFool [12] identifies the classification boundary of an adversarial
example and introduces minute perturbations to cross that boundary. The Carlini and
Wagner (C&W) method [12] iteratively crafts adversarial examples while constraining the
perturbation using an l2-norm based attack on the model output. Shamsabadi et al. [20]
introduced EdgeFool to generate adversarial examples that closely resemble real-world data.
Also reviewed are attack techniques such as FGSM, PGD, DeepFool, and C&W on the ImageNet
and MNIST datasets.
Many other well-known techniques, such as DI-MI-FGSM [19], draw inspiration from
Diversity Input (DI) [28], Translation-Invariant (TI) techniques as presented by
Dong et al. [29], FGSM [1], and Momentum Iterative Boosting (MI) [17]. They oriented
transformations to MI transformations to further enhance transferability. Harmonic adversarial
attack methods (HAAM) employ harmonic functions to generate edge-free perturbations
[30]. Heng et al. [30] suggested a harmonic adversary technique whose perturbations
resemble smoother gradient-like images. Guo et al. [31] introduced a Fourier attack.
Furthermore, the one-pixel attack effectively fooled networks by demonstrating that high
frequency could be misleading [32].

2.2 Adversarial examples

Adversarial examples are data points that are intentionally perturbed or modified with
changes to the image that are imperceptible to the human eye but are crafted to deceive AI
models. Many works have proposed diverse techniques for generating adversarial examples, as
well as exploring defense mechanisms for enhanced security and robustness of DNN models.
Szegedy et al. [3] pointed out the existence of adversarial examples and successfully generated
adversarial examples (AEs), which could fool DNNs, through the L-BFGS algorithm. Goodfellow
et al. [1] proposed a fast gradient sign method (FGSM) to generate adversarial examples.
Bhattad et al. [9] introduced two novel semantic attacks employing the texture and color
domains. Shamsabadi et al. [18] proposed a kernel-prediction technique to enhance the accuracy
of motion-blurred adversarial examples. These approaches manipulate image semantics,
specifically targeting color changes associated with the perception of blue color, which leads
to an evaluation of pre-attack and post-attack transformation for image classifications [20].
A successful attack results in model misclassification, which requires thoroughly checked accuracy.

2.3 Adversarial defense

Work on adversarial examples has evolved in several areas, including defense
against adversarial examples and attacks that generate adversarial examples. The latest
work focuses on defense mechanisms to minimize the development of adversarial examples,
whereas others try to design algorithms to construct adversarial examples that satisfy
many requirements. Many works resist adversarial examples by masking the gradient, during
which the adversary's optimizer techniques were predicted to fail to evolve beyond malignant.
Several works have efficiently defeated such defenses and produced useful samples, mainly by
building substitute models to remove the mask. This is especially true for newer works [21–27].
On the other hand, the overall probability value (OPV) of a defense against adversarial
examples algorithm assesses the degree of modification in an input image. It offers a preliminary
method for determining whether an input is an adversarial example or not [47]. Zhou et al.
[36] developed a technique to protect against adversarial examples by leveraging a Markov
process to determine overall probability values. However, incremental processes exhibit a
high level of accuracy and a low degree of transferability [37]. So, transferred attacks are
crafted on a surrogate model to target the intended model [38]. Feinman et al. [39, 40]
hypothesized that adversarial examples are selected differently from original sample
probabilities. They proposed a detection approach based on kernel density estimation in the
feature space of the final hidden layers. Moreover, Bayesian neural network predictions
incorporate dropout randomization [49]. Various works suggested that enhanced attack
generalizability involves reduced dispersion of the activation functions of the initial CNN
layers [41]. Samriya et al. [42] conducted verification and compared it to ACO and PCA-based
Naive Bayes (NB) models. As a result, experiments showed that the ACODNN model outperforms
the existing approach.

2.4 AI security

Security is a key factor to be considered while developing applications based on AI systems.
Security protects systems, networks, and AI models from adversarial attacks. Attackers have
developed many novel attack strategies to grow proactively. So, security is applied in various
domains such as AI, cybersecurity, finance, and healthcare for public safety and trust.
Adversarial perturbations are typically invisible to humans, but they can cause harm in deep
learning models. This work shows an empirical study of adversarial examples regularly appearing
in these low-probability sections of confident training distributions, independent of attack
types or targeted models, from the perspective of image analyzers [1]. This work has discovered
that conventional neuron density theories are exceptionally efficient at detecting tiny image
variations, employing statistical hypothesis testing.


Chithaluru et al. [33] investigated the performance of node localization and energy-efficient
clustering through real-time test-bed analysis. The study found that ICSO excels in speed of
convergence and network lifetime when applied to the development of efficient IIoT and green
cities. Aggarwal et al. [34] introduced a novel strategy for detecting vehicle license plates,
employing image processing techniques such as dilation, edge processing, and greyscale
conversion. The approach included detection of relevant regions within a segmented image
containing a vehicle license plate. Kumar et al. [35] proposed a novel method of detecting
photo manipulation that involved a technique for detecting multiple light sources. Likewise,
there are many other deep learning methods that are well known for classification, detection
and segmentation [50, 51].

3 Methodology

3.1 Overview

Figure 1 presents the schematic diagram of the proposed Trans-IFFT-FGSM. It consists of
multiple stages, such as obtaining the gradient, which evaluates how single image pixels affect
the output, and retaining information for creating the perturbation. The input of
Trans-IFFT-FGSM is the original image (clean image), and the output is an AE. Translation
invariance maintains the ability to identify the input class accurately for feature extraction.
Moreover, FFT coefficients precisely describe the image from the time domain to the frequency
domain. The coefficients represent the amplitudes and phases of the signal's various
frequencies. The encoder-decoder of the transformer actively processes the input data and
transforms it to generate output while attending to different input and output sequence image
segments. Furthermore, we concatenate the IFFT output information of the previous two-stage
compression, which results in the complete set of compressed targets for images. After that,
gradient corrections restrict the gradient magnitude to prevent exploding gradients (large error
gradients leading to substantial updates in the neural network model weights during training)
and impose perturbation on gradients to manage overfitting. The gradient corrections play
a key role in navigation modification, ensuring more effective training and improved data
learning. The step-size parameter of the perturbation determines the step taken along the
gradient in DL. However, generating adversarial examples directly impacts
the trade-off between training speed and convergence accuracy.

Fig. 1 Schematic Diagram of Trans-IFFT-FGSM algorithm applied to the ImageNet dataset. It includes input
variation, gradient manipulation, translation adjustments, FFT processing, transformer encoding and decoding,
softmax layers, gradient correction, and perturbation generation to create adversarial examples


Algorithm 1 Trans-IFFT-FGSM
function
  Input: (x, y), the pair of image and its label in datasets
  Output: the final output is an adversarial example (x′, y′)
  for epoch n = 0 to N_{n−1} do
    input diversity for n times
    get gradient δ
    implement the translation-invariant (TI) for feature extraction
    x_0 ← x, n ← 0
    while sign(f(x_n)) = sign(f(x_0)) do
      x′ ← −( f(x_n) / ‖δf(x_n)‖_2^2 ) δf(x_n)
      x_{n+1} ← x_n + x′
      n ← n + 1
      FFT ← n
    end while
    FFT Coefficient ← FFT
    T ← E/D * FFT
    IFFT ← get T_δ
    x_δ ← get IFFT(AE(x′, y′))
    SoftMax ← x_δ
    Get x_δ ← feed AE(x′, y′) in model get GC
    Get δ of x_δ by backpropagation
    x_{δ+1} ← get x_{δ+1} according to α
    CE Loss
  end for
  return: if output is not same as (x′, y′) then again iterate x and x_δ
end function

3.2 Symbols and concepts

We give the notations used in this paper as: (x, y), the pair of image and its label in
datasets; ba, a batch of original images; x′, adversarial example (AE); α, gradient step size;
ad, improve diversity for AE; CE, cross-entropy loss function; x_δ, image perturbation; W,
adversarial training with worst-case perturbation; TI, translation-invariant for feature
extraction; T, transformer; E, encoder of transformer; D, decoder of transformer; IFFT,
information preserving compression for image; GC, navigation modification; δ, gradient; N,
target image index. These notations are also used in Algorithm 1 to present the pseudo-code.

3.3 Input image

The image represents the matrix of pixel values and classes. In step 1, we input an original
image with specific dimensions 299 × 299. In our case, we take the image from the ImageNet
dataset. We choose classes (a part of ImageNet has 0-999 classes, and MNIST has 10 classes)
from the ImageNet and MNIST datasets.

3.4 Get gradient

We apply gradients to measure changes in the scalar field in various directions and
effectively handle the largest datasets with high-dimensional parameters. In step 2, we choose an
input diversity image for improving transferability to generate AEs and process it over
different iterations (cycles of stages) t (e.g., get gradients, translation invariant, FFT
coefficients, transformer, IFFT, gradient corrections, and get perturbation); during this
process, perturbation is successfully added to the image to generate the AE.

3.5 Loss function

We apply the loss function to assess the performance of our model and determine how well the
data fits the predictions. In step 3, we take the gradient of the loss function $CE(p_i, q_i)$
for the modified image obtained from the adversarial examples $x_t^{adv}$, which represents
$p_i$, and the predicted probability for the AE. Moreover, we train the model using a
combination of original and adversarial examples.

$$\min_{\theta}\; \mathbb{E}_{(x,y)\sim DS}\left[\max_{\delta \in S} L\big(f_{\theta}(x+\delta),\, y\big)\right] \qquad (1)$$

In (1) [43], $\theta$ represents the parameters, $\mathbb{E}$ denotes the expected value of a
random variable, $DS$ denotes the training dataset, $S$ denotes the set of allowable
perturbations, $f_{\theta}(x)$ signifies the model output for input $x$ with parameters
$\theta$, $L$ represents the loss function, $\delta$ represents the perturbation,
and $\max_{\delta}$ represents the gradient. The training objective is to minimize the expected
loss across examples in the distribution $DS$ with respect to the model parameters $\theta$
while simultaneously maximizing the loss over the allowable perturbations in $S$. On one hand,
we apply modified inputs as in an attack. Moreover, we focus on (2) [44], which defines the
cross-entropy loss between the predicted probabilities $p_i$ and the true target probabilities
$q_i$ for each image. To calculate the loss of an image, we apply the cross-entropy function.


$$CE(p_i, q_i) = -\sum_{n=0}^{N} p_i \log(q_n) \qquad (2)$$

Furthermore, we denote the class index as $n$, where $q_n$ represents the true probability of
adversarial examples belonging to class $N$. The adversarial examples $x_t^{adv}$ generated in
step-size $t$ correspond to $p_i$. This is represented as a value of 1 for the true class and 0
for all other classes. Therefore, we use $p_i$ to denote the model's predicted probability for
class $N$. The cross-entropy loss evaluates how the predicted probability aligns with the true
probability. When predicted probabilities are close to 1 (indicating high confidence in the true
class), the cross-entropy loss approaches 0. Therefore, the loss increases when predicted
probabilities significantly deviate from the true probabilities.
However, we observe that our generated adversarial examples achieve higher success rates
when used against black-box models but produce less promising results against white-box
models. This conflict happens because attackers frequently lack access to the original inputs
(in adversarial attacks original input is uniform data passed to a machine-learning model).

3.6 Enhance effectiveness

We employ an incremental approach for each image over a fixed time period to enhance
efficiency and apply multiple changes in the image for perturbation. In step 4, we apply
an incremental approach to enhance the effectiveness of attacks by generating a smooth gradient
across images using a predefined kernel. This leads to adversarial examples that are less
prone to detection by white-box architectures, especially in the context of targeted
translation-invariant attacks.

$$x_{t+1}^{adv} = x_t^{adv} + \alpha \cdot \mathrm{sign}\Big(W * \nabla_x L\big(x_t^{adv},\, y\big)\Big) \qquad (3)$$


In (3) [17], $\alpha$ represents the gradient step-size of the attack, and $y$ denotes the
target point for AEs. The variable $W$ refers, in this context, to adversarial training with
worst-case perturbation. Moreover, it is more worthwhile when the size of $W$ increases:
adversarial perturbations become more noticeable, leading to an overall improvement in
transferability.

3.7 Get FFT co-efficient

We use FFT coefficients to expand the periodic function, which makes it easier to understand
signal values for frequency filtering. In step 5, we compute FFT coefficients to transform data
from the time domain to the frequency domain. This enables analysis of signal components
at various frequencies, amplitudes and phases. This necessary process finds applications in
image analysis, signal processing and audio processing. We integrate a fast Fourier transform
technique to obtain the FFT coefficients. We design a distinctive dynamic learning rate for
these frequency coefficients across different frequencies, to ensure that the generated image
achieves ugly and, moreover, performs well across various classifiers. We employ a larger
training dataset for coefficients in the higher frequency range, while using a lower learning
rate for coefficients within the low-frequency range.
The Fourier transform is a method for decomposing a function into its component frequencies.
The discrete Fourier transform proves valuable for analyzing wave signals irregularly at
discrete intervals. The Fast Fourier Transform (FFT) enables swift computation of discrete
Fourier transforms for wave signals of size $N$, achieving a time complexity
of $O(N \log N)$ [32]. Moreover, we can apply the 2-dimensional discrete Fourier transform
to image channels. Therefore, we give an accurate expression for this process. Furthermore, $Z$
represents the image pixels of coefficients in the range $Z \in [0, 1]^{N \times N}$.


$$FFT(Z)(l, k) = \sum_{n,m=0}^{N} e^{-2\pi i \frac{lm+kn}{N}}\, Z(m, n), \qquad (4)$$

In (4) [45], the Fourier coefficient consists of a two-dimensional complex number for each
pair of indices $l$ and $k$, where $k$ varies from 0 to $N − 1$. This coefficient can be
represented as $z = r e^{i\varphi}$, with $r$ denoting its magnitude and $\varphi$ representing
the phase angle. In the coming step, we will explore the magnitude and phase angle of the
Fourier coefficients. Moreover, the magnitude can be computed as an absolute value. The
phase angle of a Fourier coefficient depends on the values of $l$ and $k$, which range from 0 to
$N − 1$. Afterward, the FFT coefficient is multiplied by the transformer layers.
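
The transform in Eq. (4), its polar form $z = r e^{i\varphi}$ and the inverse that returns to pixel values, written out as an added example (not code from the paper). The 4 × 4 image `CLEAN`, the sign-pattern perturbation `DELTA`, the cutoff of N/4 and all function names are constructed for illustration; the indices run over 0..N−1, the range the text gives for l and k. The last function measures how much spectral energy sits away from the low frequencies, the kind of signal a frequency-domain denoiser or detector looks at.

```python
import cmath
import math

def dft2(Z):
    """2-D discrete Fourier transform of an N x N image, term by term as in Eq. (4)."""
    N = len(Z)
    return [[sum(cmath.exp(-2j * math.pi * (l * m + k * n) / N) * Z[m][n]
                 for m in range(N) for n in range(N))
             for k in range(N)] for l in range(N)]

def idft2(F):
    """Inverse transform: frequency coefficients back to real pixel values."""
    N = len(F)
    return [[(sum(cmath.exp(2j * math.pi * (l * m + k * n) / N) * F[l][k]
                  for l in range(N) for k in range(N)) / (N * N)).real
             for n in range(N)] for m in range(N)]

def polar(F):
    """Magnitude r = |z| and phase angle phi of every coefficient z = r * e^{i*phi}."""
    mag = [[abs(z) for z in row] for row in F]
    phase = [[cmath.phase(z) for z in row] for row in F]
    return mag, phase

def high_freq_fraction(Z, cutoff=None):
    """Share of spectral energy in bins whose row or column frequency is >= cutoff.

    Indices are folded (N - 1 counts as frequency 1) so that both halves of the
    spectrum are treated alike. The default cutoff of N/4 is an assumption.
    """
    N = len(Z)
    cutoff = N / 4 if cutoff is None else cutoff
    mag, _ = polar(dft2(Z))
    total = high = 0.0
    for l in range(N):
        for k in range(N):
            energy = mag[l][k] ** 2
            total += energy
            if max(min(l, N - l), min(k, N - k)) >= cutoff:
                high += energy
    return high / total

# Constructed data: a smooth 4 x 4 ramp with pixel values in [0.1, 0.9] ...
N = 4
EPS = 0.1
CLEAN = [[0.1 + 0.8 * (m + n) / 6 for n in range(N)] for m in range(N)]
# ... and a +/-EPS sign pattern, the shape a sign() step produces in the worst case.
DELTA = [[EPS * (-1) ** (m + n) for n in range(N)] for m in range(N)]
PERTURBED = [[CLEAN[m][n] + DELTA[m][n] for n in range(N)] for m in range(N)]

if __name__ == "__main__":
    mag, _ = polar(dft2(DELTA))
    print("perturbation magnitude at (2, 2):", round(mag[2][2], 6))
    print("high-frequency share, clean    :", round(high_freq_fraction(CLEAN), 4))
    print("high-frequency share, perturbed:", round(high_freq_fraction(PERTURBED), 4))
```

The whole perturbation lands in the single coefficient (l, k) = (2, 2), while the smooth image keeps most of its energy in the zero-frequency term.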

3.8 Transformer

We enhance accuracy in various AI and deep learning model tasks by implementing transformers.
The transformer employs the self-attention mechanism to weigh the significance
of each input data component differentially. Moreover, it improves computational efficiency
and scalability. In step 6, the transformer was originally designed for automated
translation. It employs an encoder-decoder architecture. The encoder takes the
actual data as input and, as a result, produces an attention-based representation. Furthermore,
as an alternative to employing a standard recurrent neural network (RNN) algorithm for
decoding, an autoregressive decoder processes the encoded information against the image. As
a result, the architecture proves particularly advantageous for tasks that involve
sequential-to-sequential operations requiring autoregressive decoding. Encoder-decoder
based transformer approaches have significantly advanced the field of natural language
processing (NLP). Moreover, it generates IFFT images as the output of the transformer.

3.9 Inverse fast Fourier transform (IFFT)

The Inverse Fast Fourier Transform (IFFT) reverses the FFT process by converting data from
the frequency domain back to the time domain. Moreover, it has extensive applications
in data reconstruction and signal processing. As per IFFT in step 7, we apply the transformer
model to generate IFFT images. Furthermore, we proceed to the subsequent step as per
the proposed algorithm. We refine and continue with the softmax process, an activation
method that converts numerical values into probabilities. The softmax operation
produces probabilities for each potential output, represented within a
vector. Each entry in the vector corresponds to a possible output, and the sum of all
entries equals 1. We apply the softmax function to achieve this.

$$IFFT(x)_n = \frac{e^{x_n}}{\sum_{r=1}^{R} e^{x_r}}, \quad \text{for } n = 1, 2, \cdots, R, \qquad (5)$$

In (5) [46], $R$ represents the set of possible classes. Moreover, $IFFT(x)_n$
indicates the probability of a specific component being linked to class $n$. Therefore, our aim
is to compute the probability $P_{x'}$. As a result, we calculate $P_{x'}$ as follows:
$P_{x'} = \frac{e^{x_x}}{\sum_{r=1}^{R} e^{x_r}}$.

3.10 Generate AEs

Generating perturbed images creates artificially constructed inputs that deceive DNN
models into producing targeted outcomes. Such inputs are referred to as
adversarial examples. In step 8, the Fast Gradient Sign Method (FGSM) can initially seem
simple. It maximizes the loss and reverses gradient descent. This loss and
gradient reversal occur because adversarial attacks aim to deceive the models. Furthermore,
input images denoted as x are processed batch by batch within the model to serve as learnable
features. The core principle behind FGSM is remarkably straightforward: it introduces
moderate perturbations based on gradients to increase the loss and disrupt the model's
behavior and functionality. This was proposed by Goodfellow et al. [1]. The fundamental Eq. (6)
is used in FGSM to generate adversarial examples [1]. It involves adding a minute perturbation
to a given input example to generate an adversarial example.

$$\eta = x + \varepsilon \cdot \mathrm{sign}\big(\nabla_x J(\theta, x, y)\big) \qquad (6)$$

where $\eta$ represents the adversarial example, $x$ is the original input, and $\varepsilon$
serves as a small scalar to control the magnitude of the perturbation. We employ the sign()
function to determine the sign. $\nabla_x J(\theta, x, y)$ denotes the gradient of the loss
function $J$ with respect to the input $x$. Moreover, it is evaluated based on the true label
$y$ and the neural network model parameters $\theta$. It is important to note that the gradient
is computed with respect to the input $x$, not the model parameters $\theta$. Furthermore,
$\varepsilon$ serves as the step size for the gradient ascent.
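
Eq. (6) applied to a small linear softmax classifier with the cross-entropy loss, as an added example that is not code from the paper. The weights `W`, the three inputs in `SAMPLES`, the clipping to [0, 1] and all function names are constructed for illustration. `robust_accuracy` reports the share of inputs that keep their correct label under a given ε budget, which is the figure a robustness evaluation tracks.

```python
import math

# Constructed 3-class linear softmax classifier over 4 "pixels" in [0, 1].
W = [[2.0, -1.0, 0.5, 0.0],
     [-1.0, 2.0, 0.0, 0.5],
     [0.0, 0.0, -1.0, 2.0]]
B = [0.0, 0.0, 0.0]

# Constructed (input, true label) pairs; each is classified correctly when clean.
SAMPLES = [([0.9, 0.2, 0.5, 0.1], 0),
           ([0.1, 0.9, 0.3, 0.2], 1),
           ([0.2, 0.1, 0.1, 0.9], 2)]

def logits(x):
    return [sum(w * xi for w, xi in zip(row, x)) + b for row, b in zip(W, B)]

def softmax(z):
    top = max(z)  # subtract the maximum for numerical stability
    e = [math.exp(v - top) for v in z]
    total = sum(e)
    return [v / total for v in e]

def predict(x):
    z = logits(x)
    return z.index(max(z))

def cross_entropy(x, y):
    """Loss J for true label y: minus the log-probability the model gives to y."""
    return -math.log(softmax(logits(x))[y])

def input_gradient(x, y):
    """Gradient of J with respect to the input x (not the weights).

    For a linear softmax model this is W^T (p - onehot(y)).
    """
    p = softmax(logits(x))
    err = [p[c] - (1.0 if c == y else 0.0) for c in range(len(p))]
    return [sum(W[c][j] * err[c] for c in range(len(W))) for j in range(len(x))]

def sign(v):
    return (v > 0) - (v < 0)

def fgsm(x, y, eps):
    """One step of Eq. (6): eta = x + eps * sign(grad_x J), clipped to [0, 1]."""
    g = input_gradient(x, y)
    return [min(1.0, max(0.0, xi + eps * sign(gi))) for xi, gi in zip(x, g)]

def linf(a, b):
    """Largest per-pixel change; FGSM keeps this at or below eps."""
    return max(abs(u - v) for u, v in zip(a, b))

def robust_accuracy(eps):
    """Fraction of SAMPLES still classified correctly after the eps-bounded step."""
    kept = sum(predict(fgsm(x, y, eps)) == y for x, y in SAMPLES)
    return kept / len(SAMPLES)

if __name__ == "__main__":
    for eps in (0.0, 0.1, 0.2, 0.4):
        print(f"eps={eps:.1f}  robust accuracy={robust_accuracy(eps):.2f}")
    x, y = SAMPLES[0]
    adv = fgsm(x, y, 0.1)
    print("loss clean / perturbed:",
          round(cross_entropy(x, y), 3), round(cross_entropy(adv, y), 3))
```

On this constructed model every label survives a budget of ε = 0.2 and none survives ε = 0.4, while the loss already rises at ε = 0.1 even though the prediction has not yet changed.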


4 Experiments and results

In this section, we thoroughly explain the datasets, technique selection, adversarial training,
adversarial preventions, and experimental settings.

4.1 Dataset

We chose the ImageNet and MNIST datasets. We organize connotation-relevant ImageNet
categories into nine super-classes, as outlined in Table 1. We opted for this dataset due to
its public availability and the use of clean original images. This dataset comprises 1000
classes, each with images having a resolution of 299 × 299 pixels and corresponding
labels totaling 1000. Furthermore, the background label is denoted as 0, while ImageNet
classes are associated with labels ranging from 0 to 999, as ImageNet is a comprehensive
dataset.

4.2 Technique selection

We select several adversarial attack techniques: the Fast Gradient Sign Method (FGSM),
Projected Gradient Descent (PGD), the Carlini-Wagner attack (C&W), and DeepFool (DF).
Furthermore, we will provide a detailed explanation and implementation of our proposed
algorithm known as Trans-IFFT-FGSM.

4.3 Adversarial training

Adversarial training approaches aim to enhance the robustness of classification models. We
used an adversarial attack known as PGD, which initiates from the original image. These
attacks are subject to a constraint that limits the magnitude of alterations, defined
mathematically as an l2-norm boundary. Furthermore, this constraint is enforced in the model
training phase. However, to ensure comprehensive coverage within a specified l2-norm
range at each stage, we normalize the data gradients throughout the PGD iterations. Therefore,
it emphasizes the potential harm caused by adversarial examples when the adversary lacks
access to the internal model details. Furthermore, here is an explanation of different types
of adversarial attack targets:

• Non-targeted Adversarial Attack: The primary objective is to substantially modify the
original image in a way that leads to misclassification by a machine learning classifier.
Therefore, the specifics of these are unknown.
• Targeted Adversarial Attack: Similarly, a targeted adversarial attack aims to lightly alter
the original images. Furthermore, it makes them appear to belong to a specific target class.
Therefore, the choice of the target class often relies on a deep learning classifier that
remains very confidential from the public.
• Defense Against Adversarial Attack: The defense strategy is to design machine learning
classifiers that exhibit robustness against adversarial examples. Furthermore, the classifiers
are designed to accurately identify such examples in the ubiquity of adversarial attacks.

Table 1 Sample for training, test and validation of ImageNet Dataset for major classes

| Classes | Label in ImageNet Dataset |
|---|---|
| “Giant panda, panda, panda bear, coon bear, Ailuropoda melanoleuca” | 388 |
| “gondola” | 576 |
| “lycaenid, lycaenid butterfly” | 326 |
| “American coot, marsh hen, mud hen, water hen, Fulica americana” | 137 |
| “lorikeet” | 90 |
| “ballplayer, baseball player” | 981 |
| “ostrich, Struthio camelus” | 9 |
| “cannon” | 471 |
| “library” | 625 |

4.4 Adversarial preventions

The artificial intelligence (AI) and machine learning (ML) approaches exhibit high
susceptibility to false positives and false negatives. Adversarial examples refer to cases where
inputs are subtly altered to cause misclassification within such machine-learning
classification systems. Some of these alterations are so subtle that they can easily evade
detection by human eyes, but the overall classification remains incorrect.

4.5 Implementation details

We provide implementation details for our model Trans-IFFT-FGSM in terms of the key steps
and strategies for execution.

4.5.1 Results for Trans-IFFT-FGSM

We prepare the training and testing samples for processing. First, we normalize them to fit
within the range of (0, 1). We then transform both the training and testing datasets into
784-dimensional vectors: each image comprises a 28x28 pixel grid, and flattening this 28x28
array converts it into a 784-dimensional vector. The training dataset comprises 60,000
samples, while the testing dataset contains 10,000 samples. To support machine learning
tasks, we convert the integer labels in the training and testing datasets into one-hot
vectors when necessary. We then proceed to build and train the classifiers.
We design a classification model wrapper that acquires and uses a TensorFlow session,
allowing seamless integration. We present graphical results in Figs. 2 and 3, with Fig. 4
showing the training and testing line graph. Figure 5 displays the attack ratios when using
various attack algorithms, including FGSM (Fast Gradient Sign Method), PGD (Projected
Gradient Descent Method), C&W (Carlini and Wagner Attack), DF (DeepFool Attack), and
Trans-IFFT-FGSM. Figure 6 illustrates the output achieved with state-of-the-art attack
algorithms. Fig. 7 demonstrates the variation in attack accuracy when applying the attacking
methods. Table 2 provides a comparison between non-target and target images.


Fig. 2 Comparison Non-Target and Target Images

4.5.2 Results

This section presents the performance evaluation experiments with state-of-the-art methods.
We adopt a step-by-step procedure to demonstrate how these techniques can be applied in
attack mechanisms, highlight technical aspects, and identify differences in performance.
Table 3 provides an overview of the feature engineering models that are initially used for
inserting perturbation. The table shows the variation in accuracy values for all techniques.


Fig. 3 Final Output Obtained after applying the adversarial attacks. The original images are taken from the
dataset, and the adversarial examples show the uneven difference (embedded) in the original image

4.5.3 Fast gradient sign method - FGSM apply on MNIST

The Fast Gradient Sign Method (FGSM) employs gradient information to perturb input
data and fool deep learning models in adversarial attacks. In the FGSM attack, we set the
attack parameters (configuring the essential settings and variables) to produce adversarial
examples and analyze the performance of the target classifiers when subjected to attacks.
As a result, we obtained 10 original samples and their corresponding adversarial examples.

Fig. 4 Left: graph of model accuracy against epoch for training (blue) and testing (orange).
Right: graph of loss against epoch for training (blue) and testing (orange)

Fig. 5 Attack ratio on applying various attacking algorithms like FGSM (Fast Gradient Sign
Method), PGD (Projected Gradient Descent Method), C&W (Carlini and Wagner Attack), DF
(DeepFool Attack), and Trans-IFFT-FGSM

Fig. 6 Output achieved after the state-of-the-art attack algorithms. Row 1 is original images,
and the images in Row 2 are attacked images using the FGSM adversarial attack. The images in
Row 3 are attacked images using the Projected Gradient Descent adversarial attack algorithm.
The images in Row 4 are outputs achieved after the Carlini and Wagner adversarial attack. The
images in Row 5 are outputs achieved after the DeepFool adversarial attack. Finally, the
images in Row 6 are the output achieved after denoising on some test samples

Fig. 7 Attack accuracy variation on applying various attacking algorithms like FGSM (Fast
Gradient Sign Method), PGD (Projected Gradient Descent Method), C&W (Carlini and Wagner
Attack), DF (DeepFool Attack), and Trans-IFFT-FGSM

4.5.4 Implementing detection via autoencoders

We use autoencoders to reduce noise and reconstruct images as the output. We create and
train the autoencoder using a mean squared error loss and the Adam optimizer. The next
stage involves detection with autoencoders. Autoencoder detection and threshold
determination use the training data, with FGSM used to create the adversarial examples. We
obtain the reconstruction errors for the training dataset and specify a threshold, resulting
in the creation of an array containing error convolution layers. We then calculate the error
for the adversarial testing set to determine the number of examples that exceed the
threshold. As a result, we count the negatives and true positives. Additionally, we assess
the number of positive examples. To identify false positives in an unremarkable testing set,
we calculate the examples that exceed the threshold and classify them as adversarial,
contributing to the false positive count. This count is based on the example size that
initially tested negative.
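The thresholding and counting steps described above, as an added example in plain Python (not the paper's code). A one-unit linear autoencoder fitted by power iteration stands in for the paper's Adam-trained autoencoder; the 8-dimensional data, the noise level, `EPS`, the fixed sign pattern and the 95% quantile threshold are all constructed assumptions.

```python
import random

DIM = 8     # constructed toy "image" size (the paper's MNIST vectors are 784-D)
EPS = 0.1   # assumed perturbation budget for the FGSM-style samples
# Fixed +/- pattern standing in for sign(gradient); a real FGSM sample takes it
# from the classifier's loss gradient.
SIGN = [1.0 if j % 2 == 0 else -1.0 for j in range(DIM)]


def make_clean(n, rng):
    """Constructed clean data: one brightness level per sample plus small noise."""
    out = []
    for _ in range(n):
        level = rng.uniform(0.3, 0.7)
        out.append([level + rng.gauss(0.0, 0.01) for _ in range(DIM)])
    return out


def perturb(x):
    """FGSM-style step x + eps * sign(.), using the constructed sign pattern."""
    return [xi + EPS * s for xi, s in zip(x, SIGN)]


def fit_autoencoder(train, iters=50):
    """Fit a 1-unit tied-weight linear autoencoder: mean + top principal direction.

    Power iteration yields the MSE-optimal weights for this linear model.
    """
    n = len(train)
    mean = [sum(x[j] for x in train) / n for j in range(DIM)]
    centred = [[xj - mj for xj, mj in zip(x, mean)] for x in train]
    w = [1.0] + [0.0] * (DIM - 1)
    for _ in range(iters):
        nxt = [0.0] * DIM
        for c in centred:
            z = sum(cj * wj for cj, wj in zip(c, w))
            for j in range(DIM):
                nxt[j] += z * c[j]
        norm = sum(v * v for v in nxt) ** 0.5
        w = [v / norm for v in nxt]
    return mean, w


def recon_error(x, model):
    """Mean squared error between x and its encode/decode reconstruction."""
    mean, w = model
    c = [xj - mj for xj, mj in zip(x, mean)]
    z = sum(cj * wj for cj, wj in zip(c, w))             # encode
    recon = [mj + z * wj for mj, wj in zip(mean, w)]     # decode
    return sum((xj - rj) ** 2 for xj, rj in zip(x, recon)) / DIM


def pick_threshold(errors, quantile=0.95):
    """Threshold = chosen quantile of the clean training reconstruction errors."""
    ranked = sorted(errors)
    return ranked[min(len(ranked) - 1, int(quantile * len(ranked)))]


def evaluate(model, threshold, clean_test, adv_test):
    """Count detections: anything above the threshold is classed as adversarial."""
    flagged_adv = sum(recon_error(x, model) > threshold for x in adv_test)
    flagged_clean = sum(recon_error(x, model) > threshold for x in clean_test)
    return {"tp": flagged_adv, "fn": len(adv_test) - flagged_adv,
            "fp": flagged_clean, "tn": len(clean_test) - flagged_clean}


def run_demo(seed=0):
    rng = random.Random(seed)
    train = make_clean(400, rng)
    clean_test = make_clean(200, rng)
    adv_test = [perturb(x) for x in clean_test]
    model = fit_autoencoder(train)
    threshold = pick_threshold([recon_error(x, model) for x in train])
    return threshold, evaluate(model, threshold, clean_test, adv_test)


if __name__ == "__main__":
    thr, counts = run_demo()
    print(f"threshold={thr:.6f}", counts)
```

The quantile sets the trade-off directly: a 95% threshold accepts roughly one clean input in twenty as a false positive, and a perturbation that lies along the direction the autoencoder reconstructs well would not raise the error at all.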
Failure to counter the PGD attack highlights its effectiveness. PGD provides attack
parameters for a trained classification example from phase 1. These parameters are used to
generate skewed data, which is used to evaluate the accuracy of the target classifier, as
shown in Table 4. We assess the impact of this attack on 10 original images and their
corresponding adversarial examples. We also implement adversarial classifier training and
further training using perturbation and image data. We conduct an analysis of PGD
adversarial classification accuracy after each epoch, and apply defense mechanisms to the
perturbed data during the PGD adversarial classification process.


Table 2 Comparison of Non-Target and Target Images

| SN | Original Image Left (O) | Non-Target Image Center (NT) | Target Image Right (T) |
|---|---|---|---|
| 1 | Predicted class: giant panda, panda, panda bear, coon bear, Ailuropoda melanoleuca. True class: giant panda, panda, panda bear, coon bear, Ailuropoda melanoleuca | Predicted class: Samoyed, Samoyede | Predicted class: chow, chow chow. Target class: meatloaf, meatloaf |
| 2 | Predicted class: gondola. True class: gondola | Predicted class: dam, dike, dyke | Predicted class: dam, dike, dyke. Target class: wing |
| 3 | Predicted class: lycaenid, lycaenid butterfly. True class: lycaenid, lycaenid butterfly | Predicted class: ringlet, ringlet butterfly | Predicted class: ringlet, ringlet butterfly. Target class: cocker spaniel, English cocker spaniel, cocker |
| 4 | Predicted class: lycaenid, lycaenid butterfly. True class: lycaenid, lycaenid butterfly | Predicted class: hippopotamus, hippo, river horse, Hippopotamus amphibius | Predicted class: hippopotamus, hippo, river horse, Hippopotamus amphibius. Target class: jacamar |
| 5 | Predicted class: American coot, marsh hen, mud hen, water hen, Fulica americana. True class: American coot, marsh hen, mud hen, water hen, Fulica americana | Predicted class: lorikeet | Predicted class: lorikeet. Target class: fountain |
| 6 | Predicted class: lorikeet. True class: lorikeet | Predicted class: basketball | Predicted class: basketball. Target class: Arabian camel, dromedary, Camelus dromedarius |
| 7 | Predicted class: ballplayer, baseball player. True class: ballplayer, baseball player | Predicted class: ostrich, Struthio camelus | Predicted class: ostrich, Struthio camelus. Target class: vault |
| 8 | Predicted class: ostrich, Struthio camelus. True class: ostrich, Struthio camelus | Predicted class: sundial | Predicted class: sundial. Target class: drilling platform, offshore rig |
| 9 | Predicted class: cannon. True class: cannon | Predicted class: tiger beetle | Predicted class: tiger beetle. Target class: espresso maker |
| 10 | Predicted class: long-horned beetle, longicorn, longicorn beetle. True class: long-horned beetle, longicorn, longicorn beetle | Predicted class: espresso | Predicted class: espresso. Target class: nail |
| 11 | Predicted class: espresso. True class: espresso | Predicted class: shower cap | Predicted class: shower cap. Target class: strainer |
| 12 | Predicted class: bobsled, bobsleigh, bob. True class: bobsled, bobsleigh, bob | Predicted class: hip, rosehip, rosehip | Predicted class: bee. Target class: bakery, bakeshop, bakehouse |
| 13 | Predicted class: grand piano, grand. True class: grand piano, grand | Predicted class: desk | Predicted class: dining table, board. Target class: mailbox, letterbox |
| 14 | Predicted class: geyser. True class: geyser | Predicted class: wreck | Predicted class: beaver. Target class: pug, pug-dog |
| 15 | Predicted class: library. True class: library | Predicted class: bookshop, bookstore, bookstall | Predicted class: bookshop, bookstore, bookstall. Target class: safety pin |

Predicted class refers to the class label given to the input data; true class is the actual class label for the
input data, known as ground truth; target class is the specific class label to predict for a given input, which is
often used in true class

We have also implemented the Carlini and Wagner (C&W) attack. Using the learned
classification model from step 1, we adjust the attack parameters to generate small-sized
image data. We assess the accuracy of the targeted classifier when using adversarial data,
as shown in Table 4. The table displays the impact of the attack on 10 different original
images and their corresponding adversarial examples. To prove our defense, we employ PCA
(Principal Component Analysis) to reduce dimensionality. We create a PCA model by
transforming the perturbed C&W examples using the subspace of the original training
datasets. We then compile and train the model graphs using the PCA train labels. The table
provides an evaluation of defense and accuracy.
The implementation and execution of the DeepFool attack involve configuring attack
parameters to generate adversarial examples and assessing the accuracy of the modified data
on the target classifier. The results of this attack are presented in Table 4, as described
in step 1. We evaluate the impact of this attack on 10 original images and their
corresponding adversarial examples to determine how they affect the numbers displayed. To
enhance defense mechanisms, we employ the denoising autoencoder defense. It involves
training the denoising autoencoder (DAE) and creating graphs for DAE training, which is also
shown in Table 4. We then use the DAE to denoise the DeepFool data and evaluate its
accuracy, to mitigate adversarial perturbations. Afterward, we analyze how many numbers are
displayed after such an attack using 10 different original images and adversarial examples.
These results encompass evaluations for FGSM, DeepFool, C&W, PGD, and the denoising images.

Table 3 Table showing the overall mechanism regarding each technique

| Attacking Algorithm | Resnet-101 (%) | VGG-16 (%) | Densenet-161 (%) | Inc-v4 (%) | AdvIncRes-v1 (%) | AVG |
|---|---|---|---|---|---|---|
| DeepFool | 98.96 | 99.19 | 86.98 | 74.74 | 40.56 | 80.08 |
| Projected Gradient Descent | 97.90 | 99.23 | 75.90 | 78.06 | 41.26 | 78.47 |
| Carlini and Wagner | 98.99 | 96.87 | 68.98 | 77.60 | 43.58 | 77.20 |
| Fast Gradient Sign Method | 98.90 | 98.98 | 70.98 | 88.34 | 58.91 | 83.22 |
| DI-FGSM | 99.96 | 99.90 | 72.58 | 62.28 | 37.28 | 74.40 |
| DTI-FGSM | 99.96 | 99.82 | 74.36 | 64.84 | 38.06 | 75.40 |
| DTMI-FGSM | 99.90 | 99.98 | 90.50 | 82.64 | 40.76 | 82.75 |
| Trans-IFFT-FGSM (ours) | 99.97 | 99.99 | 93.41 | 90.98 | 61.44 | 89.15 |

The five columns starting from row 2 and column 2 (grouped under Feature Engineering) express the feature
engineering methods in applying the attacking algorithm, taking one by one from column 1 starting from row 2.
The extreme right-hand side has two successive columns for attack success rate and accuracy score for every
technique applied. The highlighted values are the effective results taken out in each case
Bold values are my highest results compared with other techniques

Table 4 Sample for training test and validation of Image-Net Dataset for major classes

| Model | ASR | Attack Accuracy |
|---|---|---|
| FGSM | 5.87% | 97.27% |
| PGD | 1.55% | 97.40% |
| C&W | 1.60% | 82.98% |
| DeepFool | 1.66% | 97.53% |
| Trans-IFFT-FGSM | 7.8% | 98.26% (0.73%↑) |

Bold values are the highest attack accuracy and attack success rate results

5 Discussion

In this work, we introduce perturbations into original images using the Trans-IFFT-FGSM
algorithm and apply them to the ImageNet and MNIST datasets. The result for each attack is
calculated as follows:

$$\text{Attack Result} = \sum_{Def \in Def} \sum_{k=1}^{N} \left[ Def(attack(Img_k)) = TLab_k \right] \tag{7}$$

In (7) [47], “Def” represents all defenses in the dataset, and N denotes the total number of
images in the dataset. $Image_k$ represents the kth image in the dataset, and
$TargetLabel_k$, denoted $TLab_k$, is the target label for the kth image. When the boolean
expression is true, it returns 1; otherwise, it returns 0. The score indicates the
aggressiveness of the attack, with higher scores indicating more aggressive attacks. The
classification task in ImageNet and MNIST is a central focus of attacks and defenses in this
challenge. We aim to create robust adversarial attacks on ImageNet and MNIST
classifications.
These adversarial learning problems can be categorized into three main aspects:

Non-targeted Task: The goal is to mislead the classification into a different class, causing
image misclassifications.

Targeted Challenge: The objective is to trick the classification into believing the image
belongs to a specific target class.

Defensive Challenge: This focuses on developing robust classifications to withstand
adversarial attacks. The effectiveness of classifications in the presence of adversarial
attacks is assessed in the defensive challenge.

The first two challenges evaluate how effectively adversarial attacks within the third task
can deceive the classifiers.

5.1 Generating non-targeted and target image adversarial examples

These non-targeted images are intended to deceive the original classification but do not
have a specific class in mind. The original image is displayed on the left, while the
non-targeted adversarial examples are on the right. Both images look very similar, and both
are gondolas.
Table 4 compares the performance of various attack algorithms on the MNIST dataset.
The adversarial attack accuracy ratio indicates the extent of perturbation introduced when
applying these attacking algorithms. Here are the results: FGSM attack achieves an accuracy
of 97.2% with a perturbation ratio of 5.87%. C&W algorithm accuracy after a defense attack
using the PCA Model is 82.98%, with a 1.60% perturbation ratio. DeepFool accuracy after
defense through denoising is 97.53%, with a 1.66% perturbation ratio. Our method achieves
98.26% attack accuracy with a 7.8% attack success rate (ASR). The highlighted values in
the table represent the highest accuracy and corresponding attack success rate for all attack
algorithms achieved after applying the Trans-IFFT-FGSM method, as shown in Fig. 7.
Our work also addressed the curiosity of researchers seeking further insights into
adversarial examples on the ImageNet and MNIST datasets. Future work could explore various
aspects of adversarial examples, for example effective attack strategies, robust feature
extraction, evaluation metrics for harmful features, and the design of more robust defense
mechanisms.

6 Conclusion

In this study, we employ a gradient refinement approach, in contrast to others, to introduce
adversarial perturbations that are transferable and less perceptible. Our proposed method,
Trans-IFFT-FGSM, is designed to be compatible with a wide range of attack techniques by
incorporating input diversity. Extensive tests have been conducted to validate the
effectiveness of our approach. Trans-IFFT-FGSM has demonstrated impressive performance
compared to the state-of-the-art DNN methods. It achieved a notable improvement of 0.73% in
attack success rate (ASR) compared to other well-known algorithms, with higher accuracy. Our
work covers various aspects, such as adversarial perturbation injection and the defense
denoiser method, non-targeted and targeted adversarial attacks, and the application of the
Inverse Fast Fourier Transform (IFFT), denoising via autoencoders, the Fast Gradient Sign
Method (FGSM), Projected Gradient Descent (PGD), the Carlini and Wagner attack (C&W), and
DeepFool. Our proposed model consistently outperformed state-of-the-art methods in our
experiments, achieving an average accuracy rate of 98.26%. These experiments highlight the
potential for improving the efficiency and robustness of the design through adversarial
attacks on our newly developed model.
Data Availability Due to security and ethical policies, data will be available to the corresponding author upon
request.

Declarations

Conflict of interests The authors have no conflict of interest.

References
1. Goodfellow IJ, Shlens J, Szegedy C (2015) Explaining and harnessing adversarial examples. In: Bengio
Y, LeCun Y (eds) ICLR


2. Krizhevsky A, Sutskever I, Hinton GE (2012) "Imagenet classification with deep convolutional neural
networks." Advances in neural information processing systems 25
3. Szegedy C, Zaremba W, Sutskever I, Bruna J, Erhan D, Goodfellow I, Fergus R (2013) Intriguing properties
of neural networks. arXiv:1312.6199
4. Bhattad A, Chong MJ, Liang K, Li B, Forsyth DA (2020) Unrestricted adversarial examples via semantic
manipulation. In: ICLR
5. Miller B, Kantchelian A, Afroz S, Bachwani R, Dauber E, Huang L, Tschantz MC, Joseph AD, Tygar
JD (2014) Adversarial active learning. In: Proceedings of the 2014 workshop on artificial intelligent and
security workshop (pp. 3-14)
6. Dalvi N, Domingos P, Mausam, Sanghai S, Verma D (2004) Adversarial classification. In: Proceedings of
the tenth ACM SIGKDD international conference on Knowledge discovery and data mining (pp. 99-108)
7. Biggio B, Corona I, Maiorca D, Nelson B, Šrndić N, Laskov P, ... , Roli F (2013) Evasion attacks against
machine learning at test time. In: Machine Learning and Knowledge Discovery in Databases: European
Conference, ECML PKDD 2013, Prague, Czech Republic, September 23-27, 2013, Proceedings, Part III
13 (pp. 387-402). Springer Berlin Heidelberg
8. Zhu C, Byrd RH, Lu P, Nocedal J (1997) Algorithm 778: L-BFGS-B: Fortran subroutines for large-scale
bound-constrained optimization. ACM Trans Math Softw (TOMS) 23(4):550–560
9. Akhtar N, Mian A (2018) Threat of adversarial attacks on deep learning in computer vision: A survey.
IEEE Access 6:14410–14430
10. Chen PY, Zhang H, Sharma Y, Yi J, Hsieh CJ (2017) Zoo: Zeroth order optimization based black-box
attacks to deep neural networks without training substitute models. In: Proceedings of the 10th ACM
workshop on artificial intelligence and security (pp. 15-26)
11. Miyato T, Dai AM, Goodfellow I (2016) Adversarial training methods for semi-supervised text
classification. arXiv:1605.07725
12. Vivek BS, Venkatesh Babu R (2020) "Single-step adversarial training with dropout scheduling." 2020
IEEE/CVF conference on computer vision and pattern recognition (CVPR). IEEE
13. Chen PY, Zhang H, Sharma Y, Yi J, Hsieh CJ (2017) Zoo: Zeroth order optimization based black-box
attacks to deep neural networks without training substitute models. In: Proceedings of the 10th ACM
workshop on artificial intelligence and security (pp. 15-26)
14. Tu CC, Ting P, Chen PY, Liu S, Zhang H, Yi J, ... Cheng SM (2019) Autozoom: Autoencoder-based
zeroth order optimization method for attacking black-box neural networks. In: Proceedings of the AAAI
conference on artificial intelligence, vol. 33, no. 01, pp. 742–749
15. Brendel W, Rauber J, Bethge M (2017) Decision-based adversarial attacks: Reliable attacks against
black-box machine learning models. arXiv:1712.04248
16. Russakovsky O, Deng J, Su H, Krause J, Satheesh S, Ma S, Huang Z, Karpathy A, Khosla A, Bernstein
M, Berg AC, Li F-F (2015) Imagenet large scale visual recognition challenge. Int J Comput Vis
17. Dong Y, Liao F, Pang T, Su H, Zhu J, Hu X, Li J (2018) Boosting adversarial attacks with momentum.
In: CVPR
18. Hafemann LG, Sabourin R, Oliveira LS (2019) Characterizing and evaluating adversarial examples for
offline handwritten signature verification. IEEE Trans Inf Forensics Secur 14(8):2153–2166
19. Wang R, Guo Y, Yang R, Wang Y (2021) Exploring transferable and robust adversarial perturbation
generation from the perspective of network hierarchy. arXiv:2108.07033
20. Ehrlich E, Gaedke U (2018) Not attackable or not crackable-How pre-and post-attack defenses with
different competition costs affect prey coexistence and population dynamics. Ecol Evol 8(13):6625–6637
21. Xie C, Wang J, Zhang Z, Ren Z, Yuille A (2017) Mitigating adversarial effects through randomization.
arXiv:1711.01991
22. Guo C, Rana M, Cisse M, Van Der Maaten L (2017) Countering adversarial images using input
transformations. arXiv:1711.00117
23. Song Y, Kim T, Nowozin S, Ermon S, Kushman N (2017) Pixeldefend: Leveraging generative models to
understand and defend against adversarial examples. arXiv:1710.10766
24. Buckman J, Roy A, Raffel C, Goodfellow I (2018) Thermometer encoding: One hot way to resist
adversarial examples. In: International conference on learning representations
25. Samangouei P, Kabkab M, Chellappa R (2018) Defense-gan: Protecting classifiers against adversarial
attacks using generative models. arXiv:1805.06605
26. Ma X, Li B, Wang Y, Erfani SM, Wijewickrema S, Schoenebeck G, Song D, Houle ME, Bailey J (2018)
Characterizing adversarial subspaces using local intrinsic dimensionality. arXiv:1801.02613
27. Dhillon GS, Azizzadenesheli K, Lipton ZC, Bernstein J, Kossaifi J, Khanna A, Anandkumar A (2018)
Stochastic activation pruning for robust adversarial defense. arXiv:1803.01442
28. Cihang X, Zhishuai Z, Yuyin Z, Song B, Jianyu W, Zhou R, Alan Y (2019) Improving transferability of
adversarial examples with input diversity. In: CVPR, IEEE


29. Yinpeng D, Tianyu P, Hang S, Jun Z (2019) Evading defenses to transferable adversarial examples by
translation-invariant attacks. In: CVPR
30. Heng W, Zhou S, Jiang T (2018) Harmonic adversarial attack method. arXiv:1807.10590
31. Guo C, Frank JS, Weinberger KQ (2018) Low frequency adversarial perturbation. arXiv:1809.08758
32. Su J, Vargas D, Sakurai K (2019) One pixel attack for fooling deep neural networks. IEEE Trans Evol
Comput. https://doi.org/10.1109/tevc.2019.2890858
33. Chithaluru P, Al-Turjman F, Stephan T, Kumar M, Kumar S (2023) An Optimized Bio-inspired
Localization Routing Technique for Sustainable IIoT Networks & Green Cities. Sustain Cities Soc 97:104722
34. Aggarwal A, Rani A, Kumar M (2020) A robust method to authenticate car license plates using
segmentation and ROI based approach. Smart Sustain Built Environ 9(4):737–747
35. Kumar M, Srivastava S, Uddin N (2019) Forgery detection using multiple light sources for synthetic
images. Aust J Forensic Sci 51(3):243–250
36. Zhou Y, Hu X, Wang L, Duan S, Chen Y (2018) Markov chain based efficient defense against adversarial
examples in computer vision. IEEE Access 7:5695–5706
37. Wu F, Xiao L, Yang W et al (2020) Defense against adversarial attacks in traffic sign images identification
based on 5G. J Wireless Com Network 2020 173. https://doi.org/10.1186/s13638-020-01775-5
38. Feinman R, Curtin RR, Shintre S, Gardner AB (2017) Detecting Adversarial Samples from Artifacts.
CoRR. arXiv:1703.00410
39. Papernot N, McDaniel P, Goodfellow I, Jha S, Celik ZB, Swami A (2017) In: Proceedings of the 2017
ACM on Asia Conference on Computer and Communications Security. Practical black-box attacks against
machine learning, 2017, pp. 506–519
40. Lin J, Njilla LL, Xiong K (2022) Secure machine learning against adversarial samples at test time.
EURASIP J on Info Security 1. https://doi.org/10.1186/s13635-021-00125-2
41. Haleta P, Likhomanov D, Sokol O (2021) Multitask adversarial attack with dispersion amplification.
EURASIP J on Info Security, 2021, 10. https://doi.org/10.1186/s13635-021-00124-3
42. Samriya JK, Tiwari R, Cheng X, Singh RK, Shankar A, Kumar M (2022) Network intrusion detection
using ACO-DNN model with DVFS based energy optimization in cloud framework. Sustain Comput:
Inform Syst 35:100746
43. Madry A, Makelov A, Schmidt L, Tsipras D, Vladu A (2017) Towards deep learning models resistant to
adversarial attacks. arXiv:1706.06083
44. Zhang Z, Sabuncu M (2018) Generalized cross entropy loss for training deep neural networks with noisy
labels. Advances in neural information processing systems 31
45. Bruno OP, Paul J (2022) Two-dimensional Fourier continuation and applications. SIAM J Sci Comput
44(2):A964-92
46. Zheng J, Su T, Zhu W, He X, Liu QH (2014) Radar high-speed target detection based on the scaled inverse
Fourier transform. IEEE J Sel Top Appl Earth Obs Remote Sens 8(3):1108–19
47. Alex K, Ben H, Goodfellow I (2017) Defense against adversarial attack. NIPS
48. LeCun Y, Cortes C, Burges C (2010) MNIST Handwritten Digit Database. AT & T Labs. vol 2.
http://yann.lecun.com/exdb/mnist
49. Liu X, Li Y, Wu C, Hsieh CJ (2018) Adv-bnn: Improved adversarial defense through robust bayesian
neural network. arXiv:1810.01279
50. Sehar U, Naseem ML (2022) How deep learning is empowering semantic segmentation: Traditional and
deep learning techniques for semantic segmentation: A comparison. Multimed Tools Appl 81(21):30519–44
51. Hu X, Jing L, Sehar U (2022) Joint pyramid attention network for real-time semantic segmentation of
urban scenes. Appl Intell 52(1):580–94

Publisher’s Note Springer Nature remains neutral with regard to jurisdictional claims in published maps and
institutional affiliations.

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under
a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted
manuscript version of this article is solely governed by the terms of such publishing agreement and applicable
law.
