Consensus Adversarial Defense Method Based on Augmented Examples

Deep learning has been used in many computer-vision-based industrial Internet of Things applications. However, deep neural networks are vulnerable to adversarial examples that have been crafted specifically to fool a system while being imperceptible to humans. In this article, we propose a consensus defense (Cons-Def) method to defend against adversarial attacks. Cons-Def implements classification and detection based on the consensus of the classifications of the augmented examples, which are generated based on an individually implemented intensity exchange on the red, green, and blue components of the input image. We train a CNN using augmented examples together with their original examples. For the test image to be assigned to a specific class, the class occurrence of the classifications on its augmented images should be the maximum and reach a defined threshold. Otherwise, it is detected as an adversarial example. The comparison experiments are implemented on MNIST, CIFAR-10, and ImageNet. The average defense success rate (DSR) against white-box attacks on the test sets of the three datasets is 80.3%. The average DSR against black-box attacks on CIFAR-10 is 91.4%. The average classification accuracies of Cons-Def on benign examples of the three datasets are 98.0%, 78.3%, and 66.1%. The experimental results show that Cons-Def shows a high classification performance on benign examples and is robust against white-box and black-box adversarial attacks.


I. INTRODUCTION
Convolutional neural networks (CNNs) have achieved state-of-the-art results in numerous computer vision tasks [1] and have been involved in many industrial Internet of Things (IIoT) topics, such as mobile target tracking [2], intrusion detection [3], and edge computing [4]. However, CNN models are vulnerable to adversarial examples that are usually crafted by injecting small perturbations into benign examples [1], [5]. Although small perturbations are imperceptible to humans, they can fool CNN models and pose a serious threat to critical security applications [5]. Recently, several studies have focused on security topics in IIoT [2], [6], and some studies have crafted adversarial examples to attack IIoT systems [7]. Adversarial defense is a crucial concern in CNN applications.
Several adversarial attack approaches have been designed to fool CNN models in the field of image classification and recognition. Adversarial attacks can be launched either in the digital domain [8]-[14] or in the physical domain [15]. Digital attacks can be launched from four bases: 1) gradient-based attacks, such as fast gradient sign method (FGSM) [8], projected gradient descent (PGD) [9], and DeepFool [10]; 2) optimization search-based attacks, such as Carlini and Wagner (C&W) attacks [11] and Jacobian-based saliency map attacks (JSMAs) [12]; 3) network-based attacks [13]; and 4) randomness-based attacks [14]. Although digital attacks are complicated, many of them involve gradients. C&W attack employs gradients for optimization. The training of network-based attacks usually depends on the backpropagation of the gradient [13]. For randomness-based attacks, gradients can also be employed to design adversarial attacks [14].
Since adversarial attacks typically craft adversarial examples based on gradients, we intend to design a gradient-based defense method that efficiently utilizes attack results. The gradients are embedded in the images. Since adversarial attacks are inevitable, we do not aim to prevent them but induce them to produce contradictory results. Motivated by this idea, the following three conditions should be addressed. First, we can expand an input image to multiple images with varying gradients. Second, the varying gradients can induce different classifications. Finally, if the second condition is addressed, how do we use heterogeneous classifications on augmented examples to defend against adversarial attacks? Hence, we propose a consensus defense (Cons-Def) method to address these three conditions in this article. Cons-Def contains two modules: augmentation training and consensus testing. First, we augment the training set to train a CNN model in which every image generates multiple augmented images based on intensity exchange. Subsequently, we implement consensus decision-making on a group of augmented test examples to defend against adversarial attacks, that is, the test image is classified into a class supported by the classification of the supermajority if the number of supports is not less than a threshold. Otherwise, it is determined to be an adversarial example. Fig. 1 illustrates the defense mechanism used in this article. Fig. 1(a) shows a benign example. Fig. 1(b) and (c) show the corresponding FGSM perturbation and adversarial example, respectively. The red module in Fig. 1 shows the test results for Cons-Def. The blue module shows FGSM attacks on the augmented examples. To show the details, the perturbations in Fig. 1 are translated to be nonnegative and then magnified by 10. The augmented perturbations in Fig. 1(d) vary to FGSM perturbations in Fig. 1

The main contributions of this article are summarized as follows.
1) We propose a consensus decision-making method based on a group of augmented examples to defend against adversarial attacks. We expand the input image to augmented images with varying gradients. Augmented perturbations are usually different from adversarial perturbations; therefore, CNN models cannot easily be fooled on all the augmented examples.
2) We propose a strategy to implement adversarial classification and detection simultaneously. Classification and detection are two popular adversarial defense tasks. Based on the literature, defense studies usually aim for adversarial classification or detection. Herein, we implement adversarial classification and detection simultaneously to improve defense performance.
The rest of this article is organized as follows. Related works are presented in Section II. In Section III, the preliminaries and our proposed framework are introduced. Cons-Def algorithms are presented in Section IV. The comparison experiments are presented in Section V. Finally, Section VI concludes this article.

A. Adversarial Attacks
Many adversarial attack techniques have been developed to fool CNNs for computer vision tasks. Generally, adversarial attacks can be categorized as white-box or black-box attacks [1], [5], [14]. In the white-box case, the attacker has comprehensive knowledge of the model and the training data. In a black-box attack, the attacker does not have knowledge of the model. Although attacks can be launched in the physical domain [15], we focus on attacks launched in the digital domain.
1) White-Box Attacks: Several white-box attack methods have been established. Since we focus on adversarial defense, the following widely used attacks are employed for testing in this article.
FGSM [8]: FGSM is a classical gradient-based attack. The FGSM generates adversarial examples based on the gradient of the loss function with respect to the input image. FGSM inversely changes the intensities of the pixels in the input image to achieve its purpose. Some pixels with low intensities are perturbed with positive perturbations. Meanwhile, some pixels with high intensities are perturbed by negative perturbations.
C&W attack [11]: Instead of leveraging training loss, Carlini and Wagner designed a loss function and optimized it to craft adversarial examples. C&W attacks are widely regarded as one of the strongest attacks and are usually employed in the defense literature for comparison.
JSMA [12]: JSMA uses an adversarial saliency map to find the input pixels with the greatest impact on the specific output of the target model. It searches several critical pixels with large weights using loop technology. JSMA is usually much slower than the FGSM and C&W attacks.
PGD [9]: PGD iteratively applies FGSM multiple times with a small step size and can be considered an extension of FGSM. PGD attacks are typically much stronger than FGSM attacks.
DeepFool [10]: DeepFool iterates a gradient-based increment to obtain adversarial examples. The adversarial example is linearly iterated by the initial input image.
2) Black-Box Attacks: Within the scope of adversarial attacks, black-box attacks are usually produced by transferability between architectures. Adversarial examples generated on one classifier can sometimes cause another classifier to produce misclassifications, even if the classifier has a different architecture or is trained on disjoint datasets [1], [5]. A black-box attack produces adversarial examples on a known classifier (a source model) and transfers them to a target classifier, where the attacker has no information about the target model.
1) Training-Based Defenses: Goodfellow et al. [8] developed adversarial training by injecting adversarial examples into the training set to enhance the robustness of the CNN model. Kannan et al. [16] proposed an adversarial logit pairing (ALP) method that encourages logits for pairs of examples to be similar. Some studies used learning-based methods to generate adversarial examples and design defense methods, such as defense with conditional generative adversarial networks (CGAN) [17]. By combining adversarial training in shallow layers and an attention weight-based model, Chen et al. [1] proposed an adversarial defense method by refocusing on critical areas and strengthening object contours (RCA-SOC). Zhu et al. [18] proposed a dual-domain-based adversarial defense (DD-AD) method based on a conditional variational autoencoder and Bayesian network. Mustafa et al. [5] proposed a deeply supervised discriminative learning (DSDL) method to defend against adversarial attacks. In this article, we trained models based on augmented examples.
2) Gradient-Based Defenses: Since many adversarial attacks are launched based on gradients, several methods defend against adversarial attacks based on gradients. Dabouei et al. [19] proposed a joint gradient phase and magnitude regularization (GPMR) method to explore practical defense. However, GPMR appears to be sensitive to the attack parameters. Anish et al. [20] summarized defense based on obfuscated gradients into three types: shattered gradients, stochastic gradients, and exploding and vanishing gradients. Defenses relying on obfuscated gradients focus on gradient masking, which leaves attackers with no useful gradients [20]. Cons-Def launches adversarial defense using augmented images with varying gradients. Heterogeneous gradients are useful for Cons-Def.
3) Input and Output-Based Defenses: Contrary to injecting adversarial perturbation for adversarial training, several studies apply image transformation, such as JPEG compression [21], PixelDefend [22], total variance minimization (TVM) [23], and the sparse transformation layer (STL) method [24], in adversarial defense. PixelDefend first purifies input images and then feeds them to the classifier for classification [22]. TVM is a compressed sensing approach that combines pixel dropout with variation minimization [23]. STL first projects input images into a quasi-natural image space and then feeds the projections to the networks [24]. Some studies implemented adversarial defense based on the output, such as feature squeezing (Feat-Squ) [25]. Feat-Squ detects an adversarial example by comparing its prediction on the original sample with that of the sample after squeezing [25]. In our design, the classifications on the augmented adversarial images are usually heterogeneous. We use the consensus of the classifications on the augmented examples to implement adversarial defense.

4) Knowledge-Based Defenses: Many studies have implemented adversarial defense based on statistical knowledge. Defensive distillation extracts the knowledge of class probabilities to reduce the success rate of adversarial sample crafting [26]. Liu et al. [27] proposed an enhanced spatial rich model to implement adversarial detection, in which steganalysis was applied to estimate the probability of modifications caused by adversarial attacks.

A. Preliminaries
Generally, CNN is successively made of several convolutional and pooling layers, followed by one or more fully connected (FC) layers and an output layer. Fig. 2 shows a CNN architecture that is suitable for classification tasks. In this article, we denote the CNN-based image classification model as F with parameters θ.
Adversarial attacks are typically generated by optimization [5], shown as follows: where $\delta$ is the perturbation of the input image $x$, $\varepsilon \ge 0$ is a given small constant, $L$ is a proper loss function, and $\|\cdot\|$ is a norm operator. An attacker searches for an adversarial sample $x_{adv} = x + \delta$ that lies locally around $x$ but changes the prediction of the classifier as much as possible.

Many defensive techniques against adversarial attacks have been proposed recently [8], [16]-[27]. Based on the evaluation metrics, they can be divided into two categories: one is classification-based defense, which aims to correctly classify adversarial examples. The other is a detection-based defense that aims to distinguish clean and adversarial examples.
where $N_{adv}$ is the number of adversarial examples, $n_{adv}(l_p = l_T)$ is the number of adversarial examples correctly classified, and $n_{adv}(d = 1)$ is the number of adversarial examples correctly detected.
Since an input example may also be a benign example, the defense accuracy on benign examples is also evaluated in the literature. Some adversarial detection methods implement evaluations using true-positive rate and false-positive rate (FPR). Generally, FPR is reported on benign examples. The accuracy on benign examples denoted as acc is shown as follows: where $N_{ben}$ is the number of benign examples, and $n_{ben}(l_p = l_T)$ is the number of benign examples correctly classified.

B. Framework Overview
The main task of our proposed Cons-Def method is to implement classification and detection based on the consensus of the classifications on the augmented examples. As shown in Fig. 3, the outline of our proposed Cons-Def method comprises two modules. The first is augmentation training, and the second is consensus testing.
Let $S = \{x_0, x_1, \ldots, x_{N-1}\}$ be a set composed of $N$ training images, and its label set be $Y = \{y_0, y_1, \ldots, y_{N-1}\}$. Taking an RGB image $x$ as an example, let $x^{(0)}$, $x^{(1)}$, and $x^{(2)}$ be the red (R), green (G), and blue (B) component images of $x$, respectively [see Fig. 3(a2)]. For every component image, we arrange its intensities from low to high and generate an intensity list. We then split every list into $2^k$ blocks, where $k = k_1, k_1 + 1, \ldots, k_1 + s - 1$, and obtain $s$ intensity exchange lists, as shown by the intensity exchange module in Fig. 3(a3). Taking the split $k = k_1$ as an example, let the block length of the split be $l_1$. The $i$th intensity in the first block is exchanged with the $i$th intensity in the second block, $i = 1, 2, \ldots, l_1$

Finally, defense results are obtained, as shown in Fig. 3(b6). If the vertical coordinate of the histogram peak is not less than a given threshold $T_c$, the input image is classified into the class at the peak. Otherwise, it is detected as an adversarial input.

IV. DEFENSE ALGORITHMS
In this section, we present the details of the implementation of the proposed method. First, the algorithms used for training and testing are presented. We then analyze the computational complexity of our method.

A. Augmentation Training
Adversarial attacks usually craft perturbations based on gradients. The main purpose of data augmentation is to produce new images such that their gradients are opposite to each other. To address this, we use intensity exchange technology to augment the training set. Let The augmentation method on the training set is shown in Algorithm 1, where $S_A$ is the augmented image set and $Y_A$ is the corresponding label set; $\mathbb{Z}^{s^3 N \times H \times W \times 3}$ and $\mathbb{Z}^{s^3 N}$ are integer spaces in the size of is the augmentation module on a component image, as shown in Algorithm 2, and $\lceil \cdot \rceil$ is the least integer function.
After the training set is augmented using Algorithms 1 and 2, we combine the original and augmented examples to train the CNN model, shown as follows: where $S_T$ is the set of training images for Cons-Def, and $Y_T$ is the label set corresponding to $S_T$.
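The intensity-exchange augmentation described in Section III-B and in this subsection, sketched in Python as an added example (not the authors' code). It reads the split as $2^k$ blocks, takes the intensity list to be the distinct intensities present in a component, and assumes blocks are exchanged in adjacent pairs, since the description on this page is cut off after the first pair; the 4 x 4 sample image is constructed.

```python
from itertools import product


def exchange_map(channel, k):
    """Build the intensity-exchange lookup for one split into 2**k blocks."""
    # Intensity list: distinct intensities of the component, low to high
    # (assumption: only intensities present in the image are listed).
    levels = sorted({v for row in channel for v in row})
    n_blocks = 2 ** k
    block_len = max(1, -(-len(levels) // n_blocks))  # ceiling division
    mapping = {v: v for v in levels}
    # Assumption: blocks are paired (1st, 2nd), (3rd, 4th), ... and the i-th
    # intensity of one block swaps with the i-th intensity of its partner.
    for start in range(0, len(levels), 2 * block_len):
        first = levels[start:start + block_len]
        second = levels[start + block_len:start + 2 * block_len]
        for a, b in zip(first, second):  # a short last block leaves extras unchanged
            mapping[a], mapping[b] = b, a
    return mapping


def augment_component(channel, k1, s):
    """Return the s exchanged versions of one component (k = k1 .. k1+s-1)."""
    out = []
    for k in range(k1, k1 + s):
        m = exchange_map(channel, k)
        out.append([[m[v] for v in row] for row in channel])
    return out


def augment_rgb(image, k1, s):
    """Expand an H x W image of (r, g, b) tuples into s**3 augmented images."""
    planes = [[[px[c] for px in row] for row in image] for c in range(3)]
    variants = [augment_component(p, k1, s) for p in planes]
    height, width = len(image), len(image[0])
    augmented = []
    # Every combination of one R, one G and one B variant gives one image.
    for r, g, b in product(range(s), repeat=3):
        augmented.append([
            [(variants[0][r][y][x], variants[1][g][y][x], variants[2][b][y][x])
             for x in range(width)]
            for y in range(height)
        ])
    return augmented


# Constructed 4 x 4 sample image: each channel holds 16 distinct intensities.
SAMPLE = [[(16 * (4 * y + x), 255 - 16 * (4 * y + x), 8 * (4 * y + x))
           for x in range(4)] for y in range(4)]

if __name__ == "__main__":
    images = augment_rgb(SAMPLE, k1=1, s=2)
    print(len(images), "augmented images; first pixel of each:")
    for img in images:
        print(img[0][0])
```

Each exchange is a permutation of the intensity list, so every augmented component keeps the original histogram while the spatial pattern of bright and dark pixels changes.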

B. Consensus Testing
Our defense scheme leverages the consensus on the predictions of augmented examples. The test image $x$ [see Fig. 3(b1)] may be a benign or adversarial example. Let $x_{pc}$ be the padding and cropping image of $x$ [see Fig. 3(b2)], and the augmented images of $x_{pc}$ be $x_A$ [see Fig. 3(b3)]. We implement classifications on $x_A$ using the model obtained in Fig. 3(a7). Let the predicted labels on $x_A$ be $\hat{Y}_A = \{\hat{y}_0, \hat{y}_1, \ldots, \hat{y}_{s^3-1}\}$ [see Fig. 3(b4)]. Furthermore, let $\hat{Y}$ be composed of different elements of $\hat{Y}_A$, i.e., and $\tilde{n}_i$ be the number of occurrences of $\tilde{y}_i$ in $\hat{Y}_A$ [see Fig. 3(b5)], i.e., $\tilde{n}_i =$ where $\hat{y}_k \in \hat{Y}_A$. Based on (8) and (9), the inference scheme is implemented as follows: where $\hat{y}_x$ is the inferred classification, $T_c$ is a given threshold, and $\hat{y}_x = -1$ shows that the test image $x$ is inferred as an adversarial example. In detail, the test procedure is shown in Algorithm 3.

Algorithm 3 (surviving steps):
2: Classify examples in $x_A$ to produce $\hat{Y}_A$ using the trained model
3: Obtain $\hat{Y}$ using $\hat{Y}_A$
4: Count the occurrences of the predicted labels using (9)
5: Produce classification using (10)

C. Complexity Analysis
We analyze the algorithm complexity to show the time efficiency. Since Cons-Def trains models offline, the runtime of the test is analyzed. As shown in Algorithm 3, the test algorithm mainly contains two modules: input augmentation and model classification. In the augmentation stage, three intensity lists are first obtained, and the operations on every list are approximated to $WHL$. Subsequently, every component image is expanded to $s$ augmented images, and the operations of every augmentation implemented in Algorithm 2 are approximated to $WHL$. The operations involved in input augmentation are approximated as $3(s + 1)WHL$. Since Cons-Def implements classifications on all augmented images, the operations on the classifications are approximated as $s^3 C$, where $C$ is the number of computations of the classification on one image. Overall, the operations of Cons-Def can be approximated as $3(s + 1)WHL + s^3 C$.

V. EXPERIMENTS
In this section, experiments are implemented to demonstrate the defense performance of the proposed Cons-Def method. We first train models using augmented datasets and then implement classification and adversarial detection on corresponding test sets. We use a computer with an i5-7500 3.4 GHz CPU, 32 GiB system memory, and a GeForce GTX 1080Ti GPU to conduct the experiments. The experiments are implemented based on the CleverHans package [28] using TensorFlow-gpu-1.12.0.

A. Setup
Datasets: In this article, experiments are conducted on MNIST [29], CIFAR-10 [30], and ImageNet [31]. MNIST consists of 70 k gray images of handwritten digits in classes 0 to 9. The MNIST images, including 60 k training images and 10 k testing images, are 28 × 28 pixels. The CIFAR-10 dataset consists of 60 k 32 × 32 pixel RGB images, including 50 k images for training and 10 k images for testing. Since ImageNet is a large-scale dataset, many studies have selected a subset for defense tests [23]-[25]. In this article, experiments on ImageNet are conducted on ImageNet-10, which is extracted from the first ten classes in the dataset, e.g., tench, goldfish, great white shark, and tiger shark. ImageNet-10 consists of 13 k training images and 500 test images.
Networks: To implement the experiments on the datasets, we adopt six models with different convolutional structures. The architecture on MNIST, denoted as CNN-M, is mainly structured in three convolutional layers. This is identical to the basic model in the CleverHans package. For the CIFAR-10 dataset, we train three models: CNN-DT used in defensive distillation [26], ResNet-50 [32], and VGG-16 used in PixelDefend [22]. The CNN-DT network is structured into four convolutional layers, two pooling layers, and two FC layers. For convenience, we denote CNN-DT as 4C+2P+2FC and use similar notations in the following sections. For ImageNet-10, three models are employed in the experiments: ResNet-50 [32], ResNet-101 [32], and Inception-v3 used in RCA-SOC [1]. The training parameters are summarized in Table I. The momentum is set to 0.9. The learning rate is initialized at 0.045 and decayed every two epochs at an exponential rate of 0.94.
Metrics: Because a robust defense method should show high accuracy on benign and adversarial examples, the CA and acc shown in (2) and (4) are both reported in our comparison experiments. Moreover, our proposed method could classify adversarial examples and detect adversarial attacks, and we use the defense success rate (DSR) to evaluate the defense ability against adversarial attacks, shown as follows: (11) where $N_{adv}$, $n_{adv}(l_p = l_T)$, and $n_{adv}(d = 1)$ are given in (2) and (3), respectively.

B. Parameter Tuning
Our proposed method includes three main parameters. The intensity list on the component image is first divided into $2^k$, $k = k_1, k_1 + 1, \ldots, k_1 + s - 1$, splits to augment examples. The method then uses the threshold $T_c$ to implement classification and discrimination in the test stage (see Fig. 3). Clearly, $k_1$, $s$, and $T_c$ are the three parameters of our method. For convenience, we fix $k_1 = 3$ and use the one-factor-at-a-time method to tune the parameters $s$ and $T_c$ on CIFAR-10.

$$\mathrm{DSR}^{\dagger} = \frac{n_{ben}(l_p = l_T) + n_{adv}(l_p = l_T) + n_{adv}(d = 1)}{N_{adv} + N_{ben}} \tag{12}$$

where the notations are shown in (2)-(4). For parameter $T_c$, we fix parameter $s$ at 4, and select nine levels 32, 36, . . . , 64 for the experiments. Table II lists the ablation experiments on the threshold $T_c$. The DSR$^{\dagger}$ results in Table II are reported on the CIFAR-10 test set using Model 64. The perturbation parameters of the FGSM and PGD are both set to 0.03, i.e., $\varepsilon_F = \varepsilon_P = 0.03$. The number of iterations for PGD is set to 10 with a step size of $\varepsilon_P/4$. The number of iteration steps for C&W is set to 1000 with a learning rate of 0.01. The constant parameter $c$ for the C&W attack is set to 10. The parameter of the maximum distortion percentage for JSMA is set as $\gamma = 0.1$. The number of maximum iterations for DeepFool is set to $it_{DF} = 50$, where DeepFool is abbreviated as DFool in Table II. As summarized in Table II, $T_c = 60$ achieves the highest DSR$^{\dagger}$ of 80.0%. In this article, $T_c = 60$ is chosen to defend against adversarial attacks on Model 64.
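How the threshold T_c trades benign accuracy against detection, as an added Python example (not the authors' code): it applies the consensus rule from the Consensus Testing subsection and sweeps T_c over the nine levels used above, scoring each level with DSR† as in (12). The vote histograms are constructed for illustration, and resolving a tie at the histogram peak to the smallest label is an assumption.

```python
from collections import Counter

ADVERSARIAL = -1  # value the inference rule assigns to a detected adversarial input


def consensus_infer(votes, t_c):
    """Return the consensus class of the s**3 predicted labels, or ADVERSARIAL."""
    counts = Counter(votes)
    peak = max(counts.values())
    # Assumption: a tie at the histogram peak resolves to the smallest label.
    label = min(lab for lab, n in counts.items() if n == peak)
    return label if peak >= t_c else ADVERSARIAL


def dsr_dagger(benign, adversarial, t_c):
    """DSR-dagger of (12) over lists of (votes, true_label) pairs."""
    hits = sum(consensus_infer(v, t_c) == y for v, y in benign)
    # An adversarial example counts when it is classified correctly or detected.
    hits += sum(consensus_infer(v, t_c) in (y, ADVERSARIAL) for v, y in adversarial)
    return hits / (len(benign) + len(adversarial))


def sweep(benign, adversarial, levels):
    """Score every threshold and return (scores, best threshold)."""
    scores = {t: dsr_dagger(benign, adversarial, t) for t in levels}
    return scores, max(scores, key=scores.get)


def votes(*label_counts):
    """Expand (label, count) pairs into a flat list of predicted labels."""
    return [lab for lab, n in label_counts for _ in range(n)]


# Constructed vote histograms for s = 4 (64 augmented images), true class 3.
BENIGN = [
    (votes((3, 64)), 3),            # unanimous
    (votes((3, 58), (5, 6)), 3),    # strong consensus
    (votes((3, 45), (8, 19)), 3),   # weak consensus, rejected once T_c > 45
]
ADVERSARIAL_SET = [
    (votes((7, 40), (3, 24)), 3),           # wrong peak, caught once T_c > 40
    (votes((3, 30), (7, 20), (1, 14)), 3),  # scattered votes, always detected
    (votes((7, 62), (3, 2)), 3),            # wrong peak, caught only at T_c = 64
]
LEVELS = range(32, 65, 4)  # the nine levels 32, 36, ..., 64

if __name__ == "__main__":
    scores, best = sweep(BENIGN, ADVERSARIAL_SET, LEVELS)
    for t in LEVELS:
        print(f"T_c={t:2d}  DSR-dagger={scores[t]:.3f}")
    print("best T_c:", best)
```

On this constructed set a low threshold lets confidently wrong peaks through, while a high one rejects benign inputs with weaker consensus, so the score peaks at an intermediate level.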

C. Defense Against White-Box Attacks
For MNIST, we train the models on a network with the structure of 3C+1FC. The clean model is trained using 60 k training  Table I. We report the robustness of the model using a standard perturbation for FGSM and PGD [5], i.e., $\varepsilon_F$ and $\varepsilon_P$ are both set to 0.3 on the MNIST test set. The attack parameters for C&W, JSMA, and DeepFool are the same as those listed in Table II. Table III presents the comparison experiments against FGSM, C&W, JSMA, PGD, and DeepFool attacks on the MNIST test set. The accuracies in the "clean" row are obtained on the test set using the clean model without any defense strategy. Since our method can simultaneously classify and detect adversarial examples, both CA and DSR are summarized in Table III, where Res20 is the abbreviation for ResNet-20. The defense threshold $T_c$ is set to 5. The test experiments on JSMA are implemented on the first 1000 images of the test set.
Cons-Def is robust to adversarial attacks. Although the comparison results in Table III result Table I.  Tables IV and V list the comparison results on CIFAR-10 and ImageNet-10, respectively. The perturbations for the FGSM and PGD are both set to 0.03 [5], i.e., $\varepsilon_F = \varepsilon_P = 0.03$. The attack parameters for C&W, JSMA, and DeepFool are the same as those listed in Table II. Since JSMA requires more memory than what is available to run, we could not test it on the ResNet, VGG-16, and Inception-v3 networks. From Table IV, our method shows high performance in adversarial defense. The results in the first three lines in Table IV indicate that clean models without a defense strategy are heavily attacked. Compared to clean models, Cons-Def achieves high performance on CA and DSR. This result suggests that Cons-Def is effective against adversarial attacks. Our experiments on the CNN-DT, ResNet-50, and VGG-16 networks show that the same attack with the same parameters could drive different networks to produce significantly different accuracies. The results in Table IV are obtained using three types of structures. The results of Cons-Def-CNN are compared with those of basic convolutional networks, i.e., JPEG compression (JPEG-comp) [21] and GPMR [19]. The average CA of GPMR against the four attacks is 43.2%, which is smaller than the 52.5% for the Cons-Def-CNN. Furthermore, because Cons-Def-CNN could detect adversarial examples, the CAs of JPEG-comp and GPMR are smaller than the DSRs of Cons-Def-CNN. We compare the Cons-Def-Res50 with ADP$_{2,0.5}$ [33], CGAN [17], and DSDL [5]. The average CAs of ADP$_{2,0.5}$ and DSDL are 34.8% and 44.1%, respectively.  [23], and STL [24]. Cons-Def-Res50 shows its superiority to TVM and image quilting in terms of CA and DSR. The DSRs of Cons-Def-Res50 are all greater than the CAs of TVM, image quilting, and STL except for the case of STL on FGSM. For Inception-v3, the DSRs of Cons-Def-V3 are all higher than the CAs of ALP [16] and RCA-SOC [1].
Overall, the average CA and DSR of Cons-Def on the three datasets are 48.3% and 80.3%, respectively. Although Cons-Def is not sufficiently strong for classification, it is robust in terms of DSR. Comparison experiments on MNIST, CIFAR-10, and ImageNet-10 suggest that Cons-Def shows superiority against white-box attacks.

D. Defense Against Black-Box Attacks
In this section, we present defense results against black-box attacks on CIFAR-10. We study the transferability of the CNN-DT, ResNet-50, and VGG-16 models. In this article, FGSM, C&W, PGD, and DeepFool are employed for black-box attacks. The parameters of the attacks are the same as those listed in Table IV.

E. Accuracy on Benign Examples
In this section, we show the resulting accuracies on benign examples in Table VII using (4). The accuracies in the "clean" row are obtained on the clean model without any defense strategy. The models in the "augmented" row are trained on our augmented training sets, and the accuracies in the row are tested with original test examples without augmentation. The accuracies in the row of Cons-Def in Table VII result from the augmented models and our defense scheme.
Cons-Def achieves high performance on benign examples. As summarized in Table VII, the average accuracies of the clean, augmented, and Cons-Def models are 82.5%, 83.5%, and 75.9%, respectively. Compared to the clean models, the average improvement in the accuracies of the augmented models is 1.0%. Intensity-based data augmentation is advantageous for classification purposes. The average accuracies of the clean model on the three datasets are 99.3%, 88.8%, and 70.7%, respectively. The average accuracies of Cons-Def on the three datasets are 98.0%, 78.3%, and 66.1%, respectively. Correspondingly, the average losses of Cons-Def on the three datasets are 1.3%, 10.4%, and 4.5%, respectively. Overall, Cons-Def correctly classified most benign examples, and the deficiency of our method on the benign examples is limited in an acceptable range. Cons-Def exhibits high performance on benign examples.

F. Robustness Experiments
Adversarial examples are crafted using attack parameters. Since different parameters produce different attack powers, we test the robustness against these parameters. Fig. 5 shows the defense results against white-box attacks on CIFAR-10. The experimental parameters of FGSM, C&W, PGD, and DeepFool are $\varepsilon_F$, $c$, $\varepsilon_P$, and $it_{DF}$, respectively. To test the robustness of Cons-Def, five levels are chosen for the four perturbation parameters: $\varepsilon_F = \varepsilon_P = 0.01, 0.03, 0.1, 0.3, 0.8$, $c = 0.01, 0.1, 1.0, 10, 1000$, and $it_{DF} = 1, 2, 10, 50, 500$. The blue and red bars indicate classification and detection accuracies, respectively.
As shown in Fig. 5(b) and (d), Cons-Def is robust to adversarial examples crafted by C&W and DeepFool. Although the DSRs shown in Fig. 5(a) are distributed over a large range, the red bars in Fig. 5(a) indicate that Cons-Def is robust against adversarial detection. As shown in Fig. 5(c), Cons-Def is not robust to PGD attacks.

G. Time Complexity
In this section, we evaluate the runtime of Cons-Def on the MNIST, CIFAR-10, and ImageNet-10 test sets. Table VIII lists the average defense time of Cons-Def. The results of the CPU and GPU show the augmentation and model test times per image, respectively. As summarized in Table VIII, the time cost for the different models ranges from 0.003 to 0.738 s per image. The runtime is related to the size of the data examples. A larger example often requires more processing time. The average defense speed of ResNet-50 and ResNet-101 against the adversarial input on ImageNet-10 with a size of 224 × 224 is approximately 2 fps. For Inception-v3, the input size is 299 × 299, and the defense speed is less than 2 fps. Cons-Def is less efficient in terms of the runtime.

VI. CONCLUSION
In this article, a consensus defense method was proposed. The experimental results showed that the structure of the network plays an important role in an attack. The same white-box attack with the same parameters can drive different networks to produce significantly different accuracies. For black-box attacks, the attack performance varies significantly with respect to the structure of the source network. Therefore, we plan to study the propagation errors of perturbations in our future work.