Researchers have tested a new way to improve the defense of artificial neural networks in AI systems. The method is expected to protect sensitive AI-based applications from attackers.
For the first time, researchers augmented a neural network’s inner layers with a process involving random noise to improve its resilience.
Tokyo/Japan – Most artificially intelligent systems are based on neural networks, algorithms inspired by the biological neurons found in the brain. These networks can consist of multiple layers, with inputs entering on one side and outputs leaving on the other. The outputs can be used to make automatic decisions, for example in driverless cars. Attacks that mislead a neural network can exploit vulnerabilities in the input layer, and typically only that initial input layer is considered when engineering a defense.
Artificial intelligence (AI) has become a relatively common thing; chances are you have a smartphone with an AI assistant or you use a search engine powered by AI. While it’s a broad term that can include many different ways to essentially process information and sometimes make decisions, AI systems are often built using artificial neural networks (ANN) analogous to those of the brain. And like the brain, ANNs can sometimes get confused, either by accident or by the deliberate actions of a third party. Think of something like an optical illusion — it might make you feel like you are looking at one thing when you are really looking at another.
The difference between what confuses an ANN and what confuses us, however, is that an input can look perfectly normal, or at least understandable, to a human and still be interpreted as something completely different by the ANN.
A trivial example might be an image-classifying system mistaking a cat for a dog, but a more serious example could be a driverless car mistaking a stop signal for a right-of-way sign. And it’s not just the already controversial example of driverless cars; there are medical diagnostic systems, and many other sensitive applications that take inputs and inform, or even make, decisions that can affect people.
As inputs aren’t necessarily visual, it’s not always easy to see at a glance why a system made a mistake. Attackers trying to disrupt an ANN-based system can take advantage of this by subtly altering an expected input pattern so that it is misinterpreted and the system behaves wrongly, perhaps even harmfully. Defenses against attacks like these exist, but they have limitations. Recent graduate Jumpei Ukita and Professor Kenichi Ohki from the Department of Physiology at the University of Tokyo Graduate School of Medicine devised and tested a new way to improve ANN defense.
“Neural networks typically comprise layers of virtual neurons. The first layers will often be responsible for analyzing inputs by identifying the elements that correspond to a certain input,” said Ohki. “An attacker might supply an image with artifacts that trick the network into misclassifying it. A typical defense for such an attack might be to deliberately introduce some noise into this first layer. It sounds counterintuitive that this might help, but by doing so, it allows for greater adaptations to a visual scene or other set of inputs. However, this method is not always so effective and we thought we could improve the matter by looking beyond the input layer to further inside the network.”
Ukita and Ohki aren’t just computer scientists. They have also studied the human brain, and this inspired them to use a phenomenon they knew about there in an ANN. This was to add noise not only to the input layer, but to deeper layers as well. This is typically avoided as it’s feared that it will impact the effectiveness of the network under normal conditions. But the duo found this not to be the case, and instead the noise promoted greater adaptability in their test ANN, which reduced its susceptibility to simulated adversarial attacks.
“Our first step was to devise a hypothetical method of attack that strikes deeper than the input layer. Such an attack would need to withstand the resilience of a network with a standard noise defense on its input layer. We call these feature-space adversarial examples,” said Ukita. “These attacks work by supplying an input intentionally far from, rather than near to, the input that an ANN can correctly classify. But the trick is to present subtly misleading artifacts to the deeper layers instead. Once we demonstrated the danger from such an attack, we injected random noise into the deeper hidden layers of the network to boost their adaptability and therefore defensive capability. We are happy to report it works.”
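The mechanics described in the three preceding paragraphs, as an added, constructed illustration rather than the authors' code or their exact procedure (the article only outlines the attack and the defense): a six-pixel, two-feature ReLU network with hand-picked weights; a gradient-descent "feature adversary" that drives an input's hidden features onto those of a target input, which is the construction of Sabour et al. (ICLR 2016) and is assumed here as a stand-in for the feature-space attack in the text; Gaussian noise injected either at the input layer (the usual defense) or in the hidden layer (the deeper-layer variant); and a stability probe that counts how often stochastic forward passes agree with the deterministic label. The weights, the two inputs and the attack routine are all assumptions of this example.

```python
"""Constructed toy: feature-space adversarial examples versus noise injected
at the input layer or in a hidden layer.  Not the authors' code or method."""
import math
import random

# Hand-picked weights (assumption, not a trained model).
# Feature 0 sums "pixels" 0-2, feature 1 sums pixels 3-5.  The +0.5 bias keeps
# both ReLUs active on [0, 1]^6, so the attack below never hits a dead unit.
W1 = [[1, 1, 1, 0, 0, 0],
      [0, 0, 0, 1, 1, 1]]
B1 = [0.5, 0.5]
W2 = [[1, -1],            # class 0 when feature 0 dominates
      [-1, 1]]            # class 1 when feature 1 dominates
B2 = [0.0, 0.0]


def features(x, sigma_in=0.0, sigma_h=0.0, rng=random):
    """Hidden-layer activations h = relu(W1 x + b1).
    sigma_in > 0 adds Gaussian noise to the input layer (the usual defense);
    sigma_h  > 0 adds it to the hidden layer instead (deeper-layer noise)."""
    if sigma_in > 0:
        x = [xi + rng.gauss(0.0, sigma_in) for xi in x]
    h = []
    for w, b in zip(W1, B1):
        pre = sum(wi * xi for wi, xi in zip(w, x)) + b
        act = max(pre, 0.0)
        if sigma_h > 0:
            act += rng.gauss(0.0, sigma_h)
        h.append(act)
    return h


def logits(h):
    return [sum(wi * hi for wi, hi in zip(w, h)) + b for w, b in zip(W2, B2)]


def predict(x, **noise):
    z = logits(features(x, **noise))
    return max(range(len(z)), key=z.__getitem__)


def feature_space_attack(x_src, x_tgt, steps=80, lr=0.05):
    """Drive the hidden features of x_src onto those of x_tgt by gradient
    descent on L = ||h(x) - h(x_tgt)||^2, with hand-written backprop through
    the ReLU and pixels clipped to [0, 1].  Feature-adversary construction of
    Sabour et al. (ICLR 2016), assumed as a stand-in for the article's attack."""
    h_tgt = features(x_tgt)
    x = list(x_src)
    for _ in range(steps):
        pre = [sum(wi * xi for wi, xi in zip(w, x)) + b for w, b in zip(W1, B1)]
        h = [max(p, 0.0) for p in pre]
        d_h = [2.0 * (hi - ti) for hi, ti in zip(h, h_tgt)]
        d_pre = [dh if p > 0 else 0.0 for dh, p in zip(d_h, pre)]   # ReLU'
        d_x = [sum(W1[j][i] * d_pre[j] for j in range(len(W1)))
               for i in range(len(x))]
        x = [min(1.0, max(0.0, xi - lr * gi)) for xi, gi in zip(x, d_x)]
    return x


def l2(a, b):
    return math.sqrt(sum((ai - bi) ** 2 for ai, bi in zip(a, b)))


def label_stability(x, n=200, seed=0, **noise):
    """Fraction of n stochastic forward passes that agree with the
    deterministic label: a cheap probe of how far an input sits from the
    decision boundary under the chosen noise (pass sigma_in= or sigma_h=)."""
    rng = random.Random(seed)
    base = predict(x)
    agree = sum(predict(x, rng=rng, **noise) == base for _ in range(n))
    return agree / n


X_SRC = [1.0, 1.0, 1.0, 0.0, 0.0, 0.0]   # constructed: clear class-0 input
X_TGT = [0.0, 0.0, 0.0, 1.0, 0.0, 0.0]   # constructed: class-1 input

if __name__ == "__main__":
    x_adv = feature_space_attack(X_SRC, X_TGT)
    for name, x in (("source", X_SRC), ("target", X_TGT), ("adv", x_adv)):
        print(f"{name:6s} class={predict(x)} features="
              f"{[round(v, 4) for v in features(x)]}")
    print("adv pixels:", [round(v, 3) for v in x_adv])
    print(f"L2(adv, src)={l2(x_adv, X_SRC):.3f}  L2(adv, tgt)={l2(x_adv, X_TGT):.3f}")
    for kw in ({"sigma_in": 0.1}, {"sigma_h": 0.1}, {"sigma_h": 1.0}):
        print(kw, "stability src=%.2f adv=%.2f" % (
            label_stability(X_SRC, **kw), label_stability(x_adv, **kw)))
```

Running it shows the point made in the quote above: the adversarial input ends up about 1.83 from the source and about 0.82 from the target in pixel space (it is [0, 0, 0, 1/3, 1/3, 1/3], unlike either), yet its hidden features equal the target's to floating-point precision, so the readout layer cannot tell them apart and labels it class 1. The stability probe reports 1.0 for both the clean and the adversarial input at sigma 0.1, whether the noise goes into the input or the hidden layer: noise added at inference to a fixed, hand-built network moves neither label. Whether noise in deeper layers makes a trained network's features harder to hijack is the empirical claim of the paper and is not reproduced by this toy; the probe is only the measurement hook you would point at a real model.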
While the new idea does prove robust, the team wishes to develop it further to make it even more effective against anticipated attacks, as well as other kinds of attacks they have not yet tested it against. At present, the defense only works on this specific kind of attack.
Date: 08.12.2025
“Future attackers might try to consider attacks that can escape the feature-space noise we considered in this research,” said Ukita. “Indeed, attack and defense are two sides of the same coin; it’s an arms race that neither side will back down from, so we need to continually iterate, improve and innovate new ideas in order to protect the systems we use every day.”
Papers
Jumpei Ukita and Kenichi Ohki, "Adversarial attacks and defenses using feature-space stochasticity," Neural Networks: September 16, 2023, doi:10.1016/j.neunet.2023.08.022.