Feature Denoising for Improving Adversarial Robustness

by Cihang Xie, et al.

Adversarial attacks on image classification systems present challenges to convolutional networks and opportunities for understanding them. This study suggests that adversarial perturbations on images lead to noise in the features constructed by these networks. Motivated by this observation, we develop new network architectures that increase adversarial robustness by performing feature denoising. Specifically, our networks contain blocks that denoise the features using non-local means or other filters; the entire networks are trained end-to-end. When combined with adversarial training, our feature denoising networks substantially improve the state-of-the-art in adversarial robustness in both white-box and black-box attack settings. On ImageNet, under 10-iteration PGD white-box attacks where prior art has 27.9% accuracy, our method achieves 55.7%; even under extreme 2000-iteration PGD white-box attacks, our method secures 42.6% accuracy. Our method was ranked first in the Competition on Adversarial Attacks and Defenses (CAAD) 2018: it achieved 50.6% classification accuracy on a secret, ImageNet-like test dataset against 48 unknown attackers, surpassing the runner-up approach by about 10%. Code and models will be made publicly available.
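To make the core idea concrete, here is a minimal NumPy sketch of the non-local means operation the abstract describes: each spatial position in a feature map is replaced by a similarity-weighted mean of all positions. This is an illustrative simplification (the dot-product/softmax variant), not the paper's exact block, which additionally wraps the operation with a 1x1 convolution and a residual connection and trains the whole network end-to-end; the function name and shapes here are assumptions for illustration.

```python
import numpy as np

def nonlocal_denoise(x):
    """Simplified non-local means over a feature map x of shape (C, H, W).

    Each spatial position is replaced by a weighted mean of all positions,
    with weights derived from feature similarity (softmax over dot products).
    Illustrative sketch only: the paper's denoising block also includes a
    learned 1x1 convolution before the residual addition.
    """
    C, H, W = x.shape
    feats = x.reshape(C, H * W).T            # (HW, C): one row per position
    sim = feats @ feats.T                    # pairwise dot-product similarity
    sim -= sim.max(axis=1, keepdims=True)    # numerical stability for softmax
    weights = np.exp(sim)
    weights /= weights.sum(axis=1, keepdims=True)
    denoised = (weights @ feats).T.reshape(C, H, W)
    return x + denoised                      # residual connection

# Usage: denoise a random 8-channel 4x4 feature map
x = np.random.randn(8, 4, 4)
y = nonlocal_denoise(x)
assert y.shape == x.shape
```

The softmax over pairwise similarities means positions carrying correlated (signal-like) features reinforce each other, while spatially scattered, uncorrelated perturbation noise is averaged down, which is the intuition behind using such blocks for robustness.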


