Abstract
Recent works have shown the effectiveness of randomized smoothing in adversarial defense. This paper presents a new understanding of randomized smoothing. Features that are vulnerable to noise are not conducive to the prediction of model under adversarial perturbations. An enhanced defense called Attention-based Randomized Smoothing (ARS) is proposed. Based on smoothed classifier, ARS designs a mixed attention module, which helps model merge smoothed feature with original feature and pay more attention to robust feature. The advantages of ARS are manifested in four ways: 1) Superior performance on both clean and adversarial samples. 2) Without pre-processing in inference. 3) Explicable attention map. 4) Compatible with other defense methods. Experiment results demonstrate that ARS achieves the state-of-the-art defense against adversarial attacks on MNIST and CIFAR-10 datasets, outperforming Salman’s defense when the attacks are limited to a maximum norm.
Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
