An effective deep learning adversarial defense method based on spatial structural constraints in embedding space

Abstract

Deep neural networks are highly vulnerable to adversarial samples. Most existing adversarial defense methods do not consider the distribution of adversarial samples. We argue that very few adversarial samples in the natural sample set prevent the deep neural networks from learning a complete and effective representation of the adversarial samples. This causes the spatial structures between the natural and the adversarial samples to be vastly different from that of the input space, thus making the models vulnerable to adversarial attacks. Based on this viewpoint, this paper proposes an effective deep-learning adversarial defense method, which incorporates information about the spatial structures of the natural and the adversarial samples in the embedding space during the training process. This proposed approach improves the deep learning model’s generalization to new adversarial samples and achieves the purpose of defending against adversarial attacks. Four deep neural networks with different scales are used and experimentally verified on four typical publicly available image data. The experimental results show that our method effectively improves the defense ability of deep learning models against adversarial attacks.