Abstract
Image classification systems are known to be vulnerable to adversarial attacks: inputs that are imperceptibly perturbed yet lead to grossly wrong classifications. Adversarial training is one of the most effective defenses for improving the robustness of classifiers. In this work we introduce an enhanced adversarial training approach. Motivated by humans' consistently accurate perception of their surroundings, we explore the artificial attention of deep neural networks in the context of adversarial classification. We begin with an empirical analysis of how the attention of an artificial system changes as the model undergoes adversarial attack. We observe that the class-specific attention is diverted, which subsequently induces the wrong prediction. To that end, we propose a regularizer that encourages consistency between the artificial attention on a clean image and on its adversarial counterpart. Our method shows improved empirical robustness over the state of the art, achieving 55.74% adversarial accuracy on CIFAR-10 with a perturbation budget of 8/255 under the challenging untargeted attack in the white-box setting. Further evaluations on CIFAR-100 also show the potential of our approach for a desirable boost in the adversarial robustness of deep neural networks. Code and trained models for our work are available at: https://github.com/lizhuorong/Towards-Adversarial-Robustness-via-Feature-matching.
Highlights
Whereas deep neural networks perform a variety of computer vision tasks with superior accuracy, their performance degrades spectacularly under the ubiquitous threat of adversarial attacks [1]
Experiment settings: following common protocols [18] for evaluating adversarially trained models, we consider untargeted attacks, since a defense robust to untargeted adversarial attacks is stronger than one that is only robust to targeted attacks [24]
We perform extensive experiments on two benchmark datasets, CIFAR-10 and CIFAR-100 [33]. The former is widely used in adversarial training literature [18], [22], [34], [35] and the latter is more challenging as the number of training images per class is only one-tenth of that in CIFAR-10
Summary
Whereas deep neural networks perform a variety of computer vision tasks with superior accuracy, their performance degrades spectacularly under the ubiquitous threat of adversarial attacks [1]. Serious concerns arise when deep neural networks are applied to real-world applications, especially in reliability- and security-critical systems [5]–[8]. This problem has garnered enormous attention and has spurred extensive work on defenses. Consider an example x ∈ R^d and the corresponding label y ∈ [k] drawn from an underlying data distribution D, together with a predefined loss function L, e.g., the cross-entropy loss widely used in image classification. Though models trained by ERM work well on held-out test data, they degrade spectacularly under adversarial attack because of the induced distribution shift [2], [9].
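To make the two ingredients of the abstract concrete, the L_inf perturbation budget of 8/255 and a regularizer that penalizes disagreement between the attention maps of a clean image and of its adversarial counterpart, here is an added example in plain Python. It is not the paper's code and does not reproduce the paper's regularizer: the page does not state the exact form, so the mean squared difference between normalized attention maps, the weighting factor `lam`, and the flat-list representation of images and maps are all assumptions chosen for illustration. The sample image and attention maps are constructed inline.

```python
"""Attention-consistency regularizer and L_inf budget projection (illustrative).

Assumptions (not stated on the page): images and attention maps are flat lists
of floats; pixel values lie in [0, 1]; attention maps are non-negative and are
normalized to sum to 1; the consistency term is the mean squared difference
between the clean and adversarial maps; the overall objective adds that term,
weighted by `lam`, to the task loss on the adversarial example.
"""

EPS = 8 / 255  # perturbation budget quoted on the page (CIFAR-10, L_inf)


def project_to_budget(clean, perturbed, eps=EPS):
    """Clip every pixel of `perturbed` into [clean - eps, clean + eps] and into [0, 1].

    A defender evaluating robustness needs the evaluation input to respect the
    stated budget; this is the projection that enforces it.
    """
    out = []
    for c, p in zip(clean, perturbed):
        lo, hi = max(0.0, c - eps), min(1.0, c + eps)
        out.append(min(max(p, lo), hi))
    return out


def linf_distance(a, b):
    """Largest per-pixel absolute difference between two images."""
    return max(abs(x - y) for x, y in zip(a, b))


def normalize_attention(raw):
    """Turn a raw non-negative saliency map into a distribution over locations.

    An all-zero map is mapped to the uniform distribution so the regularizer
    stays well defined (assumed handling of this edge case).
    """
    total = sum(raw)
    if total <= 0:
        return [1.0 / len(raw)] * len(raw)
    return [v / total for v in raw]


def attention_consistency(att_clean, att_adv):
    """Mean squared difference between two normalized attention maps (assumed form).

    Zero when the network attends to the same regions on the clean image and
    its adversarial counterpart; grows as the class-specific attention drifts.
    """
    n = len(att_clean)
    return sum((a - b) ** 2 for a, b in zip(att_clean, att_adv)) / n


def regularized_loss(task_loss_adv, att_clean, att_adv, lam=1.0):
    """Adversarial-training objective plus the weighted consistency term (assumed form)."""
    return task_loss_adv + lam * attention_consistency(att_clean, att_adv)


def demo():
    """Run the pieces on constructed data and return the quantities of interest."""
    # Constructed 4-pixel "image" and an over-budget perturbation of it.
    clean = [0.5, 0.2, 0.9, 0.1]
    perturbed = [0.6, 0.2, 1.0, 0.0]
    projected = project_to_budget(clean, perturbed)

    # Constructed attention maps: clean attention peaks on location 1, the
    # adversarial one has been diverted to location 3.
    att_clean = normalize_attention([0.1, 0.7, 0.1, 0.1])
    att_adv = normalize_attention([0.1, 0.1, 0.1, 0.7])

    return {
        "projected": projected,
        "linf_after_projection": linf_distance(clean, projected),
        "consistency_penalty": attention_consistency(att_clean, att_adv),
        "total_loss": regularized_loss(1.25, att_clean, att_adv, lam=2.0),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `project_to_budget` step is what keeps a robustness evaluation honest: any reported adversarial accuracy at 8/255 only means something if every evaluated input stays inside that ball. The consistency term is zero for identical maps and rises as attention is diverted, which is the behaviour the abstract's regularizer is meant to discourage.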