Foveation-based Mechanisms Alleviate Adversarial Examples
Yan Luo, Xavier Boix, Gemma Roig, Tomaso Poggio, Qi Zhao

TL;DR
This paper demonstrates that applying foveation mechanisms to CNNs can significantly reduce the impact of adversarial examples by leveraging local linearity in neural responses, improving robustness without retraining.
Contribution
It introduces a foveation-based approach to mitigate adversarial perturbations and revises the understanding of CNNs' local linearity in the context of adversarial robustness.
Findings
Foveation reduces adversarial perturbation effects in CNNs.
CNNs act locally linearly in object regions, non-linearly elsewhere.
Foveation maintains accuracy against adversarial examples nearly as well as unperturbed images.
Abstract
We show that adversarial examples, i.e., the visually imperceptible perturbations that cause Convolutional Neural Networks (CNNs) to fail, can be alleviated with a mechanism based on foveations, that is, applying the CNN in different image regions. To see this, first, we report results in ImageNet that lead to a revision of the hypothesis that adversarial perturbations are a consequence of CNNs acting as a linear classifier: CNNs act locally linearly to changes in the image regions with objects recognized by the CNN, and in other regions the CNN may act non-linearly. Then, we corroborate that when the neural responses are linear, applying the foveation mechanism to the adversarial example tends to significantly reduce the effect of the perturbation. This is because, hypothetically, the CNNs for ImageNet are robust to changes of scale and translation of the object produced by the foveation, but…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Malware Detection Techniques · Physical Unclonable Functions (PUFs) and Hardware Security
