Deep Defense: Training DNNs with Improved Adversarial Robustness
Ziang Yan, Yiwen Guo, Changshui Zhang

TL;DR
Deep Defense introduces a novel training method that enhances the adversarial robustness of deep neural networks by integrating an adversarial perturbation-based regularizer into the training process, significantly improving resistance to attacks.
Contribution
The paper proposes 'deep defense', a new training approach that effectively increases DNN robustness against adversarial attacks by incorporating a regularizer based on adversarial perturbations.
Findings
Outperforms previous regularization methods on multiple datasets
Achieves higher robustness across various DNN architectures
Demonstrates effectiveness on MNIST, CIFAR-10, and ImageNet
Abstract
Despite their efficacy on a variety of computer vision tasks, deep neural networks (DNNs) are vulnerable to adversarial attacks, limiting their applications in security-critical systems. Recent works have shown the possibility of generating imperceptibly perturbed image inputs (a.k.a. adversarial examples) to fool well-trained DNN classifiers into making arbitrary predictions. To address this problem, we propose a training recipe named "deep defense". Our core idea is to integrate an adversarial perturbation-based regularizer into the classification objective, such that the obtained models learn to resist potential attacks, directly and precisely. The whole optimization problem is solved just like training a recursive network. Experimental results demonstrate that our method outperforms training with adversarial/Parseval regularizations by large margins on various datasets (including…
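The abstract describes the core idea only at a high level: a regularizer built from the minimal adversarial perturbation of each training point is added to the classification loss, and gradients flow through the perturbation computation itself. The following is an added illustration, not the paper's code or its exact objective. It reduces the idea to the one case where the minimal perturbation has a closed form, an affine classifier f(x) = w·x + b, whose smallest L2 perturbation to the decision boundary is |f(x)| / ||w||. The regularizer exp(-rho_i) on correctly classified points, the weighting lam, the weight decay and the two-blob dataset are all assumptions chosen for the demonstration; the real method operates on deep networks and on a perturbation computed by an iterative attack unrolled as a recursive network.

```python
import numpy as np


def make_data(n=200, seed=0):
    """Constructed toy data: two 2-D Gaussian blobs with labels -1 / +1."""
    rng = np.random.default_rng(seed)
    x_pos = rng.normal(loc=[1.5, 1.5], scale=1.0, size=(n // 2, 2))
    x_neg = rng.normal(loc=[-1.5, -1.5], scale=1.0, size=(n // 2, 2))
    X = np.vstack([x_pos, x_neg])
    y = np.concatenate([np.ones(n // 2), -np.ones(n // 2)])
    return X, y


def min_adv_perturbation(w, b, X):
    """L2 distance of each row of X to the boundary of f(x) = w.x + b,
    i.e. |f(x)| / ||w||: the smallest perturbation that can flip the label
    of a linear classifier (the closed form an iterative attack reduces to here)."""
    return np.abs(X @ w + b) / np.linalg.norm(w)


def adversarial_example(w, b, x):
    """Move x along -f(x) w / ||w||^2 to the boundary, overshooting slightly so the sign flips."""
    f = w @ x + b
    r = -(f / (w @ w)) * w
    return x + 1.001 * r


def train(X, y, lam, epochs=300, lr=0.05, weight_decay=1e-2):
    """Gradient descent on: logistic loss + weight decay + lam * R(w, b),
    where R is the mean of exp(-rho_i) over correctly classified points and
    rho_i = y_i f(x_i) / ||w|| is the point's minimal adversarial perturbation.
    The regularizer's gradient is taken through rho_i itself (assumed form)."""
    rng = np.random.default_rng(1)
    w = rng.normal(scale=0.1, size=X.shape[1])
    b = 0.0
    n = len(y)
    for _ in range(epochs):
        z = X @ w + b
        s = 1.0 / (1.0 + np.exp(y * z))          # 1 - sigmoid(y z)
        g = -y * s                               # d/dz of log(1 + exp(-y z))
        gw = X.T @ g / n + weight_decay * w
        gb = g.mean()
        if lam > 0:
            norm = np.linalg.norm(w)
            margin = y * z                       # > 0 when the point is correct
            correct = margin > 0
            rho = margin / norm
            # dR/drho_i = -exp(-rho_i) / n_correct on correct points, 0 elsewhere
            dr = np.where(correct, -np.exp(-rho), 0.0) / max(int(correct.sum()), 1)
            # drho_i/dw = y_i x_i / ||w|| - margin_i w / ||w||^3 ; drho_i/db = y_i / ||w||
            gw += lam * (X.T @ (dr * y) / norm - (dr * margin).sum() * w / norm**3)
            gb += lam * (dr * y).sum() / norm
        w -= lr * gw
        b -= lr * gb
    return w, b


def evaluate(w, b, X, y):
    """Accuracy and mean minimal perturbation over correctly classified points."""
    pred = np.sign(X @ w + b)
    acc = float((pred == y).mean())
    mean_rho = float(min_adv_perturbation(w, b, X)[pred == y].mean())
    return acc, mean_rho


def closed_form_demo():
    """Check the closed form on w=(3,4), b=0, x=(1,0): distance 0.6 and a flipped label."""
    w = np.array([3.0, 4.0])
    b = 0.0
    x = np.array([1.0, 0.0])
    dist = float(min_adv_perturbation(w, b, x[None, :])[0])
    x_adv = adversarial_example(w, b, x)
    flipped = bool(np.sign(w @ x_adv + b) != np.sign(w @ x + b))
    pert_norm = float(np.linalg.norm(x_adv - x))
    return dist, flipped, pert_norm


def run_comparison():
    """Train with and without the perturbation regularizer on the toy data."""
    X, y = make_data()
    results = {}
    for lam in (0.0, 1.0):
        w, b = train(X, y, lam)
        results[lam] = evaluate(w, b, X, y)
    return results


if __name__ == "__main__":
    print("closed form (distance, flipped, perturbation norm):", closed_form_demo())
    for lam, (acc, rho) in run_comparison().items():
        print(f"lam={lam}: accuracy={acc:.3f}, mean minimal perturbation={rho:.3f}")
```

The regularizer depends on w only through the geometric margin y f(x) / ||w||, so it is scale invariant and pushes the boundary away from the data rather than merely inflating the weights; that is the property a perturbation-based term adds over plain weight decay.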
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Bacillus and Francisella bacterial research · Anomaly Detection Techniques and Applications
