Adversarial Defense based on Structure-to-Signal Autoencoders

TL;DR

This paper introduces S2SNets, autoencoders trained to filter out class-specific signals from inputs, providing a novel defense mechanism against adversarial attacks on deep neural networks, with evaluations on ImageNet.

Contribution

The paper proposes a new adversarial defense method using structure-to-signal autoencoders trained in a two-stage process, enhancing robustness against various attack scenarios.

Findings

S2SNets effectively reduce class-dependent signals in inputs.

The approach achieves comparable robustness to state-of-the-art defenses in white-box scenarios.

Analysis reveals differences in adversarial vulnerability and transferability among popular CNN architectures.

Abstract

Adversarial attack methods have demonstrated the fragility of deep neural networks. Their imperceptible perturbations are frequently able fool classifiers into potentially dangerous misclassifications. We propose a novel way to interpret adversarial perturbations in terms of the effective input signal that classifiers actually use. Based on this, we apply specially trained autoencoders, referred to as S2SNets, as defense mechanism. They follow a two-stage training scheme: first unsupervised, followed by a fine-tuning of the decoder, using gradients from an existing classifier. S2SNets induce a shift in the distribution of gradients propagated through them, stripping them from class-dependent signal. We analyze their robustness against several white-box and gray-box scenarios on the large ImageNet dataset. Our approach reaches comparable resilience in white-box attack scenarios as other state-of-the-art defenses in gray-box scenarios. We further analyze the relationships of AlexNet, VGG 16, ResNet 50 and Inception v3 in adversarial space, and found that VGG 16 is the easiest to fool, while perturbations from ResNet 50 are the most transferable.