Defending against Adversarial Images using Basis Functions Transformations

TL;DR

This paper evaluates various basis function-based image transformations as defenses against adversarial attacks on deep neural networks, finding JPEG compression most effective and introducing a new white-box attack method based on basis functions.

Contribution

The paper systematically compares basis function transformations for adversarial defense and introduces a novel white-box attack leveraging basis function subsets.

Findings

JPEG compression outperforms other defenses in most settings

Soft-thresholding performs well in specific cases with mild accuracy loss

A new white-box attack using basis function subsets is proposed

Abstract

We study the effectiveness of various approaches that defend against adversarial attacks on deep networks via manipulations based on basis function representations of images. Specifically, we experiment with low-pass filtering, PCA, JPEG compression, low resolution wavelet approximation, and soft-thresholding. We evaluate these defense techniques using three types of popular attacks in black, gray and white-box settings. Our results show JPEG compression tends to outperform the other tested defenses in most of the settings considered, in addition to soft-thresholding, which performs well in specific cases, and yields a more mild decrease in accuracy on benign examples. In addition, we also mathematically derive a novel white-box attack in which the adversarial perturbation is composed only of terms corresponding a to pre-determined subset of the basis functions, of which a "low frequency attack" is a special case.