Unifying Bilateral Filtering and Adversarial Training for Robust Neural Networks

TL;DR

This paper introduces a novel defense mechanism for neural networks using bilateral filtering, which effectively reduces adversarial examples and enhances robustness against various attack strategies, especially when combined with adversarial training.

Contribution

The work unifies bilateral filtering with adversarial training to significantly improve neural network robustness against adversarial attacks.

Findings

Bilateral filtering removes over 90% of adversarial examples without knowledge of the defense.

Adapting bilateral filtering as a trainable layer enhances robustness on ImageNet.

Adversarial training with the filter makes models resistant to strong attack methods.

Abstract

Recent analysis of deep neural networks has revealed their vulnerability to carefully structured adversarial examples. Many effective algorithms exist to craft these adversarial examples, but performant defenses seem to be far away. In this work, we explore the use of edge-aware bilateral filtering as a projection back to the space of natural images. We show that bilateral filtering is an effective defense in multiple attack settings, where the strength of the adversary gradually increases. In the case of an adversary who has no knowledge of the defense, bilateral filtering can remove more than 90% of adversarial examples from a variety of different attacks. To evaluate against an adversary with complete knowledge of our defense, we adapt the bilateral filter as a trainable layer in a neural network and show that adding this layer makes ImageNet images significantly more robust to attacks. When trained under a framework of adversarial training, we show that the resulting model is hard to fool with even the best attack methods.