Defense Against Adversarial Attacks with Saak Transform

TL;DR

This paper introduces a Saak transform-based preprocessing method that enhances the robustness of deep neural networks against adversarial attacks by filtering high-frequency components, outperforming existing defenses on CIFAR-10 and ImageNet.

Contribution

The paper proposes a novel Saak transform-based preprocessing technique that effectively defends against adversarial attacks without degrading performance on clean images.

Findings

Outperforms state-of-the-art adversarial defense methods on CIFAR-10 and ImageNet.

Filtering high-frequency components via Saak transform enhances robustness against adversarial perturbations.

The method maintains accuracy on clean images while providing strong adversarial defense.

Abstract

Deep neural networks (DNNs) are known to be vulnerable to adversarial perturbations, which imposes a serious threat to DNN-based decision systems. In this paper, we propose to apply the lossy Saak transform to adversarially perturbed images as a preprocessing tool to defend against adversarial attacks. Saak transform is a recently-proposed state-of-the-art for computing the spatial-spectral representations of input images. Empirically, we observe that outputs of the Saak transform are very discriminative in differentiating adversarial examples from clean ones. Therefore, we propose a Saak transform based preprocessing method with three steps: 1) transforming an input image to a joint spatial-spectral representation via the forward Saak transform, 2) apply filtering to its high-frequency components, and, 3) reconstructing the image via the inverse Saak transform. The processed image is found to be robust against adversarial perturbations. We conduct extensive experiments to investigate various settings of the Saak transform and filtering functions. Without harming the decision performance on clean images, our method outperforms state-of-the-art adversarial defense methods by a substantial margin on both the CIFAR-10 and ImageNet datasets. Importantly, our results suggest that adversarial perturbations can be effectively and efficiently defended using state-of-the-art frequency analysis.