Feature Denoising for Improving Adversarial Robustness

TL;DR

This paper introduces feature denoising blocks in neural networks to enhance adversarial robustness, significantly improving accuracy against various attack methods on ImageNet, and achieving top results in a competitive challenge.

Contribution

The authors propose a novel feature denoising approach integrated into network architectures, trained end-to-end, to substantially boost adversarial robustness beyond existing methods.

Findings

Achieves 55.7% accuracy under 10-iteration PGD white-box attacks on ImageNet.

Secures 42.6% accuracy under 2000-iteration PGD attacks.

Ranked first in CAAD 2018 with 50.6% accuracy on a secret dataset.

Abstract

Adversarial attacks to image classification systems present challenges to convolutional networks and opportunities for understanding them. This study suggests that adversarial perturbations on images lead to noise in the features constructed by these networks. Motivated by this observation, we develop new network architectures that increase adversarial robustness by performing feature denoising. Specifically, our networks contain blocks that denoise the features using non-local means or other filters; the entire networks are trained end-to-end. When combined with adversarial training, our feature denoising networks substantially improve the state-of-the-art in adversarial robustness in both white-box and black-box attack settings. On ImageNet, under 10-iteration PGD white-box attacks where prior art has 27.9% accuracy, our method achieves 55.7%; even under extreme 2000-iteration PGD white-box attacks, our method secures 42.6% accuracy. Our method was ranked first in Competition on Adversarial Attacks and Defenses (CAAD) 2018 --- it achieved 50.6% classification accuracy on a secret, ImageNet-like test dataset against 48 unknown attackers, surpassing the runner-up approach by ~10%. Code is available at https://github.com/facebookresearch/ImageNet-Adversarial-Training.