Enhancing Adversarial Defense by k-Winners-Take-All

TL;DR

This paper introduces k-Winners-Take-All activation functions to neural networks, which improve robustness against gradient-based adversarial attacks by intentionally invalidating gradients at certain input points, with minimal training overhead.

Contribution

The paper presents a novel activation function, k-WTA, that enhances adversarial robustness by disrupting gradient-based attacks while maintaining training efficiency.

Findings

k-WTA activation increases adversarial robustness across various network architectures.

Discontinuities in k-WTA prevent effective gradient-based adversarial search.

k-WTA networks outperform traditional networks under white-box attacks.

Abstract

We propose a simple change to existing neural network structures for better defending against gradient-based adversarial attacks. Instead of using popular activation functions (such as ReLU), we advocate the use of k-Winners-Take-All (k-WTA) activation, a C0 discontinuous function that purposely invalidates the neural network model's gradient at densely distributed input data points. The proposed k-WTA activation can be readily used in nearly all existing networks and training methods with no significant overhead. Our proposal is theoretically rationalized. We analyze why the discontinuities in k-WTA networks can largely prevent gradient-based search of adversarial examples and why they at the same time remain innocuous to the network training. This understanding is also empirically backed. We test k-WTA activation on various network structures optimized by a training method, be it adversarial training or not. In all cases, the robustness of k-WTA networks outperforms that of traditional networks under white-box attacks.