One Man's Trash is Another Man's Treasure: Resisting Adversarial Examples by Adversarial Examples

TL;DR

This paper proposes a novel defense against adversarial examples in image classification by transforming inputs into adversarial examples on external models, significantly improving robustness and reducing training costs.

Contribution

It introduces a new defense method that leverages adversarial example generation on external models to enhance robustness against attacks.

Findings

Outperforms state-of-the-art defenses on CIFAR-10 and Tiny ImageNet.

Offers lower training cost compared to adversarial training.

Provides stronger robustness against various attack methods.

Abstract

Modern image classification systems are often built on deep neural networks, which suffer from adversarial examples--images with deliberately crafted, imperceptible noise to mislead the network's classification. To defend against adversarial examples, a plausible idea is to obfuscate the network's gradient with respect to the input image. This general idea has inspired a long line of defense methods. Yet, almost all of them have proven vulnerable. We revisit this seemingly flawed idea from a radically different perspective. We embrace the omnipresence of adversarial examples and the numerical procedure of crafting them, and turn this harmful attacking process into a useful defense mechanism. Our defense method is conceptually simple: before feeding an input image for classification, transform it by finding an adversarial example on a pre-trained external model. We evaluate our method against a wide range of possible attacks. On both CIFAR-10 and Tiny ImageNet datasets, our method is significantly more robust than state-of-the-art methods. Particularly, in comparison to adversarial training, our method offers lower training cost as well as stronger robustness.