Can Attention Masks Improve Adversarial Robustness?

TL;DR

This paper investigates whether attention masks can enhance adversarial robustness in deep neural networks, showing promising results especially on complex datasets like MS-COCO by reducing background influence.

Contribution

It introduces the idea that attention masks, which eliminate background information, can improve adversarial robustness, especially on complex datasets, bridging previous conflicting findings.

Findings

Attention masks improve robustness on MS-COCO by over 20%.

Foreground attention masks reduce background influence in classification.

Initial results support the hypothesis that background elimination enhances robustness.

Abstract

Deep Neural Networks (DNNs) are known to be susceptible to adversarial examples. Adversarial examples are maliciously crafted inputs that are designed to fool a model, but appear normal to human beings. Recent work has shown that pixel discretization can be used to make classifiers for MNIST highly robust to adversarial examples. However, pixel discretization fails to provide significant protection on more complex datasets. In this paper, we take the first step towards reconciling these contrary findings. Focusing on the observation that discrete pixelization in MNIST makes the background completely black and foreground completely white, we hypothesize that the important property for increasing robustness is the elimination of image background using attention masks before classifying an object. To examine this hypothesis, we create foreground attention masks for two different datasets, GTSRB and MS-COCO. Our initial results suggest that using attention mask leads to improved robustness. On the adversarially trained classifiers, we see an adversarial robustness increase of over 20% on MS-COCO.