Towards Robust Image Classification Using Sequential Attention Models

TL;DR

This paper introduces a neural network with a human-inspired sequential attention mechanism that enhances adversarial robustness and reveals new types of adversarial examples with salient, recognizable structures.

Contribution

The paper presents a novel attention-augmented neural network that improves adversarial robustness and demonstrates a dynamic 'computational race' between attack and defense strategies.

Findings

Attention improves ImageNet accuracy under attacks

Varying attention steps enhances defense capabilities

Adversarial examples can contain recognizable, salient structures

Abstract

In this paper we propose to augment a modern neural-network architecture with an attention model inspired by human perception. Specifically, we adversarially train and analyze a neural model incorporating a human inspired, visual attention component that is guided by a recurrent top-down sequential process. Our experimental evaluation uncovers several notable findings about the robustness and behavior of this new model. First, introducing attention to the model significantly improves adversarial robustness resulting in state-of-the-art ImageNet accuracies under a wide range of random targeted attack strengths. Second, we show that by varying the number of attention steps (glances/fixations) for which the model is unrolled, we are able to make its defense capabilities stronger, even in light of stronger attacks --- resulting in a "computational race" between the attacker and the defender. Finally, we show that some of the adversarial examples generated by attacking our model are quite different from conventional adversarial examples --- they contain global, salient and spatially coherent structures coming from the target class that would be recognizable even to a human, and work by distracting the attention of the model away from the main object in the original image.