Defending from adversarial examples with a two-stream architecture

TL;DR

This paper introduces a two-stream neural network architecture that enhances robustness against adversarial examples by leveraging high- and low-resolution feature extraction, providing a promising defense mechanism.

Contribution

The paper proposes a novel two-stream architecture inspired by security systems to defend CNNs from adversarial attacks, demonstrating improved robustness.

Findings

The two-stream model effectively defends against various attack methods.

Experimental results show increased robustness compared to single-stream models.

The approach is difficult to defeat with current state-of-the-art attacks.

Abstract

In recent years, deep learning has shown impressive performance on many tasks. However, recent researches showed that deep learning systems are vulnerable to small, specially crafted perturbations that are imperceptible to humans. Images with such perturbations are the so called adversarial examples, which have proven to be an indisputable threat to the DNN based applications. The lack of better understanding of the DNNs has prevented the development of efficient defenses against adversarial examples. In this paper, we propose a two-stream architecture to protect CNN from attacking by adversarial examples. Our model draws on the idea of "two-stream" which commonly used in the security field, and successfully defends different kinds of attack methods by the differences of "high-resolution" and "low-resolution" networks in feature extraction. We provide a reasonable interpretation on why our two-stream architecture is difficult to defeat, and show experimentally that our method is hard to defeat with state-of-the-art attacks. We demonstrate that our two-stream architecture is robust to adversarial examples built by currently known attacking algorithms.