Ensemble Generative Cleaning with Feedback Loops for Defending Adversarial Attacks

TL;DR

This paper introduces EGC-FL, a novel defense method combining a transformed deadzone layer and a feedback loop generative network to effectively protect neural networks from adversarial attacks, significantly improving accuracy.

Contribution

The paper proposes a new ensemble generative cleaning method with feedback loops and a transformed deadzone layer for robust adversarial defense, outperforming existing techniques.

Findings

Improves white-box PGD attack accuracy by over 29% on SVHN.

Enhances defense against black-box attacks with large margins.

Significantly outperforms prior methods in experimental evaluations.

Abstract

Effective defense of deep neural networks against adversarial attacks remains a challenging problem, especially under powerful white-box attacks. In this paper, we develop a new method called ensemble generative cleaning with feedback loops (EGC-FL) for effective defense of deep neural networks. The proposed EGC-FL method is based on two central ideas. First, we introduce a transformed deadzone layer into the defense network, which consists of an orthonormal transform and a deadzone-based activation function, to destroy the sophisticated noise pattern of adversarial attacks. Second, by constructing a generative cleaning network with a feedback loop, we are able to generate an ensemble of diverse estimations of the original clean image. We then learn a network to fuse this set of diverse estimations together to restore the original image. Our extensive experimental results demonstrate that our approach improves the state-of-art by large margins in both white-box and black-box attacks. It significantly improves the classification accuracy for white-box PGD attacks upon the second best method by more than 29% on the SVHN dataset and more than 39% on the challenging CIFAR-10 dataset.