Encryption Inspired Adversarial Defense for Visual Classification
MaungMaung AprilPyone, Hitoshi Kiya

TL;DR
This paper introduces a novel adversarial defense method inspired by perceptual image encryption, using block-wise pixel shuffling with a secret key, which maintains high accuracy on both clean and adversarial images.
Contribution
The proposed method is a new defense technique based on perceptual encryption principles that effectively counters white-box attacks while preserving accuracy.
Findings
Achieves 91.55% accuracy on clean images
Maintains 89.66% accuracy under adversarial attacks with noise distance 8/255
Outperforms existing state-of-the-art defenses
Abstract
Conventional adversarial defenses reduce classification accuracy whether or not a model is under attack. Moreover, most image-processing-based defenses are defeated due to the problem of obfuscated gradients. In this paper, we propose a new adversarial defense which is a defensive transform for both training and test images inspired by perceptual image encryption methods. The proposed method utilizes a block-wise pixel shuffling method with a secret key. The experiments are carried out on both adaptive and non-adaptive maximum-norm bounded white-box attacks while considering obfuscated gradients. The results show that the proposed defense achieves high accuracy (91.55%) on clean images and (89.66%) on adversarial examples with a noise distance of 8/255 on the CIFAR-10 dataset. Thus, the proposed defense outperforms state-of-the-art adversarial defenses including latent adversarial…
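The sketch below illustrates the block-wise pixel shuffling with a secret key that the abstract describes, applied identically to training and test images; it is an example added here, not the authors' code. The block size of 4, the reuse of one permutation for every block, shuffling colour channels together with pixel positions, the HMAC-SHA256 derivation of the permutation, and all function names are assumptions.

```python
import hashlib
import hmac

def keyed_permutation(key, n):
    """Permutation of range(n) derived from the secret key (assumed derivation)."""
    def tag(i):
        return hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
    return sorted(range(n), key=tag)

def block_shuffle(img, key, m=4, inverse=False):
    """Shuffle (or unshuffle) values inside each m x m block of an H x W x C image.

    img is a nested list img[y][x][channel]; H and W must be multiples of m.
    Assumption: one key-derived permutation is reused for every block.
    """
    h, w, c = len(img), len(img[0]), len(img[0][0])
    if h % m or w % m:
        raise ValueError("image sides must be multiples of the block size")
    perm = keyed_permutation(key, m * m * c)
    out = [[[0] * c for _ in range(w)] for _ in range(h)]
    for by in range(0, h, m):
        for bx in range(0, w, m):
            # Flattened coordinates of this block: m*m*c positions.
            pos = [(by + y, bx + x, ch)
                   for y in range(m) for x in range(m) for ch in range(c)]
            for dst, src in enumerate(perm):
                if inverse:
                    dst, src = src, dst
                (y0, x0, c0), (y1, x1, c1) = pos[dst], pos[src]
                out[y0][x0][c0] = img[y1][x1][c1]
    return out

def block_values(img, by, bx, m=4):
    """Sorted values of one block, to check that shuffling never crosses blocks."""
    return sorted(v for row in img[by:by + m] for px in row[bx:bx + m] for v in px)

def demo():
    # Constructed 8x8 RGB image with 192 distinct values 0..191.
    img = [[[(y * 8 + x) * 3 + ch for ch in range(3)] for x in range(8)]
           for y in range(8)]
    enc = block_shuffle(img, b"constructed-key-A")
    return {
        "roundtrip": block_shuffle(enc, b"constructed-key-A", inverse=True) == img,
        "wrong_key": block_shuffle(enc, b"constructed-key-B", inverse=True) == img,
        "block_kept": block_values(enc, 4, 4) == block_values(img, 4, 4),
    }

if __name__ == "__main__":
    print(demo())
```

The transform only reorders values within a block, so image statistics per block are unchanged while the spatial layout the model sees depends on the key.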
