Defending Adversarial Examples via DNN Bottleneck Reinforcement
Wenqing Liu, Miaojing Shi, Teddy Furon, Li Li

TL;DR
This paper introduces a novel DNN bottleneck reinforcement method that enhances robustness against adversarial attacks by reinforcing the information bottleneck through joint auto-encoder training and frequency steering, without altering the classifier structure.
Contribution
It proposes a new defense mechanism that keeps the classifier structure intact and uses frequency-based reinforcement of the information bottleneck to improve adversarial robustness.
Findings
Effective against various adversarial attacks on MNIST, CIFAR-10, and ImageNet.
Requires no pre-processing head and no modification of the classifier.
Outperforms existing defense methods in experiments.
Abstract
This paper presents a DNN bottleneck reinforcement scheme to alleviate the vulnerability of Deep Neural Networks (DNN) against adversarial attacks. Typical DNN classifiers encode the input image into a compressed latent representation more suitable for inference. This information bottleneck makes a trade-off between the image-specific structure and class-specific information in an image. By reinforcing the former while maintaining the latter, any redundant information, be it adversarial or not, should be removed from the latent representation. Hence, this paper proposes to jointly train an auto-encoder (AE) sharing the same encoding weights with the visual classifier. In order to reinforce the information bottleneck, we introduce the multi-scale low-pass objective and multi-scale high-frequency communication for better frequency steering in the network. Unlike existing approaches, our…
