Improving Resistance to Adversarial Deformations by Regularizing Gradients

TL;DR

This paper introduces flow gradient regularization to enhance neural network robustness against adversarial deformations, outperforming traditional input gradient methods and adversarial training across various datasets and attack types.

Contribution

The paper proposes a novel flow gradient regularization technique that provides a tighter theoretical bound and improves resistance to location-based adversarial deformations.

Findings

Flow gradient regularization outperforms input gradient regularization.

Models trained with flow gradients resist unseen attacks better.

Combining flow gradient regularization with adversarial training yields further robustness.

Abstract

Improving the resistance of deep neural networks against adversarial attacks is important for deploying models to realistic applications. However, most defense methods are designed to defend against intensity perturbations and ignore location perturbations, which should be equally important for deep model security. In this paper, we focus on adversarial deformations, a typical class of location perturbations, and propose a flow gradient regularization to improve the resistance of models. Theoretically, we prove that, compared with input gradient regularization, regularizing flow gradients is able to get a tighter bound. Over multiple datasets, architectures, and adversarial deformations, our empirical results indicate that models trained with flow gradients can acquire a better resistance than trained with input gradients with a large margin, and also better than adversarial training. Moreover, compared with directly training with adversarial deformations, our method can achieve better results in unseen attacks, and combining these two methods can improve the resistance further.