Shape Defense Against Adversarial Attacks

TL;DR

This paper introduces two algorithms that incorporate shape information, specifically edges, into CNNs to enhance their robustness against adversarial attacks and natural image corruptions, demonstrating significant improvements across multiple datasets.

Contribution

The paper proposes novel edge-based algorithms for CNN robustness, including adversarial training with edge channels and GAN-based edge-to-image translation, improving resistance to attacks and corruptions.

Findings

Enhanced robustness against FGSM and PGD-40 attacks.

Edge information improves resilience to natural image corruptions.

CNNs trained on edge-augmented inputs outperform RGB-only models.

Abstract

Humans rely heavily on shape information to recognize objects. Conversely, convolutional neural networks (CNNs) are biased more towards texture. This is perhaps the main reason why CNNs are vulnerable to adversarial examples. Here, we explore how shape bias can be incorporated into CNNs to improve their robustness. Two algorithms are proposed, based on the observation that edges are invariant to moderate imperceptible perturbations. In the first one, a classifier is adversarially trained on images with the edge map as an additional channel. At inference time, the edge map is recomputed and concatenated to the image. In the second algorithm, a conditional GAN is trained to translate the edge maps, from clean and/or perturbed images, into clean images. Inference is done over the generated image corresponding to the input's edge map. Extensive experiments over 10 datasets demonstrate the effectiveness of the proposed algorithms against FGSM and $\ell_\infty$ PGD-40 attacks. Further, we show that a) edge information can also benefit other adversarial training methods, and b) CNNs trained on edge-augmented inputs are more robust against natural image corruptions such as motion blur, impulse noise and JPEG compression, than CNNs trained solely on RGB images. From a broader perspective, our study suggests that CNNs do not adequately account for image structures that are crucial for robustness. Code is available at:~\url{https://github.com/aliborji/Shapedefense.git}.