From a Fourier-Domain Perspective on Adversarial Examples to a Wiener Filter Defense for Semantic Segmentation

TL;DR

This paper analyzes adversarial perturbations in the frequency domain for semantic segmentation, revealing model-dependent frequency patterns and proposing a Wiener filter-based defense that outperforms existing methods.

Contribution

It introduces a frequency domain analysis of adversarial examples and a novel Wiener filter defense that generalizes across attacks and models.

Findings

Strong link between model architecture and adversarial frequency patterns

Frequency patterns are largely attack- and image-independent

Proposed Wiener filter defense outperforms five state-of-the-art methods

Abstract

Despite recent advancements, deep neural networks are not robust against adversarial perturbations. Many of the proposed adversarial defense approaches use computationally expensive training mechanisms that do not scale to complex real-world tasks such as semantic segmentation, and offer only marginal improvements. In addition, fundamental questions on the nature of adversarial perturbations and their relation to the network architecture are largely understudied. In this work, we study the adversarial problem from a frequency domain perspective. More specifically, we analyze discrete Fourier transform (DFT) spectra of several adversarial images and report two major findings: First, there exists a strong connection between a model architecture and the nature of adversarial perturbations that can be observed and addressed in the frequency domain. Second, the observed frequency patterns are largely image- and attack-type independent, which is important for the practical impact of any defense making use of such patterns. Motivated by these findings, we additionally propose an adversarial defense method based on the well-known Wiener filters that captures and suppresses adversarial frequencies in a data-driven manner. Our proposed method not only generalizes across unseen attacks but also beats five existing state-of-the-art methods across two models in a variety of attack settings.