Error Diffusion Halftoning Against Adversarial Examples

TL;DR

This paper introduces a novel image transformation defense using error diffusion halftoning combined with adversarial training, effectively improving DNN robustness against adaptive adversarial attacks while preserving image quality.

Contribution

The paper proposes a new error diffusion halftoning method as an image transformation defense, demonstrating its effectiveness against advanced adaptive adversarial attacks.

Findings

Improves adversarial robustness under adaptive attacks

Maintains acceptable image quality after transformation

Outperforms other image transformation defenses

Abstract

Adversarial examples contain carefully crafted perturbations that can fool deep neural networks (DNNs) into making wrong predictions. Enhancing the adversarial robustness of DNNs has gained considerable interest in recent years. Although image transformation-based defenses were widely considered at an earlier time, most of them have been defeated by adaptive attacks. In this paper, we propose a new image transformation defense based on error diffusion halftoning, and combine it with adversarial training to defend against adversarial examples. Error diffusion halftoning projects an image into a 1-bit space and diffuses quantization error to neighboring pixels. This process can remove adversarial perturbations from a given image while maintaining acceptable image quality in the meantime in favor of recognition. Experimental results demonstrate that the proposed method is able to improve adversarial robustness even under advanced adaptive attacks, while most of the other image transformation-based defenses do not. We show that a proper image transformation can still be an effective defense approach. Code: https://github.com/shaoyuanlo/Halftoning-Defense