Structure-Preserving Progressive Low-rank Image Completion for Defending Adversarial Attacks

TL;DR

This paper introduces a novel structure-preserving low-rank image completion method that enhances neural network robustness against adversarial attacks by emphasizing global structures over local textures.

Contribution

The proposed SPLIC method uniquely combines progressive low-rank matrix completion with structure preservation to defend neural networks from adversarial noise.

Findings

Outperforms existing defenses by up to 12.6% in robustness.

Effectively removes local textures while preserving global structures.

Improves neural network resilience against various attack types.

Abstract

Deep neural networks recognize objects by analyzing local image details and summarizing their information along the inference layers to derive the final decision. Because of this, they are prone to adversarial attacks. Small sophisticated noise in the input images can accumulate along the network inference path and produce wrong decisions at the network output. On the other hand, human eyes recognize objects based on their global structure and semantic cues, instead of local image textures. Because of this, human eyes can still clearly recognize objects from images which have been heavily damaged by adversarial attacks. This leads to a very interesting approach for defending deep neural networks against adversarial attacks. In this work, we propose to develop a structure-preserving progressive low-rank image completion (SPLIC) method to remove unneeded texture details from the input images and shift the bias of deep neural networks towards global object structures and semantic cues. We formulate the problem into a low-rank matrix completion problem with progressively smoothed rank functions to avoid local minimums during the optimization process. Our experimental results demonstrate that the proposed method is able to successfully remove the insignificant local image details while preserving important global object structures. On black-box, gray-box, and white-box attacks, our method outperforms existing defense methods (by up to 12.6%) and significantly improves the adversarial robustness of the network.