Removing Adversarial Noise in Class Activation Feature Space

TL;DR

This paper introduces a novel self-supervised adversarial training method in class activation feature space to effectively remove adversarial noise, improving robustness against various attacks.

Contribution

It proposes a new training mechanism that enhances adversarial robustness by denoising in class activation feature space, addressing error amplification issues.

Findings

Significantly improves robustness against unseen attacks

Effective against adaptive adversarial attacks

Outperforms previous state-of-the-art methods

Abstract

Deep neural networks (DNNs) are vulnerable to adversarial noise. Preprocessing based defenses could largely remove adversarial noise by processing inputs. However, they are typically affected by the error amplification effect, especially in the front of continuously evolving attacks. To solve this problem, in this paper, we propose to remove adversarial noise by implementing a self-supervised adversarial training mechanism in a class activation feature space. To be specific, we first maximize the disruptions to class activation features of natural examples to craft adversarial examples. Then, we train a denoising model to minimize the distances between the adversarial examples and the natural examples in the class activation feature space. Empirical evaluations demonstrate that our method could significantly enhance adversarial robustness in comparison to previous state-of-the-art approaches, especially against unseen adversarial attacks and adaptive attacks.