Countering Adversarial Examples: Combining Input Transformation and Noisy Training

TL;DR

This paper proposes a novel defense method against adversarial examples in image classification by combining a modified JPEG compression technique with noisy training and model ensemble, improving robustness without sacrificing accuracy.

Contribution

It introduces a NN-favored JPEG quantization table and an ensemble approach with multiple compressed models for effective adversarial defense.

Findings

Enhanced robustness against adversarial attacks.

Maintained high classification accuracy on benign images.

Effective ensemble strategy improves defense performance.

Abstract

Recent studies have shown that neural network (NN) based image classifiers are highly vulnerable to adversarial examples, which poses a threat to security-sensitive image recognition task. Prior work has shown that JPEG compression can combat the drop in classification accuracy on adversarial examples to some extent. But, as the compression ratio increases, traditional JPEG compression is insufficient to defend those attacks but can cause an abrupt accuracy decline to the benign images. In this paper, with the aim of fully filtering the adversarial perturbations, we firstly make modifications to traditional JPEG compression algorithm which becomes more favorable for NN. Specifically, based on an analysis of the frequency coefficient, we design a NN-favored quantization table for compression. Considering compression as a data augmentation strategy, we then combine our model-agnostic preprocess with noisy training. We fine-tune the pre-trained model by training with images encoded at different compression levels, thus generating multiple classifiers. Finally, since lower (higher) compression ratio can remove both perturbations and original features slightly (aggressively), we use these trained multiple models for model ensemble. The majority vote of the ensemble of models is adopted as final predictions. Experiments results show our method can improve defense efficiency while maintaining original accuracy.