Delving into Deep Image Prior for Adversarial Defense: A Novel Reconstruction-based Defense Framework

TL;DR

This paper introduces a novel reconstruction-based defense framework using deep image prior that detects and purifies adversarial noise by analyzing the model decision process, improving robustness without training.

Contribution

It uniquely incorporates model decision analysis into DIP-based defense, enabling attack-agnostic, training-free adversarial noise purification with high visual quality.

Findings

Outperforms existing reconstruction-based defenses against white-box attacks

Effective against defense-aware attacks

Maintains high visual quality during reconstruction

Abstract

Deep learning based image classification models are shown vulnerable to adversarial attacks by injecting deliberately crafted noises to clean images. To defend against adversarial attacks in a training-free and attack-agnostic manner, this work proposes a novel and effective reconstruction-based defense framework by delving into deep image prior (DIP). Fundamentally different from existing reconstruction-based defenses, the proposed method analyzes and explicitly incorporates the model decision process into our defense. Given an adversarial image, firstly we map its reconstructed images during DIP optimization to the model decision space, where cross-boundary images can be detected and on-boundary images can be further localized. Then, adversarial noise is purified by perturbing on-boundary images along the reverse direction to the adversarial image. Finally, on-manifold images are stitched to construct an image that can be correctly predicted by the victim classifier. Extensive experiments demonstrate that the proposed method outperforms existing state-of-the-art reconstruction-based methods both in defending white-box attacks and defense-aware attacks. Moreover, the proposed method can maintain a high visual quality during adversarial image reconstruction.