Enhanced countering adversarial attacks via input denoising and feature restoring

TL;DR

This paper introduces IDFR, a novel defense method combining input denoising and feature restoring to significantly improve neural network robustness against adversarial attacks, outperforming existing defenses on benchmark datasets.

Contribution

The paper proposes a new adversarial defense approach, IDFR, integrating input denoising and feature restoration based on convex hull optimization, which enhances robustness against various attacks.

Findings

IDFR outperforms state-of-the-art defenses in experiments.

Effective against both black-box and white-box attacks.

Code is publicly available for reproducibility.

Abstract

Despite the fact that deep neural networks (DNNs) have achieved prominent performance in various applications, it is well known that DNNs are vulnerable to adversarial examples/samples (AEs) with imperceptible perturbations in clean/original samples. To overcome the weakness of the existing defense methods against adversarial attacks, which damages the information on the original samples, leading to the decrease of the target classifier accuracy, this paper presents an enhanced countering adversarial attack method IDFR (via Input Denoising and Feature Restoring). The proposed IDFR is made up of an enhanced input denoiser (ID) and a hidden lossy feature restorer (FR) based on the convex hull optimization. Extensive experiments conducted on benchmark datasets show that the proposed IDFR outperforms the various state-of-the-art defense methods, and is highly effective for protecting target models against various adversarial black-box or white-box attacks. \footnote{Souce code is released at: \href{https://github.com/ID-FR/IDFR}{https://github.com/ID-FR/IDFR}}