Towards Adversarially Robust Deep Image Denoising

TL;DR

This paper explores the vulnerability of deep image denoisers to adversarial noise, introduces a new attack method, and proposes a robust training strategy that enhances denoising performance against both synthetic and real-world noise.

Contribution

It introduces a novel adversarial attack ({ t ObsAtk}) and a hybrid adversarial training ({ t HAT}) method to improve the robustness of deep image denoisers against adversarial and real-world noise.

Findings

DIDs are vulnerable to { t ObsAtk} adversarial noise.

{ t HAT} significantly improves robustness of DIDs.

{ t HAT}-trained DIDs generalize well to real-world noise.

Abstract

This work systematically investigates the adversarial robustness of deep image denoisers (DIDs), i.e, how well DIDs can recover the ground truth from noisy observations degraded by adversarial perturbations. Firstly, to evaluate DIDs' robustness, we propose a novel adversarial attack, namely Observation-based Zero-mean Attack ({\sc ObsAtk}), to craft adversarial zero-mean perturbations on given noisy images. We find that existing DIDs are vulnerable to the adversarial noise generated by {\sc ObsAtk}. Secondly, to robustify DIDs, we propose an adversarial training strategy, hybrid adversarial training ({\sc HAT}), that jointly trains DIDs with adversarial and non-adversarial noisy data to ensure that the reconstruction quality is high and the denoisers around non-adversarial data are locally smooth. The resultant DIDs can effectively remove various types of synthetic and adversarial noise. We also uncover that the robustness of DIDs benefits their generalization capability on unseen real-world noise. Indeed, {\sc HAT}-trained DIDs can recover high-quality clean images from real-world noise even without training on real noisy data. Extensive experiments on benchmark datasets, including Set68, PolyU, and SIDD, corroborate the effectiveness of {\sc ObsAtk} and {\sc HAT}.