Adversarial amplitude swap towards robust image classifiers

TL;DR

This paper explores how combining amplitude and phase spectra of images affects CNN robustness, showing that spectrum recombination enhances general robustness against corruptions and adversarial attacks.

Contribution

It introduces a spectrum recombination method that improves CNN robustness and mitigates overfitting, advancing understanding of frequency-based defenses.

Findings

Spectrum recombination improves robustness to corruptions and adversarial attacks.

Training with amplitude-phase combined images reduces overfitting.

The method enhances generalization of CNN classifiers.

Abstract

The vulnerability of convolutional neural networks (CNNs) to image perturbations such as common corruptions and adversarial perturbations has recently been investigated from the perspective of frequency. In this study, we investigate the effect of the amplitude and phase spectra of adversarial images on the robustness of CNN classifiers. Extensive experiments revealed that the images generated by combining the amplitude spectrum of adversarial images and the phase spectrum of clean images accommodates moderate and general perturbations, and training with these images equips a CNN classifier with more general robustness, performing well under both common corruptions and adversarial perturbations. We also found that two types of overfitting (catastrophic overfitting and robust overfitting) can be circumvented by the aforementioned spectrum recombination. We believe that these results contribute to the understanding and the training of truly robust classifiers.