A Mask-Based Adversarial Defense Scheme

TL;DR

This paper introduces MAD, a simple yet effective mask-based method that enhances DNN robustness against adversarial attacks without modifying the network architecture or requiring denoising modules.

Contribution

The proposed MAD scheme is a novel, architecture-agnostic defense technique that improves adversarial robustness by randomly masking parts of input images during training and inference.

Findings

Significantly improves DNN robustness against various adversarial attacks.

Increases classification accuracy by up to 90% in some scenarios.

Does not require changes to DNN architecture or additional denoising modules.

Abstract

Adversarial attacks hamper the functionality and accuracy of Deep Neural Networks (DNNs) by meddling with subtle perturbations to their inputs.In this work, we propose a new Mask-based Adversarial Defense scheme (MAD) for DNNs to mitigate the negative effect from adversarial attacks. To be precise, our method promotes the robustness of a DNN by randomly masking a portion of potential adversarial images, and as a result, the %classification result output of the DNN becomes more tolerant to minor input perturbations. Compared with existing adversarial defense techniques, our method does not need any additional denoising structure, nor any change to a DNN's design. We have tested this approach on a collection of DNN models for a variety of data sets, and the experimental results confirm that the proposed method can effectively improve the defense abilities of the DNNs against all of the tested adversarial attack methods. In certain scenarios, the DNN models trained with MAD have improved classification accuracy by as much as 20% to 90% compared to the original models that are given adversarial inputs.