Jacobian Norm with Selective Input Gradient Regularization for Improved and Interpretable Adversarial Defense

TL;DR

This paper introduces J-SIGR, a novel regularization method that enhances neural network robustness against adversarial attacks while also improving interpretability of the model's predictions.

Contribution

The work proposes a new Jacobian-based regularization technique that simultaneously boosts adversarial robustness and interpretability of deep neural networks.

Findings

J-SIGR improves robustness against transferred adversarial attacks.

The method produces more interpretable neural network predictions.

Experiments across various architectures validate effectiveness.

Abstract

Deep neural networks (DNNs) are known to be vulnerable to adversarial examples that are crafted with imperceptible perturbations, i.e., a small change in an input image can induce a mis-classification, and thus threatens the reliability of deep learning based deployment systems. Adversarial training (AT) is often adopted to improve robustness through training a mixture of corrupted and clean data. However, most of AT based methods are ineffective in dealing with transferred adversarial examples which are generated to fool a wide spectrum of defense models, and thus cannot satisfy the generalization requirement raised in real-world scenarios. Moreover, adversarially training a defense model in general cannot produce interpretable predictions towards the inputs with perturbations, whilst a highly interpretable robust model is required by different domain experts to understand the behaviour of a DNN. In this work, we propose a novel approach based on Jacobian norm and Selective Input Gradient Regularization (J-SIGR), which suggests the linearized robustness through Jacobian normalization and also regularizes the perturbation-based saliency maps to imitate the model's interpretable predictions. As such, we achieve both the improved defense and high interpretability of DNNs. Finally, we evaluate our method across different architectures against powerful adversarial attacks. Experiments demonstrate that the proposed J-SIGR confers improved robustness against transferred adversarial attacks, and we also show that the predictions from the neural network are easy to interpret.