Adversarial Defenses via Vector Quantization

TL;DR

This paper introduces a novel vector quantization-based preprocessing framework for defending deep neural networks against adversarial attacks, achieving state-of-the-art robustness with certifiable guarantees and effectiveness against advanced attack methods.

Contribution

It extends randomized discretization with vector quantization, providing a theoretically grounded, practical defense framework with two lightweight methods, pRD and swRD, that outperform previous approaches.

Findings

State-of-the-art robust accuracy with vector quantization defenses

Effective against STE and EOT attacks designed for gradient obfuscation

Certifiable robustness guarantees provided by the framework

Abstract

Adversarial attacks pose significant challenges to the robustness of modern deep neural networks in computer vision, and defending these networks against adversarial attacks has attracted intense research efforts. Among various defense strategies, preprocessing-based defenses are practically appealing since there is no need to train the network under protection. However, such approaches typically do not achieve comparable robustness as other methods such as adversarial training. In this paper, we propose a novel framework for preprocessing-based defenses, where a vector quantizer is used as a preprocessor. This framework, inspired by and extended from Randomized Discretization (RandDisc), is theoretically principled by rate-distortion theory: indeed, RandDisc may be viewed as a scalar quantizer, and rate-distortion theory suggests that such quantization schemes are inferior to vector quantization. In our framework, the preprocessing vector quantizer treats the input image as a collection of patches and finds a set of representative patches based on the patch distributions; each original patch is then modified according to the representative patches close to it. We present two lightweight defenses in this framework, referred to as patched RandDisc (pRD) and sliding-window RandDisc (swRD), where the patches are disjoint in the former and overlapping in the latter. We show that vector-quantization-based defenses have certifiable robust accuracy and that pRD and swRD demonstrate state-of-the-art performances, surpassing RandDisc by a large margin. Notably, the proposed defenses possess the obfuscated gradients property. Our experiments however show that pRD and swRD remain effective under the STE and EOT attacks, which are designed specifically for defenses with gradient obfuscation. ...