Adaptive Batch Normalization Networks for Adversarial Robustness

TL;DR

This paper introduces ABNN, a novel adversarial defense method that uses adaptive Batch Normalization with a pre-trained substitute model, achieving robustness without the extensive training time of traditional adversarial training.

Contribution

The paper proposes ABNN, a non-adversarial training defense leveraging adaptive Batch Normalization and a substitute model to improve robustness efficiently.

Findings

ABNN enhances adversarial robustness against digital and physical attacks.

ABNN achieves higher clean data performance.

ABNN significantly reduces training time compared to adversarial training.

Abstract

Deep networks are vulnerable to adversarial examples. Adversarial Training (AT) has been a standard foundation of modern adversarial defense approaches due to its remarkable effectiveness. However, AT is extremely time-consuming, refraining it from wide deployment in practical applications. In this paper, we aim at a non-AT defense: How to design a defense method that gets rid of AT but is still robust against strong adversarial attacks? To answer this question, we resort to adaptive Batch Normalization (BN), inspired by the recent advances in test-time domain adaptation. We propose a novel defense accordingly, referred to as the Adaptive Batch Normalization Network (ABNN). ABNN employs a pre-trained substitute model to generate clean BN statistics and sends them to the target model. The target model is exclusively trained on clean data and learns to align the substitute model's BN statistics. Experimental results show that ABNN consistently improves adversarial robustness against both digital and physically realizable attacks on both image and video datasets. Furthermore, ABNN can achieve higher clean data performance and significantly lower training time complexity compared to AT-based approaches.