Improving Adversarial Robustness via Feature Pattern Consistency Constraint

TL;DR

This paper introduces a novel Feature Pattern Consistency Constraint (FPCC) method that enhances CNN robustness against adversarial attacks by reinforcing correct feature patterns in latent representations, without relying on adversarial training.

Contribution

The paper proposes the FPCC method, including spatial-wise modification and channel-wise selection, to improve latent feature robustness and generalization to unseen adversarial examples.

Findings

FPCC improves adversarial robustness over state-of-the-art models.

Latent features maintain correct patterns under attack.

Method enhances robustness without adversarial training.

Abstract

Convolutional Neural Networks (CNNs) are well-known for their vulnerability to adversarial attacks, posing significant security concerns. In response to these threats, various defense methods have emerged to bolster the model's robustness. However, most existing methods either focus on learning from adversarial perturbations, leading to overfitting to the adversarial examples, or aim to eliminate such perturbations during inference, inevitably increasing computational burdens. Conversely, clean training, which strengthens the model's robustness by relying solely on clean examples, can address the aforementioned issues. In this paper, we align with this methodological stream and enhance its generalizability to unknown adversarial examples. This enhancement is achieved by scrutinizing the behavior of latent features within the network. Recognizing that a correct prediction relies on the correctness of the latent feature's pattern, we introduce a novel and effective Feature Pattern Consistency Constraint (FPCC) method to reinforce the latent feature's capacity to maintain the correct feature pattern. Specifically, we propose Spatial-wise Feature Modification and Channel-wise Feature Selection to enhance latent features. Subsequently, we employ the Pattern Consistency Loss to constrain the similarity between the feature pattern of the latent features and the correct feature pattern. Our experiments demonstrate that the FPCC method empowers latent features to uphold correct feature patterns even in the face of adversarial examples, resulting in inherent adversarial robustness surpassing state-of-the-art models.