Robust Image Classification in the Presence of Out-of-Distribution and Adversarial Samples Using Attractors in Neural Networks

TL;DR

This paper introduces a neural network approach that uses training samples as attractors to improve robustness against out-of-distribution and adversarial samples, maintaining high accuracy even under severe perturbations.

Contribution

The study proposes a novel neural network method that enhances robustness to OOD and adversarial samples by training with attractors, outperforming existing methods under high perturbation levels.

Findings

Achieves 87.13% accuracy on highly perturbed MNIST adversarial examples.

Distinguishes OOD samples from MNIST with over 98% accuracy.

Maintains high robustness with minimal performance drop under severe attacks.

Abstract

The proper handling of out-of-distribution (OOD) samples in deep classifiers is a critical concern for ensuring the suitability of deep neural networks in safety-critical systems. Existing approaches developed for robust OOD detection in the presence of adversarial attacks lose their performance by increasing the perturbation levels. This study proposes a method for robust classification in the presence of OOD samples and adversarial attacks with high perturbation levels. The proposed approach utilizes a fully connected neural network that is trained to use training samples as its attractors, enhancing its robustness. This network has the ability to classify inputs and identify OOD samples as well. To evaluate this method, the network is trained on the MNIST dataset, and its performance is tested on adversarial examples. The results indicate that the network maintains its performance even when classifying adversarial examples, achieving 87.13% accuracy when dealing with highly perturbed MNIST test data. Furthermore, by using fashion-MNIST and CIFAR-10-bw as OOD samples, the network can distinguish these samples from MNIST samples with an accuracy of 98.84% and 99.28%, respectively. In the presence of severe adversarial attacks, these measures decrease slightly to 98.48% and 98.88%, indicating the robustness of the proposed method.