First line of defense: A robust first layer mitigates adversarial attacks

TL;DR

This paper introduces a robust first layer design for neural networks that acts as an implicit adversarial noise filter, improving adversarial robustness without the need for adversarial training.

Contribution

The authors propose a novel first layer architecture with large kernels, more filters, and maxpooling that enhances robustness across multiple models and datasets.

Findings

Achieves higher adversarial accuracy than existing natively robust models.

Produces smoother loss surfaces and better decision margins.

Attenuates high-frequency noise and improves denoising capabilities.

Abstract

Adversarial training (AT) incurs significant computational overhead, leading to growing interest in designing inherently robust architectures. We demonstrate that a carefully designed first layer of the neural network can serve as an implicit adversarial noise filter (ANF). This filter is created using a combination of large kernel size, increased convolution filters, and a maxpool operation. We show that integrating this filter as the first layer in architectures such as ResNet, VGG, and EfficientNet results in adversarially robust networks. Our approach achieves higher adversarial accuracies than existing natively robust architectures without AT and is competitive with adversarial-trained architectures across a wide range of datasets. Supporting our findings, we show that (a) the decision regions for our method have better margins, (b) the visualized loss surfaces are smoother, (c) the modified peak signal-to-noise ratio (mPSNR) values at the output of the ANF are higher, (d) high-frequency components are more attenuated, and (e) architectures incorporating ANF exhibit better denoising in Gaussian noise compared to baseline architectures. Code for all our experiments are available at \url{https://github.com/janani-suresh-97/first-line-defence.git}.