Learn Robust Features via Orthogonal Multi-Path

28 Sept 2020 (modified: 22 Oct 2023), ICLR 2021 Conference Blind Submission, Readers: Everyone
Keywords: adversarial robustness, orthogonal multi-path
Abstract: It is now widely known that by adversarial attacks, clean images with invisible perturbations can fool deep neural networks. To defend against adversarial attacks, we design a block containing multiple paths to learn robust features and the parameters of these paths are required to be orthogonal to each other. The so-called Orthogonal Multi-Path (OMP) block could be posed in any layer of a neural network. Via forward learning and backward correction, one OMP block makes the neural networks learn features that are appropriate for all the paths and hence are expected to be robust. With careful design and thorough experiments on e.g., the positions of imposing orthogonality constraint, and the trade-off between the variety and accuracy, the robustness of the neural networks is significantly improved. For example, under white-box PGD attack with $l_\infty$ bound ${8}/{255}$ (this is a fierce attack that can make the accuracy of many vanilla neural networks drop to nearly $10\%$ on CIFAR10), VGG16 with the proposed OMP block could keep over $50\%$ accuracy. For black-box attacks, neural networks equipped with an OMP block have accuracy over $80\%$. The performance under both white-box and black-box attacks is much better than the existing state-of-the-art adversarial defenders.
Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics
One-sentence Summary: We propose a novel defence method via embedding orthogonal multi-path into a neural network to enhance the robustness.
Community Implementations: [2 code implementations](https://www.catalyzex.com/paper/arxiv:2010.12190/code)
Reviewed Version (pdf): https://openreview.net/references/pdf?id=Clfefo-yeF