Feature Map Purification for Enhancing Adversarial Robustness of Deep Timeseries Classifiers

Published: 01 Jan 2024, Last Modified: 14 May 2025. Venue: ICDM 2024. License: CC BY-SA 4.0
Abstract: Deep-learning based timeseries classifiers are known to be susceptible to adversarial attacks, where the adversary adds imperceptible perturbations to the input sample to cause mis-classification. While principled adversarial defense mechanisms such as adversarial training and certified robustness have been proposed for image classifiers, they have seldom been studied in the timeseries domain. Existing defenses for timeseries classifiers are primarily centered around adversarial sample detection, but have mixed performance and fail to generalize well across attacks. This work proposes an alternative approach based on purifying the intermediate representations within a deep convolutional timeseries (DCT) classifier. We design a learnable sub-network with residual connections that filters the feature maps in multiple wavelet basis spaces to suppress the adversarial perturbations. Given any pretrained non-robust DCT classifier, the proposed feature map purification (FeMPure) module can be trained in isolation without affecting the given classifier and can be seamlessly plugged back in to enhance the adversarial robustness of the original classifier. Experiments based on 2 well-known architectures for DCT classifiers, 6 adversarial attacks, and 80 public-domain datasets demonstrate that the proposed FeMPure approach can provide good adversarial robustness, irrespective of whether the adversary is unaware or has full knowledge of the defense mechanism. With minor modifications, the FeMPure approach can also be employed for adversarial sample detection or for enhancing certified robustness.