Adversarial Robustness via Deformable Convolution with Stochasticity

Published: 01 May 2025 · Last Modified: 18 Jun 2025 · ICML 2025 poster · CC BY 4.0
TL;DR: This paper introduces DCS, a stochastic structural adversarial defense inspired by deformable convolution (DeConv), together with an adaptive adversarial training method that helps DCS reach and exceed the SOTA level.
Abstract: Random defense is a promising strategy for protecting neural networks from adversarial attacks. Most such methods enhance robustness by injecting randomness into the input data, increasing uncertainty for attackers. However, this randomness can hurt the generalization of the defense: its performance is often sensitive to the hyperparameters of the noise added to the data, making it difficult to transfer across datasets. Moreover, injecting randomness typically reduces natural accuracy, creating a delicate trade-off between robustness and clean accuracy that is seldom studied in random defense. In this work, we propose incorporating randomness into the network structure instead of the data input by designing stochastic deformable convolution, in which a random mask replaces the convolutional offset. This design promotes data independence and improves generalization across datasets. To study the trade-off, we conduct a theoretical analysis of both robust and clean accuracy from the perspective of gradient cosine similarity and natural inference. Based on this analysis, we reformulate adversarial training within our random defense framework. Extensive experiments show that our method achieves SOTA adversarial robustness and clean accuracy compared with other random defense methods.
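To make the core idea concrete, here is a minimal, illustrative sketch of a convolution whose sampling locations are perturbed by random integer shifts redrawn at every forward pass, so gradients computed against one draw do not match the next. This is only an interpretation of the abstract's "random mask replaces the convolutional offset"; the function name, the integer-shift scheme, and all parameters are hypothetical simplifications, not the authors' DCS implementation (see the linked repository for that).

```python
import numpy as np

def stochastic_deform_conv2d(x, w, rng, max_shift=1):
    """Simplified 2D cross-correlation where each kernel tap reads from a
    randomly shifted location. The random shifts stand in for the stochastic
    offset/mask of DCS; the real method operates inside deformable convolution.

    x: (H, W) input, w: (kh, kw) kernel, rng: np.random.Generator,
    max_shift: maximum per-tap offset (0 recovers the standard convolution).
    """
    H, W = x.shape
    kh, kw = w.shape
    out = np.zeros((H - kh + 1, W - kw + 1))
    # One random integer shift per kernel tap, redrawn on every call:
    # an attacker's gradient is computed against a draw that changes next pass.
    shifts = rng.integers(-max_shift, max_shift + 1, size=(kh, kw, 2))
    xp = np.pad(x, max_shift, mode="edge")  # pad so shifted reads stay in bounds
    for i in range(out.shape[0]):
        for j in range(out.shape[1]):
            acc = 0.0
            for a in range(kh):
                for b in range(kw):
                    di, dj = shifts[a, b]
                    acc += w[a, b] * xp[i + a + max_shift + di,
                                        j + b + max_shift + dj]
            out[i, j] = acc
    return out
```

With `max_shift=0` the function reduces to a plain valid-mode cross-correlation, which is one way to see the clean-accuracy trade-off the abstract analyzes: larger shift ranges add more attacker-facing uncertainty but move sampling further from the natural receptive field.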
Lay Summary: This paper introduces DCS, a method that protects neural networks from adversarial attacks by adding randomized structure to the network itself, together with a complete training and inference framework that lets users quickly apply it to their own scenarios. The main advances of this work are: 1. DCS maintains state-of-the-art robustness under strong attacks. 2. DCS can be deployed in complex scenarios with little effort: it does not require users to re-tune parameters for each usage scenario, which saves substantial deployment cost. 3. DCS is applicable to most mainstream neural network classifiers, including most Vision Transformers and convolutional neural networks. 4. DCS comes with a complete training and inference solution: users can follow our method directly, or easily port DCS to their own models and use the training and inference procedures given in this paper.
Link To Code: https://github.com/theSleepyPig/Deformable_Convolution_with_Stochasticity
Primary Area: Deep Learning->Robustness
Keywords: Adversarial Robustness; Machine Learning
Submission Number: 15534