Shape Defense

Published: 18 Oct 2021, Last Modified: 22 Oct 2023, ICBINB@NeurIPS2021 Poster, Readers: Everyone
Keywords: adversarial robustness, adversarial defense, adversarial attack, shape
TL;DR: Inspired by human vision, we propose two adversarial defense methods that utilize shape, and show that edge redetection makes models robust to adversarial attacks such as FGSM and PGD-40.
Abstract: Humans rely heavily on shape information to recognize objects. Conversely, convolutional neural networks (CNNs) are biased more towards texture. This fact is perhaps the main reason why CNNs are susceptible to adversarial examples. Here, we explore how shape bias can be incorporated into CNNs to improve their robustness. Two algorithms are proposed, based on the observation that edges are invariant to moderate imperceptible perturbations. In the first one, a classifier is adversarially trained on images with the edge map as an additional channel. At inference time, the edge map is recomputed and concatenated to the image. In the second algorithm, a conditional GAN is trained to translate the edge maps, from clean and/or perturbed images, into clean images. The inference is done over the generated image corresponding to the input’s edge map. A large number of experiments with more than 10 data sets demonstrate the effectiveness of the proposed algorithms against FGSM, L∞ PGD, substitute, Carlini-Wagner, Boundary, and adaptive attacks (the latter are shown in appendices B, C, D, and E in order). From a broader perspective, our study suggests that CNNs do not adequately account for image structures and operations that are crucial for robustness. The code is available at: https://github.com/aliborji/ShapeDefense.git
Category: Stuck paper: I hope to get ideas in this workshop that help me unstuck and improve this paper
Community Implementations: [8 code implementations](https://www.catalyzex.com/paper/arxiv:2008.13336/code)
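
The inference-time step the abstract describes (recompute the edge map from the received image and concatenate it) can be illustrated with a small sketch. This is an added example, not code from the paper or its repository: the Sobel detector, the threshold, the 8/255 budget, the random-sign perturbation standing in for an attack, and the tampered edge channel are all assumptions made for the illustration.

```python
import math
import random

EPS = 8 / 255   # assumed L-inf budget for pixels scaled to [0, 1]
THRESH = 1.4    # assumed Sobel-magnitude threshold, chosen for this toy image

def sobel_edges(img, thresh=THRESH):
    """Binary edge map from the Sobel gradient magnitude (replicate padding)."""
    h, w = len(img), len(img[0])
    px = lambda r, c: img[min(max(r, 0), h - 1)][min(max(c, 0), w - 1)]
    out = [[0] * w for _ in range(h)]
    for r in range(h):
        for c in range(w):
            gx = (px(r - 1, c + 1) + 2 * px(r, c + 1) + px(r + 1, c + 1)
                  - px(r - 1, c - 1) - 2 * px(r, c - 1) - px(r + 1, c - 1))
            gy = (px(r + 1, c - 1) + 2 * px(r + 1, c) + px(r + 1, c + 1)
                  - px(r - 1, c - 1) - 2 * px(r - 1, c) - px(r - 1, c + 1))
            out[r][c] = int(math.hypot(gx, gy) >= thresh)
    return out

def perturb(img, eps=EPS, seed=0):
    """Stand-in for an attack: every pixel moves by +/-eps (no classifier involved)."""
    rng = random.Random(seed)
    return [[min(1.0, max(0.0, v + rng.choice((-eps, eps)))) for v in row]
            for row in img]

def defended_input(image, supplied_edges=None):
    """Edge redetection: discard whatever edge channel came with the input and
    recompute it from the image channel before the classifier sees it."""
    return image, sobel_edges(image)

def agreement(a, b):
    """Fraction of pixels on which two edge maps agree."""
    same = [x == y for ra, rb in zip(a, b) for x, y in zip(ra, rb)]
    return sum(same) / len(same)

# Constructed sample: 16x16 grayscale image, bright square on a dark background.
clean = [[0.8 if 4 <= r < 12 and 4 <= c < 12 else 0.2 for c in range(16)]
         for r in range(16)]
clean_edges = sobel_edges(clean)
adv = perturb(clean)                                      # every pixel changed by EPS
tampered = [[1 - e for e in row] for row in clean_edges]  # edge channel altered in transit

if __name__ == "__main__":
    _, redetected = defended_input(adv, supplied_edges=tampered)
    print("edge pixels in clean map:", sum(map(sum, clean_edges)))
    print("clean vs tampered channel:", agreement(clean_edges, tampered))
    print("clean vs redetected channel:", agreement(clean_edges, redetected))
```

On this constructed image the clean gradient magnitudes sit far from the threshold, so a perturbation bounded by 8/255 cannot flip any edge pixel; on natural images, agreement between clean and redetected edge maps would be high rather than exact.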