Evaluating Impact of Image Transformations on Adversarial Examples

Deep learning has revolutionized image recognition. One significant obstacle still remains, the vulnerability of these models to adversarial attacks. These attacks manipulate images with subtle changes that cause CNN misclassification. While methods, such as adversarial training, have been proposed to defend against adversarial attacks, they incur additional training costs, either extra input samples or auxiliary models. In this work, we propose an efficient approach to deploying robust models that utilize image transformations to remove adversarial noises. We investigate the performance of simple transformations and report several effective ones, including Affine blur, Gaussian blur, Median blur, and Bilateral blur against various adversarial attack methods, such as Fast Gradient Sign Method (FGSM), Randomized + FGSM (RFGSM), and Projected Gradient Descent (PGD). We apply these image transformation techniques to the widely used ImageNet dataset, and experimental results demonstrate the potential of image transformation methods as a strong defense against adversarial attacks in deep learning-based image classification systems, especially when combined with cutting-edge neural network architectures such as ResNet50 and DenseNet121. Our comprehensive results show that these transformations can significantly improve the robustness of CNN models against adversarial attacks on ImageNet, achieving a recovery rate of up to 85% to 90% without incurring extra resource costs.