Cost-free adversarial defense: Distance-based optimization for model robustness without adversarial training

Cited by: 3
Authors
Seo, Seungwan [1 ]
Lee, Yunseung [1 ]
Kang, Pilsung [1 ]
Affiliations
[1] Korea Univ, Sch Ind & Management Engn, Seoul, South Korea
Funding
National Research Foundation of Singapore;
Keywords
Adversarial defense; White-box attack; Adversarial robustness; Distance-based defense;
DOI
10.1016/j.cviu.2022.103599
CLC (Chinese Library Classification) number
TP18 [Artificial intelligence theory];
Discipline classification code
081104 ; 0812 ; 0835 ; 1405 ;
Abstract
Although convolutional neural networks (CNNs) have advanced to the point of surpassing human performance on many image classification tasks, the feature space of a CNN trained with the standard training procedure is limited by smaller-than-expected inter-class variances. Consequently, CNNs are prone to misclassifying adversarial examples with high confidence, even though the difference between an adversarial example and a normal input cannot be perceived by humans. To alleviate this problem, we propose a training methodology that defends against adversarial attacks through a constraint that applies class-specific differentiation to the feature space of CNNs. The proposed methodology first forces the feature representations corresponding to each class to be localized on the surface of a hypersphere with a particular radius. The constrained representations are then trained to lie as close to the class center on the hypersphere as possible, yielding feature representations with small intra-class variance and large inter-class variances. The experimental results reveal that the proposed two-step training method improves defense performance by 17.1%p and trains up to 30 times faster than the existing distance-based adversarial defense methodology. The code is available at: https://github.com/lepoeme20/cost-free-adversarial-defense
Pages: 9