Adversarial attacks and defenses using feature-space stochasticity

Recent studies in deep neural networks have shown that injecting random noise in the input layer of the networks contributes towards tp-norm-bounded adversarial perturbations. However, to defend against unrestricted adversarial examples, most of which are not tp-norm-bounded in the input layer, such input-layer random noise may not be sufficient. In the first part of this study, we generated a novel class of unrestricted adversarial examples termed feature-space adversarial examples. These examples are far from the original data in the input space but adjacent to the original data in a hiddenlayer feature space and far again in the output layer. In the second part of this study, we empirically showed that while injecting random noise in the input layer was unable to defend these feature-space adversarial examples, they were defended by injecting random noise in the hidden layer. These results highlight the novel benefit of stochasticity in higher layers, in that it is useful for defending against these feature-space adversarial examples, a class of unrestricted adversarial examples. (c) 2023 Elsevier Ltd. All rights reserved.