Defending against adversarial attacks using spherical sampling-based variational auto-encoder

Although deep neural networks achieve outstanding performance in many tasks, adding very imperceptible perturbations to clean images can easily fool the deep neural network. In this paper, we propose a new defence model: Adversarial Memory Variational AutoEncoder(AdMVAE), that can be used to transform adversarial images into clean images. At inference time, it finds an output that is similar to a given image in a high probability region of the manifold space. And the memory module uses normal features to reconstruct the image in the process of reconstruction. It can effectively prevent the reconstruction of malicious perturbations and avoid defense failure. Our approach is a pre-processing module that does not change the results of the classifier. Therefore, it can be combined with other defence models to jointly improve the performance robustness of the classifier. The experimental results on three benchmark data sets including Fashion-MNIST, CIFAR10 and Imagenet show that the proposed method outperforms the state-of-the-art defense methods. (c) 2021 Elsevier B.V. All rights reserved.