Ensemble Generative Cleaning With Feedback Loops for Defending Adversarial Attacks

Jianhe Yuan, Zhihai He; The IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), 2020, pp. 581-590

Abstract

Effective defense of deep neural networks against adversarial attacks remains a challenging problem, especially under powerful white-box attacks. In this paper, we develop a new method called ensemble generative cleaning with feedback loops (EGC-FL) for effective defense of deep neural networks. The proposed EGC-FL method is based on two central ideas. First, we introduce a transformed deadzone layer into the defense network, which consists of an orthonormal transform and a deadzone-based activation function, to destroy the sophisticated noise pattern of adversarial attacks. Second, by constructing a generative cleaning network with a feedback loop, we are able to generate an ensemble of diverse estimations of the original clean image. We then learn a network to fuse this set of diverse estimations together to restore the original image. Our extensive experimental results demonstrate that our approach improves the state of the art by large margins in both white-box and black-box attacks. It significantly improves the classification accuracy for white-box PGD attacks upon the second best method by more than 29% on the SVHN dataset and more than 39% on the challenging CIFAR-10 dataset.
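The transformed deadzone layer described in the abstract, as an added illustration that is not the authors' code: an orthonormal 2-D DCT-II transform, a hard deadzone on the coefficients, and the inverse transform. The choice of DCT, the threshold `t`, the image size and the bounded perturbation used as a stand-in for adversarial noise are all assumptions of this example, not values from the paper.

```python
"""Added illustration of a transformed deadzone layer (assumed parameters)."""
import numpy as np


def dct_matrix(n: int) -> np.ndarray:
    """Orthonormal DCT-II basis: rows are unit-norm and mutually orthogonal."""
    k = np.arange(n)[:, None]
    i = np.arange(n)[None, :]
    c = np.sqrt(2.0 / n) * np.cos(np.pi * (i + 0.5) * k / n)
    c[0, :] /= np.sqrt(2.0)  # scale the DC row so the whole matrix is orthonormal
    return c


def deadzone(coef: np.ndarray, t: float) -> np.ndarray:
    """Deadzone activation: coefficients with |c| <= t are zeroed, others pass unchanged."""
    return np.where(np.abs(coef) > t, coef, 0.0)


def transformed_deadzone(x: np.ndarray, t: float) -> np.ndarray:
    """Forward transform, deadzone, inverse transform (C is orthonormal, so C^-1 = C^T)."""
    c = dct_matrix(x.shape[0])
    return c.T @ deadzone(c @ x @ c.T, t) @ c


def kept_coefficients(x: np.ndarray, t: float) -> int:
    """Number of transform coefficients of x that survive the deadzone."""
    c = dct_matrix(x.shape[0])
    return int(np.count_nonzero(deadzone(c @ x @ c.T, t)))


def make_demo(n: int = 16, eps: float = 0.05, seed: int = 0):
    """Constructed sample: a clean image with three large low-frequency coefficients,
    plus an L_inf-bounded perturbation (eps) standing in for an adversarial residual."""
    c = dct_matrix(n)
    coef = np.zeros((n, n))
    coef[0, 0], coef[0, 1], coef[1, 0] = 4.0, 2.0, 1.0
    clean = c.T @ coef @ c
    noise = np.random.default_rng(seed).uniform(-eps, eps, size=(n, n))
    return clean, clean + noise


def reconstruction_error(x: np.ndarray, t: float) -> float:
    """||layer(x) - x||_F: zero when every coefficient of x is outside the deadzone."""
    return float(np.linalg.norm(transformed_deadzone(x, t) - x))


def residual_ratio(clean: np.ndarray, attacked: np.ndarray, t: float = 0.25) -> float:
    """||layer(attacked) - clean||_F / ||attacked - clean||_F; below 1 means noise was removed."""
    cleaned = transformed_deadzone(attacked, t)
    return float(np.linalg.norm(cleaned - clean) / np.linalg.norm(attacked - clean))
```

With these assumptions the clean image passes through unchanged, while the perturbation's energy is spread thinly over all coefficients and falls inside the deadzone, so only the noise landing on the three retained coefficients survives.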

Related Material

[bibtex]
@InProceedings{Yuan_2020_CVPR,
author = {Yuan, Jianhe and He, Zhihai},
title = {Ensemble Generative Cleaning With Feedback Loops for Defending Adversarial Attacks},
booktitle = {The IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR)},
month = {June},
year = {2020}
}