Countering Adversarial Images using Input Transformations

Chuan Guo, Mayank Rana, Moustapha Cisse, Laurens van der Maaten

TL;DR

The paper investigates model-agnostic input-transform defenses against adversarial image perturbations on ImageNet, focusing on cropping-rescaling, bit-depth reduction, JPEG compression, total variation minimization (TVM), and image quilting. TVM and image quilting emerge as the strongest defenses due to non-differentiability and randomness, especially when networks are trained on transformed data. In gray-box and black-box settings, these transformations reduce attack success substantially, with quilting defending up to 80–90% of attacks in some cases and overall robustness improved via ensembling and model transfer. The work highlights the importance of randomness and non-differentiability in defenses and suggests combining input transformations with other strategies for enhanced adversarial robustness across domains.

Abstract

This paper investigates strategies that defend against adversarial-example attacks on image-classification systems by transforming the inputs before feeding them to the system. Specifically, we study applying image transformations such as bit-depth reduction, JPEG compression, total variance minimization, and image quilting before feeding the image to a convolutional network classifier. Our experiments on ImageNet show that total variance minimization and image quilting are very effective defenses in practice, in particular, when the network is trained on transformed images. The strength of those defenses lies in their non-differentiable nature and their inherent randomness, which makes it difficult for an adversary to circumvent the defenses. Our best defense eliminates 60% of strong gray-box and 90% of strong black-box attacks by a variety of major attack methods.
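The abstract names bit-depth reduction as the simplest of the input transformations. The following is an added example, not the paper's code or the authors' implementation: a pure-Python sketch of that defense together with the normalized $L_2$-dissimilarity used on this page to size perturbations. The metric is assumed here to be the per-image ratio $\|x - x'\|_2 / \|x\|_2$ (the paper reports it averaged over a test set); the 4x4 grayscale image and the alternating $\pm 0.05$ perturbation are constructed for illustration, and no attack is run. The point it shows is the one the abstract relies on: a perturbation smaller than half a quantization step is snapped away entirely, while pixels that do not sit on a quantization level are moved by the defense itself, which is the clean-accuracy cost the paper trades off.

```python
"""Added example (not from the paper): bit-depth reduction as an input-transform
defense, plus the normalized L2-dissimilarity used to size perturbations.
Pure Python so it runs offline; images are lists of rows of floats in [0, 1]."""
import math
from typing import List, Tuple

Image = List[List[float]]


def bit_depth_reduce(img: Image, bits: int) -> Image:
    """Quantize every pixel to 2**bits evenly spaced levels in [0, 1].

    Uses floor(x * (L - 1) + 0.5) instead of round() so that .5 ties always go
    up (Python's round() ties to even, which would make the defense behave
    inconsistently on pixels that land exactly on a midpoint).
    """
    if bits < 1:
        raise ValueError("bits must be >= 1")
    steps = (1 << bits) - 1
    return [[math.floor(min(max(p, 0.0), 1.0) * steps + 0.5) / steps for p in row]
            for row in img]


def normalized_l2_dissimilarity(x: Image, x_adv: Image) -> float:
    """||x - x_adv||_2 / ||x||_2 for a single image.

    Assumed definition of the paper's per-image metric; the paper averages
    this over a test set, which is not reproduced here.
    """
    diff_sq = sum((a - b) ** 2 for ra, rb in zip(x, x_adv) for a, b in zip(ra, rb))
    norm_sq = sum(a * a for ra in x for a in ra)
    if norm_sq == 0.0:
        raise ValueError("original image is all zeros; metric undefined")
    return math.sqrt(diff_sq) / math.sqrt(norm_sq)


def max_abs_diff(x: Image, y: Image) -> float:
    """Largest per-pixel absolute difference between two same-shaped images."""
    return max(abs(a - b) for ra, rb in zip(x, y) for a, b in zip(ra, rb))


# Constructed 4x4 grayscale image whose pixels already sit on 3-bit levels
# (multiples of 1/7), so the effect of quantizing a perturbed copy is easy to read.
ORIGINAL: Image = [[k / 7 for k in (0, 1, 2, 3)],
                   [k / 7 for k in (4, 5, 6, 7)],
                   [k / 7 for k in (7, 6, 5, 4)],
                   [k / 7 for k in (3, 2, 1, 0)]]


def perturb(img: Image, eps: float) -> Image:
    """Constructed stand-in for a small perturbation: alternate +eps / -eps in a
    checkerboard and clip to [0, 1]. This is not an attack; it only produces a
    copy of the image whose pixels are off their quantization levels by eps."""
    return [[min(max(p + (eps if (i + j) % 2 == 0 else -eps), 0.0), 1.0)
             for j, p in enumerate(row)] for i, row in enumerate(img)]


def demo(bits: int = 3, eps: float = 0.05) -> Tuple[float, float]:
    """Return (dissimilarity before defense, dissimilarity after defense).

    With eps = 0.05 and 3 bits, eps is below half a quantization step
    (1/14 ~ 0.071), so every pixel snaps back and the second value is 0.
    """
    adv = perturb(ORIGINAL, eps)
    before = normalized_l2_dissimilarity(ORIGINAL, adv)
    defended = bit_depth_reduce(adv, bits)
    after = normalized_l2_dissimilarity(ORIGINAL, defended)
    return before, after


if __name__ == "__main__":
    b, a = demo()
    print(f"normalized L2-dissimilarity: before={b:.4f} after={a:.4f}")
```

Raising `eps` above half a step (or lowering `bits` until the original's own pixels no longer sit on levels) shows the other side of the trade-off: the defense starts altering clean pixels, which is why the paper pairs these transformations with training on transformed images.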

Paper Structure

This paper contains 15 sections, 7 equations, 6 figures, 2 tables.

Figures (6)

  • Figure 1: Adversarial images and corresponding perturbations at five levels of normalized $L_2$-dissimilarity for all four attacks.
  • Figure 2: Illustration of total variance minimization and image quilting applied to an original and an adversarial image (produced using I-FGSM with $\epsilon = 0.03$, corresponding to a normalized $L_2$-dissimilarity of 0.075). From left to right, the columns correspond to: (1) no transformation, (2) total variance minimization, and (3) image quilting. From top to bottom, rows correspond to: (1) the original image, (2) the corresponding adversarial image produced by I-FGSM, and (3) the absolute difference between the two images above. Difference images were multiplied by a constant scaling factor to increase visibility.
  • Figure 3: Block diagram detailing the differences between the experimental setups in Sections \ref{results_part1}, \ref{results_part2}, and \ref{results_part3}. We train networks (a) on regular images or (b) on transformed images; we test the networks on transformed adversarial images. For each of the three setups, dashed arrows indicate which model is used by the adversary and which model is used by the classification model.
  • Figure 4: Top-1 classification accuracy of ResNet-50 tested on transformed adversarial images produced by four attacks using five image transformations in a gray-box setting: (1) cropping-rescaling, (2) bit-depth reduction, (3) JPEG compression, (4) total variance minimization, and (5) image quilting. The dotted line shows the top-1 accuracy of the ResNet-50 model on non-adversarial images, providing an upper bound on the effectiveness of a defense. An $L_2$-dissimilarity of $0.00$ corresponds to the classification accuracy on non-adversarial images. Higher is better.
  • Figure 5: Top-1 classification accuracy of ResNet-50 trained and tested on transformed adversarial images produced by four attacks using five image transformations in a black-box setting: (1) cropping-rescaling, (2) bit-depth reduction, (3) JPEG compression, (4) total variance minimization, and (5) image quilting. The dotted line represents the top-1 accuracy of the ResNet-50 model on non-adversarial images, providing an upper bound on the effectiveness of a defense. An $L_2$-dissimilarity of $0.00$ corresponds to the classification accuracy on non-adversarial images. Higher is better.