
Mitigating Adversarial Effects Through Randomization

Cihang Xie, Jianyu Wang, Zhishuai Zhang, Zhou Ren, Alan Yuille

TL;DR

CNNs are highly vulnerable to adversarial examples, which motivates a defense applied at inference time rather than during training. The authors add two lightweight, training-free layers in front of the classifier: random resizing, which rescales the input to a randomly chosen size, and random padding, which places the rescaled image at a random offset inside a zero-filled canvas. Because the attacker cannot know which of the many possible resize-and-pad patterns will be drawn, a perturbation crafted for one pattern is less likely to survive the transformation, and this is especially effective against iterative attacks. On ImageNet-scale experiments and in the NIPS 2017 adversarial examples defense challenge, combining the randomization layers with an adversarially trained model improves robustness markedly and reaches state-of-the-art performance when paired with ensemble adversarial training, while leaving clean-image accuracy essentially unchanged. The method is simple, cheap, and compatible with other architectures and defenses, and the code is publicly available.

Abstract

Convolutional neural networks have demonstrated high accuracy on various tasks in recent years. However, they are extremely vulnerable to adversarial examples. For example, imperceptible perturbations added to clean images can cause convolutional neural networks to fail. In this paper, we propose to utilize randomization at inference time to mitigate adversarial effects. Specifically, we use two randomization operations: random resizing, which resizes the input images to a random size, and random padding, which pads zeros around the input images in a random manner. Extensive experiments demonstrate that the proposed randomization method is very effective at defending against both single-step and iterative attacks. Our method provides the following advantages: 1) no additional training or fine-tuning, 2) very few additional computations, 3) compatible with other adversarial defense methods. By combining the proposed randomization method with an adversarially trained model, it achieves a normalized score of 0.924 (ranked No.2 among 107 defense teams) in the NIPS 2017 adversarial examples defense challenge, which is far better than using adversarial training alone with a normalized score of 0.773 (ranked No.56). The code is publicly available at https://github.com/cihangxie/NIPS2017_adv_challenge_defense.
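The two randomization operations the abstract describes (random resizing to a size drawn at inference time, then random zero padding to a fixed canvas) are small enough to show end to end. The block below is an added illustration written for this page, not the authors' released code; it works on a plain list-of-rows image with nearest-neighbour resizing so that it runs without any image library. The concrete sizes used in the demo (a 299-pixel input, a random size in [299, 331), padding to a 331-pixel canvas) are my recollection of the paper's ImageNet setup and are assumptions here; the functions take the sizes as parameters.

```python
import random


def resize_nearest(img, new_h, new_w):
    """Nearest-neighbour resize of an image given as a list of rows (H x W).

    Pixels may be scalars or tuples; they are copied, never interpolated,
    which keeps the example free of any numeric library.
    """
    h, w = len(img), len(img[0])
    return [[img[y * h // new_h][x * w // new_w] for x in range(new_w)]
            for y in range(new_h)]


def zero_pad(img, target_h, target_w, top, left, fill=0):
    """Place img inside a target_h x target_w canvas of `fill` at offset (top, left)."""
    h, w = len(img), len(img[0])
    if top < 0 or left < 0 or top + h > target_h or left + w > target_w:
        raise ValueError("resized image does not fit the padding canvas")
    canvas = [[fill] * target_w for _ in range(target_h)]
    for y in range(h):
        canvas[top + y][left:left + w] = list(img[y])
    return canvas


def randomize_input(img, min_size, max_size, rng, fill=0):
    """Random resizing followed by random padding, as in the Figure 2 pipeline.

    rnd is drawn uniformly from [min_size, max_size); the resized image is then
    dropped at a uniformly random (top, left) offset inside a max_size canvas.
    The drawn pattern is returned alongside the image so a caller can log it;
    the classifier itself never learns which pattern was used.
    """
    rnd = rng.randrange(min_size, max_size)
    resized = resize_nearest(img, rnd, rnd)
    slack = max_size - rnd                 # slack + 1 possible offsets per axis
    top = rng.randint(0, slack)
    left = rng.randint(0, slack)
    return zero_pad(resized, max_size, max_size, top, left, fill), (rnd, top, left)


def count_patterns(min_size, max_size):
    """Number of distinct (size, top, left) patterns the two layers can produce.

    Each size rnd admits (max_size - rnd + 1)^2 placements, so the attacker
    would have to cover every one of them to be sure the perturbation survives.
    """
    return sum((max_size - rnd + 1) ** 2 for rnd in range(min_size, max_size))


if __name__ == "__main__":
    # Constructed toy input: a 4x4 image with distinct pixel values.
    toy = [[4 * y + x + 1 for x in range(4)] for y in range(4)]
    rng = random.Random(2017)
    padded, pattern = randomize_input(toy, 4, 7, rng)
    print("pattern (rnd, top, left):", pattern)
    for row in padded:
        print(" ".join(f"{v:2d}" for v in row))
    # Assumed paper configuration: 299 -> [299, 331) -> 331 canvas.
    print("patterns for 299->331:", count_patterns(299, 331))
```

Two things are worth noticing when running it. First, every draw of `rng` yields a different canvas for the same input, so a perturbation computed against one (rnd, top, left) lands on different pixels, and at a different scale, the next time the image is classified; that mismatch is the whole defense. Second, the defense therefore stands or falls on the attacker not controlling the draw: the ensemble-pattern attack scenario evaluated in Figure 5 is the page's own check of what happens when an attacker optimizes a perturbation over many patterns at once, and any deployment should use an unpredictable, non-seeded random source rather than the fixed seed used here for reproducibility.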

Paper Structure

This paper contains 24 sections, 1 equation, 5 figures, 12 tables.

Figures (5)

  • Figure 1: This is an adversarial example crafted for VGG (Simonyan and Zisserman, 2015). The left image is classified correctly as king penguin, the center image is the adversarial perturbation (magnified by 10 and enlarged by 128 for better visualization), and the right image is the adversarial example misclassified as chihuahua.
  • Figure 2: The pipeline of our randomization-based defense mechanism. The input image $X_n$ first goes through the random resizing layer with a random scale applied. Then the random padding layer pads the resized image $X_n^{\prime}$ in a random manner. The resulting padded image $X_n^{\prime\prime}$ is used for classification.
  • Figure 3: Top-$1$ classification accuracy on the clean images and the adversarial examples generated under the vanilla attack scenario.
  • Figure 4: Top-$1$ classification accuracy on the adversarial examples generated under the single-pattern attack scenario.
  • Figure 5: Top-$1$ classification accuracy on the adversarial examples generated under the ensemble-pattern attack scenario.