
Invariance-powered Trustworthy Defense via Remove Then Restore

Xiaowei Fu, Yuhang Zhou, Lina Ma, Lei Zhang

TL;DR

The paper tackles the challenge of generalizing adversarial robustness beyond known attacks by exploiting attack-invariance. It introduces Pixel Surgery and Semantic Regeneration (PSSR), a two-stage defense that first removes salient perturbations and then regenerates healthy semantics via a Conditional Alignment Extrapolator with Adversarial R-Drop to reconcile robustness with accuracy. The approach is validated on MNIST, CIFAR-10, and CIFAR-100 against a suite of gradient-based and optimization-based attacks, including adaptive BPDA, showing competitive or superior performance and improved interpretability through visualization analyses. The work offers a principled framework for attack decomposition and invariance-based defense, with potential practical impact for safer deployment of DNNs in vision tasks.

Abstract

Adversarial attacks pose a challenge to the deployment of deep neural networks (DNNs), yet previous defense models overlook generalization to various attacks. Inspired by targeted therapies for cancer, we view adversarial samples as local lesions of natural benign samples, because a key finding is that the salient attack in an adversarial sample dominates the attacking process, while the trivial attack unexpectedly provides trustworthy evidence for obtaining generalizable robustness. Based on this finding, a Pixel Surgery and Semantic Regeneration (PSSR) model following the targeted-therapy mechanism is developed, which has three merits: 1) To remove the salient attack, a score-based Pixel Surgery module is proposed, which retains the trivial attack as a kind of invariance information. 2) To restore the discriminative content, a Semantic Regeneration module based on a conditional alignment extrapolator is proposed, which achieves pixel and semantic consistency. 3) To further harmonize robustness and accuracy, an intractable problem, a self-augmentation regularizer with adversarial R-Drop is designed. Experiments on numerous benchmarks show the superiority of PSSR.

Paper Structure (15 sections, 12 equations, 10 figures, 4 tables)

Figures (10)

  • Figure 1: Attacking performances. The salient attack alone drives the wrong prediction about as strongly as the full attack, while the trivial attack on its own leaves the model largely robust.
  • Figure 2: Trivial components and heatmaps are obtained by directly removing the salient pixels of each adversarial sample.
  • Figure 3: An adversarial sample is a local lesion of a benign sample, and our PSSR is analogous to targeted treatment followed by cell regeneration.
  • Figure 4: $\rm PSSR$ consists of two stages: Scoring-based pixel surgery (PS) and natural semantic regeneration (SR). SR consists of a conditional alignment extrapolator (CAE) and an adversarial R-Drop (ARD) regularizer. The input is not limited to adversarial samples.
  • Figure 5: CAE outputs "True" if and only if the regenerated sample meets three necessary conditions: no residual perturbation, no blurred extrapolation, and no unpaired extrapolation.
  • ...and 5 more figures
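The salient/trivial decomposition behind Figures 1 and 2 (and the first merit in the abstract) can be reproduced on a toy scale. The following is an added example, not code from the paper or its authors: it assumes a linear classifier on a 4x4 grayscale image, a constructed perturbation with a few large pushes and many tiny ones, and a per-pixel saliency score equal to the perturbation magnitude |delta|. That score needs the benign sample, so it is an offline analysis tool in the spirit of Figure 2, not the paper's inference-time scoring module, and the mean-fill in `pixel_surgery` is a placeholder for the learned Semantic Regeneration stage. All names here are the example's own.

```python
"""Salient/trivial decomposition of an adversarial perturbation (toy analysis).

Constructed example, not the paper's code. Images are flattened grayscale lists
in [0, 1]; the classifier is a linear logit w.x + b so every number can be
checked by hand. Assumed scoring rule: per-pixel magnitude |delta|, which
requires the benign sample and is therefore usable only offline.
"""
from typing import List, Tuple

Image = List[float]

# --- constructed 4x4 data (assumption, not data from the paper) ---------------
SIDE = 4
N = SIDE * SIDE
# linear classifier: strong weights on the diagonal, weak weights elsewhere
W = [1.0 if i % (SIDE + 1) == 0 else 0.1 for i in range(N)]
B = -2.0
BENIGN: Image = [0.5] * N


def logit(x: Image) -> float:
    """Linear score; class 1 if positive, class 0 otherwise."""
    return sum(w * v for w, v in zip(W, x)) + B


def predict(x: Image) -> int:
    return 1 if logit(x) > 0 else 0


def constructed_adversarial(benign: Image) -> Image:
    """Benign sample plus a constructed attack: a large push on each
    high-weight pixel (the salient part) and tiny alternating noise on the
    rest (the trivial part). Values are clipped to the valid pixel range."""
    adv = []
    for i, v in enumerate(benign):
        d = -0.3 if i % (SIDE + 1) == 0 else (0.01 if i % 2 == 0 else -0.01)
        adv.append(min(1.0, max(0.0, v + d)))
    return adv


def perturbation(benign: Image, adv: Image) -> Image:
    return [a - b for a, b in zip(adv, benign)]


def saliency_scores(delta: Image) -> List[float]:
    """Assumed score: absolute perturbation magnitude per pixel."""
    return [abs(d) for d in delta]


def salient_mask(scores: List[float], fraction: float) -> List[bool]:
    """Flag the top `fraction` of pixels by score as salient.
    Pixels tied with the k-th largest score are all flagged."""
    k = max(1, int(round(fraction * len(scores))))
    threshold = sorted(scores, reverse=True)[k - 1]
    return [s >= threshold for s in scores]


def decompose(delta: Image, mask: List[bool]) -> Tuple[Image, Image]:
    """Split delta into salient and trivial components (delta = salient + trivial)."""
    salient = [d if m else 0.0 for d, m in zip(delta, mask)]
    trivial = [0.0 if m else d for d, m in zip(delta, mask)]
    return salient, trivial


def pixel_surgery(adv: Image, mask: List[bool]) -> Image:
    """Remove the salient pixels. Stand-in for regeneration: fill each removed
    pixel with the mean of the retained (trivial) pixels. The paper's SR stage
    is a learned model; this fill is only an assumption for the toy."""
    kept = [a for a, m in zip(adv, mask) if not m]
    fill = sum(kept) / len(kept) if kept else 0.0
    return [fill if m else a for a, m in zip(adv, mask)]


def add(x: Image, d: Image) -> Image:
    """Apply a perturbation and clip back into the pixel range."""
    return [min(1.0, max(0.0, a + b)) for a, b in zip(x, d)]


def run_analysis(fraction: float = 0.25) -> dict:
    """Compare full, salient-only and trivial-only attacks and the surgery output."""
    adv = constructed_adversarial(BENIGN)
    delta = perturbation(BENIGN, adv)
    mask = salient_mask(saliency_scores(delta), fraction)
    salient, trivial = decompose(delta, mask)
    return {
        "benign": predict(BENIGN),
        "full": predict(adv),
        "salient_only": predict(add(BENIGN, salient)),
        "trivial_only": predict(add(BENIGN, trivial)),
        "after_surgery": predict(pixel_surgery(adv, mask)),
        "n_salient": sum(mask),
        "trivial_linf": max(abs(d) for d in trivial),
    }


if __name__ == "__main__":
    for key, val in run_analysis().items():
        print(f"{key:>14}: {val}")
```

On this constructed input the full attack and the salient component alone both flip the prediction, the trivial component alone does not, and removing the four flagged pixels restores the benign label. Two practitioner caveats: the toy is built to exhibit the decomposition, so it illustrates the paper's claim rather than testing it, and the hard top-k mask is exactly the kind of non-differentiable preprocessing that BPDA approximates with a surrogate gradient, which is why the TL;DR's adaptive-BPDA evaluation matters more than any gradient-based number.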