Test-Time Defense Against Adversarial Attacks via Stochastic Resonance of Latent Ensembles

Dong Lao, Yuxiang Zhang, Haniyeh Ehsani Oskouie, Yangchao Wu, Alex Wong, Stefano Soatto

TL;DR

The paper addresses the vulnerability of deep networks to adversarial perturbations by introducing a test-time defense based on stochastic resonance in latent space. It applies small integer-pixel translations to the input and ensembles the resulting embeddings through a latent-space push-forward/inverse operation, yielding a training-free, architecture-agnostic defense. The approach delivers state-of-the-art robustness on image classification, including against adaptive attacks that know the defense is in place, and extends to dense prediction tasks such as stereo matching and optical flow. The number of translations is a knob that can be tuned to the available computational budget, so the method scales across tasks and architectures.

Abstract

We propose a test-time defense mechanism against adversarial attacks: imperceptible image perturbations that significantly alter the predictions of a model. Unlike existing methods that rely on feature filtering or smoothing, which can lead to information loss, we propose to "combat noise with noise" by leveraging stochastic resonance to enhance robustness while minimizing information loss. Our approach introduces small translational perturbations to the input image, aligns the transformed feature embeddings, and aggregates them before mapping back to the original reference image. This can be expressed in a closed-form formula, which can be deployed on diverse existing network architectures without introducing additional network modules or fine-tuning for specific attack types. The resulting method is entirely training-free, architecture-agnostic, and attack-agnostic. Empirical results show state-of-the-art robustness on image classification and, for the first time, establish a generic test-time defense for dense prediction tasks, including stereo matching and optical flow, highlighting the method's versatility and practicality. Specifically, relative to clean (unperturbed) performance, our method recovers up to 68.1% of the accuracy loss on image classification, 71.9% on stereo matching, and 29.2% on optical flow under various types of adversarial attacks.
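The mechanism described in the abstract, as an added illustration in numpy (this is not the paper's code, and it does not reproduce the authors' closed-form formula): a toy patch-embedding extractor stands in for a strided network, `translate` applies and inverts integer-pixel shifts with zero fill, and `latent_ensemble` pushes each shifted view's latent map back to pixel resolution (nearest-neighbour upsampling is an assumed choice), inverts the shift, masks patches contaminated by the zero fill, and averages over views. `fgsm` crafts a non-adaptive attack against the undefended single pass. The image, weights, shift set and epsilon are all constructed for the example.

```python
import numpy as np

# Constructed toy setting (assumption: the paper's actual formula and network are
# not reproduced here; this only shows the mechanics of the latent ensemble).
H = W = 16      # image size
P = 4           # patch size = feature stride of the toy extractor
D = 8           # latent channels
SHIFTS = [(dy, dx) for dy in (-1, 0, 1) for dx in (-1, 0, 1)]   # 3x3 integer-pixel translations

_rng = np.random.default_rng(0)
W_EMBED = _rng.standard_normal((D, P * P)) / P   # fixed random patch embedding (constructed)
V_HEAD = _rng.standard_normal(D)                # fixed random linear head (constructed)


def _to_patches(x):
    """(H, W) image -> (num_patches, P*P) rows of non-overlapping PxP patches."""
    return x.reshape(H // P, P, W // P, P).transpose(0, 2, 1, 3).reshape(-1, P * P)


def extract(x):
    """Patch embedding + ReLU: a stand-in for a strided conv / ViT tokenizer.
    Non-overlapping patches make it NOT equivariant to 1-pixel shifts, which is
    exactly when ensembling aligned latents changes the result."""
    z = np.maximum(_to_patches(x) @ W_EMBED.T, 0.0)          # (num_patches, D)
    return z.T.reshape(D, H // P, W // P)


def head(z):
    """Global average pool over space, then a linear logit."""
    return float(z.reshape(z.shape[0], -1).mean(axis=1) @ V_HEAD)


def translate(a, dy, dx):
    """Integer translation of the last two axes by (dy, dx), zero-filling the
    vacated border (no wrap-around): translate(-dy, -dx) undoes it on the
    region that stayed inside the frame."""
    out = np.zeros_like(a)
    Hh, Ww = a.shape[-2:]
    ys, yd = (slice(0, Hh - dy), slice(dy, Hh)) if dy >= 0 else (slice(-dy, Hh), slice(0, Hh + dy))
    xs, xd = (slice(0, Ww - dx), slice(dx, Ww)) if dx >= 0 else (slice(-dx, Ww), slice(0, Ww + dx))
    out[..., yd, xd] = a[..., ys, xs]
    return out


def _upsample(z):
    """Nearest-neighbour push-forward of a stride-P map to pixel resolution (assumed choice)."""
    return np.repeat(np.repeat(z, P, axis=-2), P, axis=-1)


def latent_ensemble(x, shifts=SHIFTS):
    """Test-time latent ensemble: run the extractor on each translated view, pull
    every latent back into the reference frame, and average per pixel over the
    views whose content there was real image data rather than zero fill."""
    acc = np.zeros((D, H, W))
    cnt = np.zeros((H, W))
    for dy, dx in shifts:
        real = translate(np.ones((H, W)), dy, dx)                     # 1 where the view has real pixels
        valid = real.reshape(H // P, P, W // P, P).min(axis=(1, 3))   # patch untouched by zero fill
        z = extract(translate(x, dy, dx)) * valid                     # drop contaminated patches
        acc += translate(_upsample(z), -dy, -dx)                      # inverse translation in latent space
        cnt += translate(_upsample(valid), -dy, -dx)
    return acc / np.maximum(cnt, 1.0)


def logit_single(x):
    return head(extract(x))


def logit_defended(x, shifts=SHIFTS):
    return head(latent_ensemble(x, shifts))


def fgsm(x, eps):
    """FGSM against the undefended single-pass model (attacker unaware of the
    ensemble, i.e. the non-adaptive setting). Analytic gradient of the toy model:
    d logit / d patch = (ReLU gate * V_HEAD) @ W_EMBED / num_patches."""
    n = (H // P) * (W // P)
    gate = (_to_patches(x) @ W_EMBED.T > 0.0).astype(float)           # (n, D)
    grad_p = (gate * V_HEAD) @ W_EMBED / n                            # (n, P*P)
    grad = grad_p.reshape(H // P, W // P, P, P).transpose(0, 2, 1, 3).reshape(H, W)
    return np.clip(x + eps * np.sign(grad), 0.0, 1.0)


def sample_image(seed=1):
    """Constructed random test image in [0, 1]; not real data."""
    return np.random.default_rng(seed).random((H, W))


def demo(eps=0.03):
    """Absolute logit change caused by the same FGSM example, undefended vs defended."""
    x = sample_image()
    x_adv = fgsm(x, eps)
    return {
        "single": abs(logit_single(x_adv) - logit_single(x)),
        "defended": abs(logit_defended(x_adv) - logit_defended(x)),
    }


if __name__ == "__main__":
    print(demo())
```

Running the file prints the absolute logit change for the undefended pass and for the defended ensemble on the same FGSM example. With only the zero shift in `SHIFTS` the ensemble reproduces the single pass exactly, which is the "minimal information loss" property; with more shifts the perturbation crafted for one patch alignment is misaligned in every other view, so its effect on the averaged latent shrinks. The size of `SHIFTS` is the compute-budget knob. The toy does not show the latent-versus-output-space comparison, since with a linear global-pool head the two coincide, and it says nothing about adaptive attacks, which would differentiate through the ensemble itself.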

Paper Structure

This paper contains 12 sections, 21 equations, 12 figures, 4 tables.

Figures (12)

  • Figure 1: Defense against adversarial attacks via stochastic resonance. Neural networks are highly sensitive to small perturbations in the input space, which adversarial attacks exploit to manipulate network outputs. Conventional defense strategies primarily focus on filtering out unreliable features or denoising either the input or the features. Instead of removing noise, we propose a novel defense by introducing noise. Based on stochastic resonance, controlled transformations are introduced to the input. Features are then aggregated after inverting these transformations. The resulting method can be applied exclusively at inference time, requires no training, and is compatible with diverse network architectures. Notably, it not only improves robustness against adversarial attacks but also increases the difficulty of crafting successful adversarial examples, even when the attacker is fully aware of whether and how stochastic resonance is being used (i.e. adaptive attacks).
  • Figure 2: Results on CIFAR-10 under varying levels of stochastic resonance. Increasing the stochastic resonance level consistently enhances robustness across all settings, yielding clear gains over the baseline method (FSR). Notably, our approach achieves superior performance even under adaptive adversarial attacks (Ours-WorstCase), despite the baseline being evaluated only in the non-adaptive case.
  • Figure 3: Stereo matching robustness via stochastic resonance. We present visual results on stereo matching under various adversarial attack scenarios, including PGD and FGSM at different perturbation levels. These attacks significantly degrade the network's predictions, leading to substantial errors. By incorporating stochastic resonance, we demonstrate a significant reduction in prediction errors. This technique holds significant potential for improving robustness in safety-critical real-world applications, such as autonomous driving, where stereo vision must remain reliable under diverse environmental conditions and adversarial threats.
  • Figure 4: Enhanced optical flow robustness with stochastic resonance. Under PGD and FGSM, stochastic resonance significantly reduces endpoint error in optical flow estimation. Notably, our method performs ensembling in the latent feature space rather than the output space, providing greater flexibility. While ensembling in the output space offers minor performance gains, our approach consistently achieves superior robustness across all levels of stochastic resonance.
  • Figure 5: Optical flow robustness via stochastic resonance. Qualitative results (visualized with a color wheel) show that our method substantially mitigates the degradation caused by both PGD and FGSM attacks. This robustness is particularly relevant for visual perception systems that rely on accurate motion estimation.
  • ...and 7 more figures