IEEE Access (Jan 2024)
Randomized Purifier Based on Low Adversarial Transferability for Adversarial Defense
Abstract
Deep neural networks are generally very vulnerable to adversarial attacks. To defend classifiers against adversarial attacks, Adversarial Purification (AP) was developed to neutralize adversarial perturbations using a generative model at the input stage. AP has the advantage that it can defend against various attacks without additional training of the classifier. Recently, AP techniques using energy-based models or diffusion models have achieved meaningful robustness with a randomized defense based on a stochastic process. However, since they require a great number of diffusion steps or sampling steps to purify attacked images, their computational cost is burdensome. To significantly reduce the computational cost while maintaining the performance of the randomized defense of AP, this paper proposes a novel randomized generative model called Randomized Purifier Based on Low Adversarial Transferability (RP-LAT). First, in order to select components that are useful for randomization, we analyze adversarial transferability with respect to the model components from the AP point of view. Then, based on this analysis, we replace the existing layers with a combination of components with low transferability, and randomly select the components of each layer during the forward pass. Experimental results prove that RP-LAT is computationally efficient and achieves state-of-the-art performance in terms of robustness against various types of attacks.
Keywords