IEEE INFOCOM 2021 - IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS) | 2021

Transferable Adversarial Defense by Fusing Reconstruction Learning and Denoising Learning


Abstract

Deep neural networks have been shown to be fragile to adversarial examples. Some powerful defense methods have been proposed; however, these methods usually involve modifying the model training process, which often requires more computational effort. In this paper, we propose a novel defense method that can be directly applied to unmodified off-the-shelf models. Our method adopts a standard denoiser to preserve the original features. A standard denoiser alone, however, cannot remove adversarial perturbations effectively; the residual perturbations are progressively amplified by the classifier and lead to incorrect classification. Therefore, we add a denoising module to our method, in which the magnified adversarial perturbations are used to guide the training of our approach. The proposed method effectively removes adversarial perturbations while preserving the original characteristics. Consequently, our method has good transferability: once trained, it can easily be reused to protect different models. Extensive experiments show that our method performs strongly against both white-box and black-box attacks. Especially when protecting different models, our method outperforms the state-of-the-art defenses by a large margin.

Pages 1-6
DOI 10.1109/INFOCOMWKSHPS51825.2021.9484542
Language English
Journal IEEE INFOCOM 2021 - IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS)