Edge enhancement improves adversarial robustness in image classification

L He, Q Ai, Y Lei, L Pan, Y Ren, Z Xu - Neurocomputing, 2023 - Elsevier
L He, Q Ai, Y Lei, L Pan, Y Ren, Z Xu
Neurocomputing, 2023Elsevier
Imperceptible adversarial examples are capable of deceiving the deep neural networks with
high confidence. Recent studies show that it is particularly effective to control the attack
space to low-frequency components of the image on the basis of adversarial training.
However, those methods face the problem of losing valuable knowledge, especially shape
information, which is vital for classification and robustness. To alleviate this issue, we
propose a new method based on edge detection, named Edge Enhancement (EE), which …
Abstract
Imperceptible adversarial examples are capable of deceiving the deep neural networks with high confidence. Recent studies show that it is particularly effective to control the attack space to low-frequency components of the image on the basis of adversarial training. However, those methods face the problem of losing valuable knowledge, especially shape information, which is vital for classification and robustness. To alleviate this issue, we propose a new method based on edge detection, named Edge Enhancement (EE), which can explicitly make up for the missing shape information in frequency constraints and further enhance the adversarial robustness. Specifically, we first employ a traditional edge detection algorithm called Canny to obtain shape information due to its simplicity and intrinsic robustness. Then, we augment the low-frequency space via obtained shape features, with the weighting operation carried on. This operation can be regarded as an emphasis on shape information, which could mitigate the texture bias of deep neural networks, thereby further serving the robustness. Finally, we feed the augmented features into the deep neural network. It is worth noting that these modules are optimized along with the deep neural network, which enables an end-to-end training fashion. Experimental results show that our proposed model can significantly improve adversarial robustness over the state-of-the-art methods on three benchmark datasets, including MNIST, Tiny ImageNet, and particularly ImageNet. For example, our method achieves 51.66% accuracy on ImageNet under 10-iteration targeted PGD white-box attack where the prior art has 36.94% accuracy. Code is available at https://github.com/Aiqz/Edge-Enhancement.
Elsevier
以上显示的是最相近的搜索结果。 查看全部搜索结果