Abstract
Although convolutional neural networks (CNNs) have advanced to demonstrate superior performance in image classification tasks, often surpassing human capability, the feature space of CNNs trained with a typical training method is limited by smaller-than-expected inter-class variances. Consequently, CNNs are prone to misclassifying adversarial examples with high confidence, even though the difference between an adversarial example and a normal input is indistinguishable to human beings. To alleviate this problem, we propose a training methodology that defends against adversarial attacks through a constraint that applies a class-specific differentiation to the feature space of CNNs. The proposed methodology first forces the feature representations corresponding to each class to be localized on the surface of a hypersphere with a particular radius. The forced representations are then trained to lie as close to the center of the hypersphere as possible, resulting in feature representations with a small intra-class variance and large inter-class variances. The experimental results reveal that the proposed two-step training method enhances defense performance by 17.1%p and trains up to 30 times faster than the existing distance-based adversarial defense methodology. The code is available at: https://github.com/lepoeme20/cost-free-adversarial-defense
| Original language | English |
|---|---|
| Article number | 103599 |
| Journal | Computer Vision and Image Understanding |
| Volume | 227 |
| DOIs | |
| Publication status | Published - 2023 Jan |
Bibliographical note
Funding Information: This work was supported by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIT) (NRF-2022R1A2C2005455). This work was also supported by the Institute of Information & communications Technology Planning & Evaluation (IITP) grant funded by the Korea government (MSIT) (No. 2021-0-00471, Development of Autonomous Control Technology for Error-Free Information Infrastructure Based on Modeling & Optimization).
Publisher Copyright:
© 2022 Elsevier Inc.
Keywords
- Adversarial defense
- Adversarial robustness
- Distance-based defense
- White-box attack
ASJC Scopus subject areas
- Software
- Signal Processing
- Computer Vision and Pattern Recognition