MLLG Mar 28, 2018

Defending against Adversarial Images using Basis Functions Transformations

arXiv:1803.10840v3, 63 citations
Originality: Synthesis-oriented
AI Analysis

This work addresses adversarial-example vulnerabilities in image recognition systems and is aimed at AI practitioners, but it is incremental: it benchmarks existing basis-function defenses and proposes one attack variant tailored to them.

The paper tackles the problem of defending deep networks against adversarial attacks by testing basis function transformations such as JPEG compression and soft-thresholding. It finds that JPEG compression outperforms the other defenses in most settings, while soft-thresholding performs well in specific cases and costs less accuracy on benign examples. It also introduces a white-box attack whose perturbation is confined to a chosen subset of basis functions.

We study the effectiveness of various approaches that defend against adversarial attacks on deep networks via manipulations based on basis function representations of images. Specifically, we experiment with low-pass filtering, PCA, JPEG compression, low resolution wavelet approximation, and soft-thresholding. We evaluate these defense techniques using three types of popular attacks in black-, gray- and white-box settings. Our results show JPEG compression tends to outperform the other tested defenses in most of the settings considered, in addition to soft-thresholding, which performs well in specific cases and yields a milder decrease in accuracy on benign examples. In addition, we mathematically derive a novel white-box attack in which the adversarial perturbation is composed only of terms corresponding to a pre-determined subset of the basis functions, of which a "low frequency attack" is a special case.
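The abstract names two defenses (low-pass filtering and soft-thresholding of basis coefficients) and one attack (a perturbation built only from a chosen subset of basis functions). The following is an added illustration, not the paper's code or its released repository. It assumes an 8x8 grayscale image, the orthonormal 2-D DCT-II basis (the basis JPEG uses), a linear stand-in for the classifier so that the gradient is just the weight vector, and no clipping of pixels to [0, 1]; the weights and image are constructed here for the demo. It shows the point the attack is built on: a perturbation confined to the low-frequency subset passes a low-pass defense untouched, while a high-frequency perturbation is removed by it.

```python
import math

N = 8  # hypothetical N x N grayscale "image"; tiny so the pure-Python transforms stay fast


def dct_basis(n):
    """Orthonormal 1-D DCT-II basis: row k is phi_k sampled at i = 0..n-1."""
    basis = []
    for k in range(n):
        scale = math.sqrt(1.0 / n) if k == 0 else math.sqrt(2.0 / n)
        basis.append([scale * math.cos(math.pi * (2 * i + 1) * k / (2 * n)) for i in range(n)])
    return basis


def dct2(img, basis):
    """Coefficients c[u][v] = <img, phi_u (x) phi_v> over the separable 2-D basis."""
    n = len(img)
    return [[sum(img[i][j] * basis[u][i] * basis[v][j] for i in range(n) for j in range(n))
             for v in range(n)] for u in range(n)]


def idct2(coef, basis):
    """Inverse transform: pixels are sum_u sum_v c[u][v] phi_u(i) phi_v(j)."""
    n = len(coef)
    return [[sum(coef[u][v] * basis[u][i] * basis[v][j] for u in range(n) for v in range(n))
             for j in range(n)] for i in range(n)]


def is_low_freq(u, v, cutoff):
    """Membership test for the low-frequency subset of basis functions (assumed: u+v < cutoff)."""
    return u + v < cutoff


def low_pass(img, basis, cutoff):
    """Defense: keep only low-frequency coefficients, zero the rest, transform back."""
    n = len(img)
    coef = dct2(img, basis)
    kept = [[coef[u][v] if is_low_freq(u, v, cutoff) else 0.0 for v in range(n)] for u in range(n)]
    return idct2(kept, basis)


def soft_threshold(img, basis, lam):
    """Defense: shrink every coefficient toward zero by lam, which erases small-magnitude noise."""
    coef = dct2(img, basis)
    shrunk = [[math.copysign(max(abs(c) - lam, 0.0), c) for c in row] for row in coef]
    return idct2(shrunk, basis)


def subspace_attack(grad, basis, keep, eps):
    """Perturbation composed only of basis functions selected by keep(u, v): project the
    gradient onto that subspace, then scale it to an L-infinity budget eps.  A sign step
    (as in FGSM) would leave the subspace, so plain scaling is used instead."""
    n = len(grad)
    coef = dct2(grad, basis)
    masked = [[coef[u][v] if keep(u, v) else 0.0 for v in range(n)] for u in range(n)]
    delta = idct2(masked, basis)
    m = max(abs(x) for row in delta for x in row)
    if m == 0.0:
        return delta
    return [[-eps * x / m for x in row] for row in delta]  # negative: push the score down


def score(w, img):
    """Stand-in for a classifier logit: linear in the pixels, so its gradient is w."""
    return sum(w[i][j] * img[i][j] for i in range(len(w)) for j in range(len(w)))


def add(a, b):
    return [[a[i][j] + b[i][j] for j in range(len(a))] for i in range(len(a))]


def run_demo(cutoff=4, eps=0.05):
    """Compare low- and high-frequency attacks with and without the low-pass defense."""
    basis = dct_basis(N)
    # constructed weights: a smooth ramp (low-frequency energy) plus a checkerboard (high-frequency)
    w = [[(i + j) / (2 * (N - 1)) + 0.5 * (-1) ** (i + j) for j in range(N)] for i in range(N)]
    x = [[0.5 for _ in range(N)] for _ in range(N)]  # constructed flat grey image
    low = subspace_attack(w, basis, lambda u, v: is_low_freq(u, v, cutoff), eps)
    high = subspace_attack(w, basis, lambda u, v: not is_low_freq(u, v, cutoff), eps)
    base = score(w, low_pass(x, basis, cutoff))
    return {
        "undefended_low": score(w, add(x, low)) - score(w, x),
        "undefended_high": score(w, add(x, high)) - score(w, x),
        "defended_low": score(w, low_pass(add(x, low), basis, cutoff)) - base,
        "defended_high": score(w, low_pass(add(x, high), basis, cutoff)) - base,
    }


if __name__ == "__main__":
    for name, change in run_demo().items():
        print(f"{name}: score change {change:+.4f}")
```

Both attacks lower the score on the undefended model; after low-pass filtering the high-frequency attack has no effect at all, while the low-frequency attack is unchanged because its perturbation already lies in the subspace the defense keeps. The same reasoning explains why a defense that discards high-frequency coefficients (JPEG quantisation, wavelet approximation) cannot by itself stop an attacker who confines the perturbation to the retained coefficients.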

Code Implementations: 1 repo
Foundations

The foundational work for this paper's niche, ranked by how specifically the neighbourhood builds on it — not by global fame.
