LG, NA, ML | Sep 23, 2018

Adversarial Defense via Data Dependent Activation Function and Total Variation Minimization

arXiv:1809.08516v3, 20 citations

AI Analysis

This paper addresses the security problem of adversarial vulnerability in deep learning models, which matters wherever an application depends on reliable predictions.

The paper improves deep neural network robustness to adversarial attacks by using a data-dependent activation function, which raises the robust accuracy of ResNet20 on CIFAR10 under IFGSM attacks from ~46% to ~69%; combining it with total variation minimization and data augmentation yields a 38.9% improvement for ResNet56.

We improve the robustness of Deep Neural Nets (DNNs) to adversarial attacks by using an interpolating function as the output activation. This data-dependent activation remarkably improves both the generalization and robustness of DNNs. In the CIFAR10 benchmark, we raise the robust accuracy of the adversarially trained ResNet20 from $\sim 46\%$ to $\sim 69\%$ under the state-of-the-art Iterative Fast Gradient Sign Method (IFGSM) based adversarial attack. When we combine this data-dependent activation with total variation minimization on adversarial images and training data augmentation, we achieve an improvement in robust accuracy of $38.9\%$ for ResNet56 under the strongest IFGSM attack. Furthermore, we provide an intuitive explanation of our defense by analyzing the geometry of the feature space.
