Towards Robust Image Classification Using Sequential Attention Models
This work addresses robustness issues in image classification for AI safety, representing an incremental advance by combining attention mechanisms with adversarial training.
The paper tackles improving adversarial robustness in image classification by integrating a human-inspired sequential attention model into a neural network, achieving state-of-the-art ImageNet accuracies under various targeted attacks and showing that adversarial examples from this model contain globally coherent structures that distract attention.
In this paper we propose to augment a modern neural-network architecture with an attention model inspired by human perception. Specifically, we adversarially train and analyze a neural model incorporating a human inspired, visual attention component that is guided by a recurrent top-down sequential process. Our experimental evaluation uncovers several notable findings about the robustness and behavior of this new model. First, introducing attention to the model significantly improves adversarial robustness resulting in state-of-the-art ImageNet accuracies under a wide range of random targeted attack strengths. Second, we show that by varying the number of attention steps (glances/fixations) for which the model is unrolled, we are able to make its defense capabilities stronger, even in light of stronger attacks --- resulting in a "computational race" between the attacker and the defender. Finally, we show that some of the adversarial examples generated by attacking our model are quite different from conventional adversarial examples --- they contain global, salient and spatially coherent structures coming from the target class that would be recognizable even to a human, and work by distracting the attention of the model away from the main object in the original image.