Encryption Inspired Adversarial Defense for Visual Classification
This addresses the issue of reduced accuracy in conventional adversarial defenses for machine learning practitioners, though it appears incremental as it builds on existing encryption methods.
The paper tackles the problem of adversarial attacks in visual classification by proposing a defensive transform inspired by perceptual image encryption, achieving 91.55% accuracy on clean images and 89.66% on adversarial examples with noise distance 8/255 on CIFAR-10.
Conventional adversarial defenses reduce classification accuracy whether or not a model is under attacks. Moreover, most of image processing based defenses are defeated due to the problem of obfuscated gradients. In this paper, we propose a new adversarial defense which is a defensive transform for both training and test images inspired by perceptual image encryption methods. The proposed method utilizes a block-wise pixel shuffling method with a secret key. The experiments are carried out on both adaptive and non-adaptive maximum-norm bounded white-box attacks while considering obfuscated gradients. The results show that the proposed defense achieves high accuracy (91.55 %) on clean images and (89.66 %) on adversarial examples with noise distance of 8/255 on CIFAR-10 dataset. Thus, the proposed defense outperforms state-of-the-art adversarial defenses including latent adversarial training, adversarial training and thermometer encoding.