LG, AI, ML · Aug 29, 2020

Improving Resistance to Adversarial Deformations by Regularizing Gradients

arXiv:2008.12997v2 · 4 citations
AI Analysis

This work addresses the security of deep models in realistic applications by focusing on adversarial deformations; it is an incremental improvement over existing defenses, which primarily target intensity perturbations.

The paper tackles the problem of improving deep neural networks' resistance to adversarial deformations, a type of location perturbation that defense methods often overlook, by proposing flow gradient regularization. The results show that this method achieves better resistance than input gradient regularization and adversarial training across multiple datasets and architectures, with significant margins, and that it also improves performance against unseen attacks.

Improving the resistance of deep neural networks against adversarial attacks is important for deploying models in realistic applications. However, most defense methods are designed to defend against intensity perturbations and ignore location perturbations, which should be equally important for deep model security. In this paper, we focus on adversarial deformations, a typical class of location perturbations, and propose a flow gradient regularization to improve the resistance of models. Theoretically, we prove that, compared with input gradient regularization, regularizing flow gradients yields a tighter bound. Over multiple datasets, architectures, and adversarial deformations, our empirical results indicate that models trained with flow gradient regularization acquire better resistance than models trained with input gradient regularization, by a large margin, and also better than models trained adversarially. Moreover, compared with directly training with adversarial deformations, our method achieves better results against unseen attacks, and combining the two methods improves the resistance further.
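To make the distinction between the two regularizers concrete, here is an added NumPy illustration; it is not the paper's code and does not reproduce its theorem. It assumes (my choices, not the paper's) a single-channel image, a per-pixel flow field applied by bilinear resampling with clamped borders, and a logistic-regression classifier so that every gradient can be written by hand. The flow gradient is obtained by the chain rule through the warp: at the identity flow, the derivative of a resampled pixel with respect to its own flow vector is the local spatial image gradient, so dL/df(p) = dL/dx(p) * grad_img(p). The block checks that relation against finite differences and shows the first-order consequence: the flow-gradient penalty is bounded by the input-gradient penalty scaled by the largest squared local image gradient, which is zero wherever the image is flat.

```python
"""Flow-gradient vs input-gradient regularization on a tiny, hand-differentiated model.

Added illustration, not the paper's code.  Assumptions (mine, not the paper's):
  * inputs are single-channel H x W images with values in [0, 1];
  * a deformation is a flow field f of shape (H, W, 2) holding per-pixel
    (dx, dy) offsets, applied by bilinear resampling with clamped borders;
  * the classifier is logistic regression on the flattened image, so every
    gradient can be written by hand in NumPy and no autograd is needed.
"""
import numpy as np


def warp(img, flow):
    """Bilinear resampling: out[y, x] = img[y + flow[y, x, 1], x + flow[y, x, 0]]."""
    h, w = img.shape
    ys, xs = np.mgrid[0:h, 0:w].astype(float)
    sx = np.clip(xs + flow[..., 0], 0, w - 1)
    sy = np.clip(ys + flow[..., 1], 0, h - 1)
    x0, y0 = np.floor(sx).astype(int), np.floor(sy).astype(int)
    x1, y1 = np.minimum(x0 + 1, w - 1), np.minimum(y0 + 1, h - 1)
    wx, wy = sx - x0, sy - y0
    top = (1 - wx) * img[y0, x0] + wx * img[y0, x1]
    bot = (1 - wx) * img[y1, x0] + wx * img[y1, x1]
    return (1 - wy) * top + wy * bot


def _sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))


def loss(img, weights, bias, label):
    """Binary cross-entropy of logistic regression on the flattened image."""
    p = _sigmoid(np.dot(weights.ravel(), img.ravel()) + bias)
    return float(-(label * np.log(p) + (1 - label) * np.log(1 - p)))


def input_gradient(img, weights, bias, label):
    """dL/dx written out by hand: (sigmoid(z) - y) * w, shape (H, W)."""
    p = _sigmoid(np.dot(weights.ravel(), img.ravel()) + bias)
    return (p - label) * weights


def image_gradient(img):
    """Spatial gradient (d/dx, d/dy) by central differences with replicated edges.

    For bilinear resampling this equals d warp(img, f) / df at f = 0: the kink of
    the interpolant at integer coordinates averages to the central difference."""
    pad = np.pad(img, 1, mode="edge")
    gx = (pad[1:-1, 2:] - pad[1:-1, :-2]) / 2.0
    gy = (pad[2:, 1:-1] - pad[:-2, 1:-1]) / 2.0
    return np.stack([gx, gy], axis=-1)


def flow_gradient(img, weights, bias, label):
    """dL/df at the identity flow, by the chain rule through the warp:
    dL/df(p) = dL/dx(p) * grad_img(p).  Shape (H, W, 2)."""
    return input_gradient(img, weights, bias, label)[..., None] * image_gradient(img)


def input_grad_penalty(img, weights, bias, label):
    """||dL/dx||^2, the input-gradient regularizer."""
    return float(np.sum(input_gradient(img, weights, bias, label) ** 2))


def flow_grad_penalty(img, weights, bias, label):
    """||dL/df||^2 at f = 0, the flow-gradient regularizer."""
    return float(np.sum(flow_gradient(img, weights, bias, label) ** 2))


def flow_gradient_fd(img, weights, bias, label, step=1e-4):
    """Numerical check of flow_gradient: central differences through warp(),
    one flow component at a time (slow, only for small images)."""
    h, w = img.shape
    out = np.zeros((h, w, 2))
    for y in range(h):
        for x in range(w):
            for c in range(2):
                f = np.zeros((h, w, 2))
                f[y, x, c] = step
                lp = loss(warp(img, f), weights, bias, label)
                f[y, x, c] = -step
                lm = loss(warp(img, f), weights, bias, label)
                out[y, x, c] = (lp - lm) / (2 * step)
    return out


def make_sample(seed=0):
    """Constructed input: an 8x8 image with a bright square and random weights."""
    rng = np.random.default_rng(seed)
    img = np.zeros((8, 8))
    img[2:6, 3:7] = 1.0
    weights = rng.normal(scale=0.2, size=(8, 8))
    return img, weights, 0.0, 1


if __name__ == "__main__":
    img, weights, bias, label = make_sample()
    diff = flow_gradient(img, weights, bias, label) - flow_gradient_fd(img, weights, bias, label)
    print("max |analytic - finite diff| =", np.abs(diff).max())
    print("input-gradient penalty:", input_grad_penalty(img, weights, bias, label))
    print("flow-gradient penalty: ", flow_grad_penalty(img, weights, bias, label))
    # First-order reason the flow bound is tighter: the flow penalty is at most
    # the input penalty scaled by the largest squared local image gradient.
    bound = np.sum(image_gradient(img) ** 2, axis=-1).max() * input_grad_penalty(img, weights, bias, label)
    print("bound via max |grad img|^2:", bound)
```

In training, either penalty would be added to the data loss with a weight and differentiated with respect to the model parameters; with a real network the chain-rule step above is what autograd through the warp computes for you. Note that the finite-difference step must stay below one pixel, since the bilinear interpolant is linear only within a grid cell.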

Code Implementations: 1 repo
