CV · AI · Jun 14, 2022

Exploring Adversarial Attacks and Defenses in Vision Transformers trained with DINO

ETH Zurich
arXiv:2206.06761v4 · 9 citations · h-index: 17
Originality: Incremental advance
AI Analysis

It addresses adversarial robustness in self-supervised vision models, which is an incremental contribution to security in computer vision.

This paper analyzes the robustness of self-supervised Vision Transformers trained with DINO against adversarial attacks, finding that self-supervised features are more robust than supervised ones and evaluating three defense strategies for improving robustness in downstream tasks with limited compute.

This work conducts the first analysis on the robustness against adversarial attacks on self-supervised Vision Transformers trained using DINO. First, we evaluate whether features learned through self-supervision are more robust to adversarial attacks than those emerging from supervised learning. Then, we present properties arising for attacks in the latent space. Finally, we evaluate whether three well-known defense strategies can increase adversarial robustness in downstream tasks by only fine-tuning the classification head to provide robustness even in view of limited compute resources. These defense strategies are: Adversarial Training, Ensemble Adversarial Training and Ensemble of Specialized Networks.

Code Implementations: 1 repo