
How to defend against adversarial attacks: Ensemble Generative Cleaning with Feedback Loops (CS CV) --- Liu Chicheng

Effective defense of deep neural networks against adversarial attacks remains a challenging problem, especially under powerful white-box attacks. In this paper, we develop a new method called ensemble generative cleaning with feedback loops (EGC-FL) for the effective defense of deep neural networks. The proposed EGC-FL method rests on two central ideas. First, we introduce a transformed deadzone layer into the defense network, consisting of an orthonormal transform and a deadzone-based activation function, to destroy the sophisticated noise pattern of adversarial attacks. Second, by constructing a generative cleaning network with a feedback loop, we are able to generate an ensemble of diverse estimates of the original clean image. We then train a network to fuse this set of diverse estimates together to restore the original image. Our extensive experimental results show that our approach makes large advances under both white-box and black-box attacks. On the SVHN dataset it improves classification accuracy over the second-best method by more than 29% under white-box PGD attacks, and by more than 39% on the challenging CIFAR-10 dataset.

Original title: Ensemble Generative Cleaning with Feedback Loops for Defending Adversarial Attacks

Original abstract: Effective defense of deep neural networks against adversarial attacks remains a challenging problem, especially under powerful white-box attacks. In this paper, we develop a new method called ensemble generative cleaning with feedback loops (EGC-FL) for effective defense of deep neural networks. The proposed EGC-FL method is based on two central ideas. First, we introduce a transformed deadzone layer into the defense network, which consists of an orthonormal transform and a deadzone-based activation function, to destroy the sophisticated noise pattern of adversarial attacks. Second, by constructing a generative cleaning network with a feedback loop, we are able to generate an ensemble of diverse estimations of the original clean image. We then learn a network to fuse this set of diverse estimations together to restore the original image. Our extensive experimental results demonstrate that our approach improves the state of the art by large margins in both white-box and black-box attacks. It significantly improves the classification accuracy for white-box PGD attacks upon the second best method by more than 29% on the SVHN dataset and more than 39% on the challenging CIFAR-10 dataset.

Original authors: Jianhe Yuan, Zhihai He

Original link: https://arxiv.org/abs/2004.11273
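The first of the two ideas, the transformed deadzone layer, as an added illustration that is not the paper's code (the page gives no implementation): an orthonormal transform, a deadzone activation on the coefficients, and the inverse transform, in plain Python. The DCT as the orthonormal transform, the threshold t, and the gradient-plus-random-sign input are all assumptions made here; the point shown is that a low-amplitude perturbation spread across pixels maps to many small coefficients that the deadzone removes, while the smooth image content survives in a few large ones.

```python
import math
import random

def dct_matrix(n):
    # Orthonormal DCT-II basis, n x n. The page does not name the paper's
    # orthonormal transform; the DCT is an assumed stand-in for it.
    rows = []
    for k in range(n):
        scale = math.sqrt((1.0 if k == 0 else 2.0) / n)
        rows.append([scale * math.cos(math.pi * (2 * i + 1) * k / (2 * n))
                     for i in range(n)])
    return rows

def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b)))
             for j in range(len(b[0]))] for i in range(len(a))]

def transpose(a):
    return [list(col) for col in zip(*a)]

def orthonormality_error(d):
    # max |D D^T - I|; ~0 means the transform preserves energy exactly
    prod = matmul(d, transpose(d))
    return max(abs(prod[i][j] - (i == j)) for i in range(len(d)) for j in range(len(d)))

def deadzone(x, t):
    # Deadzone activation: |x| <= t becomes 0, larger values move toward 0 by t.
    # t is an assumed constant; the page gives no value for it.
    return x - t if x > t else x + t if x < -t else 0.0

def transformed_deadzone(img, t):
    # Transformed deadzone layer: D X D^T -> deadzone -> D^T C D
    d = dct_matrix(len(img))
    coeffs = matmul(matmul(d, img), transpose(d))
    kept = [[deadzone(c, t) for c in row] for row in coeffs]
    return matmul(matmul(transpose(d), kept), d)

def mse(a, b):
    n = len(a) * len(a[0])
    return sum((x - y) ** 2 for ra, rb in zip(a, b) for x, y in zip(ra, rb)) / n

def demo(n=8, eps=0.05, t=0.1, seed=7):
    # Constructed input: a smooth gradient as the clean image plus a random-sign
    # perturbation of L_inf size eps, the shape typical adversarial noise takes.
    # Returns the MSE to the clean image before and after the layer.
    rng = random.Random(seed)
    clean = [[j / (n - 1) for j in range(n)] for _ in range(n)]
    attacked = [[v + rng.choice((-eps, eps)) for v in row] for row in clean]
    restored = transformed_deadzone(attacked, t)
    return mse(clean, attacked), mse(clean, restored)
```

With t = 0 the layer is the identity, which is a useful sanity check: any residual error then comes only from floating-point rounding in the two matrix products.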
