Image Super-Resolution as a Defense Against Adversarial Attacks (1901.01677v2)

Abstract: Convolutional Neural Networks have achieved significant success across multiple computer vision tasks. However, they are vulnerable to carefully crafted, human-imperceptible adversarial noise patterns which constrain their deployment in critical security-sensitive systems. This paper proposes a computationally efficient image enhancement approach that provides a strong defense mechanism to effectively mitigate the effect of such adversarial perturbations. We show that deep image restoration networks learn mapping functions that can bring off-the-manifold adversarial samples onto the natural image manifold, thus restoring classification towards correct classes. A distinguishing feature of our approach is that, in addition to providing robustness against attacks, it simultaneously enhances image quality and retains models performance on clean images. Furthermore, the proposed method does not modify the classifier or requires a separate mechanism to detect adversarial images. The effectiveness of the scheme has been demonstrated through extensive experiments, where it has proven a strong defense in gray-box settings. The proposed scheme is simple and has the following advantages: (1) it does not require any model training or parameter optimization, (2) it complements other existing defense mechanisms, (3) it is agnostic to the attacked model and attack type and (4) it provides superior performance across all popular attack algorithms. Our codes are publicly available at https://github.com/aamir-mustafa/super-resolution-adversarial-defense.

Image Super-Resolution as a Defense Against Adversarial Attacks

The growing reliance on Convolutional Neural Networks (CNNs) in critical computer vision tasks has surfaced a significant vulnerability in the form of adversarial attacks. These attacks employ slight yet strategically computed perturbations to input images, which can lead CNN models to erroneous classifications. The paper "Image Super-Resolution as a Defense Against Adversarial Attacks" proposes a novel defense strategy based on image restoration via super-resolution, aiming to mitigate this vulnerability without compromising the performance on clean images.

Key Contributions

The paper establishes that deep image restoration networks, specifically through the super-resolution process, are capable of effectively mapping adversarial samples back to the natural image manifold. This process inherently enhances the image quality and simultaneously maintains the classifier's performance on clean images. The approach is noteworthy for its simplicity and robustness, offering several advantages:

1. Model and Attack Agnosticity: The method does not require modifications to the classifier and operates independently of the model architecture or the type of attack.
2. No Training Requirements: This defense mechanism does not necessitate any additional model training or parameter tuning.
3. Complementary Nature: It can augment existing defense strategies, providing an additional layer of security.
4. Computational Efficiency: The proposed scheme is computationally efficient, making it feasible for real-time application in security-sensitive systems.

Methodology

The research introduces a two-step image enhancement process to mitigate adversarial perturbations:

1. Wavelet Denoising: Initially, the adversarial image undergoes wavelet transformation to suppress high-frequency adversarial noise. This step employs soft-thresholding techniques such as BayesShrink to diligently process and retain essential image features while filtering out noise elements.
2. Image Super-Resolution (SR): Following denoising, the image is passed through a super-resolution model. This model, exemplified by the Enhanced Deep Super-Resolution (EDSR) network, employs residual learning to introduce additional high-frequency details. The super-resolution process selectively fortifies the pixel-level content in a manner that aligns the transformed images closer to the real image manifold, thus rectifying classification towards the correct labels.

Experimental Validation

Empirical analysis showcased the effectiveness of the proposed defense mechanism across various CNN architectures, including Inception v-3, ResNet-50, and Inception ResNet v-2, against several attack algorithms, such as FGSM, I-FGSM, DeepFool, and C&W attacks. Noteworthy findings include:

• A substantial recovery rate of correctly classified images post-defense application, demonstrating superiority over existing defenses such as JPEG compression and random resizing techniques.
• Minimal degradation in classification accuracy on clean images.
• Demonstrated resilience against state-of-the-art adversarial attacks, particularly in gray-box settings.

Implications and Future Research

The incorporation of super-resolution within a defense strategy addresses a critical need for robust, non-invasive countermeasures against adversarial perturbations. This defense mechanism's independence from specific model architectures positions it as a versatile tool for reinforcing security across diverse applications, including autonomous driving and medical diagnostics. The paper paves the way for future research into the integration of image restoration techniques with adaptive adversarial training, potentially enhancing the robustness of existing models under varying threat landscapes.

In conclusion, leveraging image super-resolution in defending against adversarial attacks presents an effective, computationally viable strategy that enhances the overall security framework of convolutional network-based systems, heralding a new avenue for exploration in adversarial machine learning.