Conference papers

Patch Replacement: A Transformation-based Method to Improve Robustness against Adversarial Attacks

Hanwei Zhang¹, Yannis Avrithis¹, Teddy Furon¹, Laurent Amsaleg¹
¹ LinkMedia - Creating and exploiting explicit links between multimedia fragments
Inria Rennes – Bretagne Atlantique, IRISA-D6 - MEDIA ET INTERACTIONS
Abstract: Deep Neural Networks (DNNs) are robust against intra-class variability of images, pose variations and random noise, but vulnerable to imperceptible adversarial perturbations that are crafted precisely to mislead. While random noise even of relatively large magnitude can hardly affect predictions, adversarial perturbations of very small magnitude can make a classifier fail completely. To enhance robustness, we introduce a new adversarial defense called patch replacement, which transforms both the input images and their intermediate features at early layers to make adversarial perturbations behave similarly to random noise. We decompose images/features into small patches and quantize them according to a codebook learned from legitimate training images. This maintains the semantic information of legitimate images, while removing as much as possible the effect of adversarial perturbations. Experiments show that patch replacement improves robustness against both white-box and gray-box attacks, compared with other transformation-based defenses. It has a low computational cost since it does not need training or fine-tuning the network. Importantly, in the white-box scenario, it increases the robustness, while other transformation-based defenses do not.
https://hal.archives-ouvertes.fr/hal-03363999
Contributor: Teddy Furon
Submitted on: Monday, October 4, 2021 - 3:22:52 PM
Last modification on: Saturday, August 6, 2022 - 3:33:00 AM
Long-term archiving on: Wednesday, January 5, 2022 - 6:29:13 PM

File

workshop.pdf
Files produced by the author(s)

Citation

Hanwei Zhang, Yannis Avrithis, Teddy Furon, Laurent Amsaleg. Patch Replacement: A Transformation-based Method to Improve Robustness against Adversarial Attacks. Trustworthy AI 2021 - 1st International Workshop on Trustworthy AI for Multimedia Computing, Oct 2021, Virtual, China. pp.1-10, ⟨10.1145/3475731.3484955⟩. ⟨hal-03363999⟩