Affiliation:
1. Department of Software Engineering, VNU University of Engineering and Technology, 144 Xuanthuy Street, Caugiay District, Hanoi, Vietnam
Abstract
Convolutional neural networks (CNNs) have been enormously successful in a variety of image recognition tasks. Robustness is an important metric to evaluate the quality of CNNs. However, recent research shows that CNNs are particularly vulnerable to adversarial attacks. This paper proposes an adversarial defense method, namely SCADefender, to increase the robustness of CNNs. The proposed method trains a reformer on adversarial examples and the training set of a target classifier. The architecture of the reformer is a stacked convolutional autoencoder. The adversarial examples are generated by using various adversarial attacks such as untargeted FGSM, untargeted CW [Formula: see text] and untargeted BIS. Given an input image, the trained reformer could remove the adversarial perturbations with a low computational cost. To demonstrate the effectiveness, the proposed method is compared with PuVAE, MagNet, and adversarial training on three well-known datasets including MNIST, Fashion-MNIST, and CIFAR-10. In terms of the average detection rate, the proposed method outperforms other methods. While the proposed method achieves an average detection rate of 97.78% for MNIST, 90.43% for Fashion-MNIST, and 80.64% for CIFAR-10, the comparable methods achieve only 23.69-86.18% for MNIST, 63.90-79.70% for Fashion-MNIST, and 25.55-77.36% for CIFAR-10.
Publisher
World Scientific Pub Co Pte Ltd
Subject
Artificial Intelligence,Computer Vision and Pattern Recognition,Software
Cited by
1 article.
1. Active Defense Detection Technology for Power System Network Attacks Based on Artificial Intelligence;2023 3rd International Conference on Mobile Networks and Wireless Communications (ICMNWC);2023-12-04