Skip to content

Latest commit

 

History

History
51 lines (40 loc) · 3.33 KB

README.md

File metadata and controls

51 lines (40 loc) · 3.33 KB
Raw

Enhancing Intrinsic Adversarial Robustness via Feature Pyramid Decoder

This repo contains the code and data of the following paper:

Enhancing Intrinsic Adversarial Robustness via Feature Pyramid Decoder, Guanlin Li, Shuya Ding, Jun Luo, Chang Liu, CVPR2020 [pdf]

Overview

We propose an attack-agnostic defence framework to enhance the intrinsic robustness of neural networks, without jeopardizing the ability of generalizing clean samples. Our Feature Pyramid Decoder (FPD) framework applies to all block-based convolutional neural networks (CNNs). It implants denoising and image restoration modules into a targeted CNN, and it also constraints the Lipschitz constant of the classification layer.

Training Strategy

Implementation details of two-phase training strategy utilizing self-supervised and multi-task learning: the enhanced CNN FPD, in which FPD_R refers to the image restoration module; FPD_FD stands for the front denoising module; FPD_BD stands for the back denoising module; FPD_LCC refers to the modified classification layer; x_noisy are the samples in the ε-neighbourhood of each image. The first phase training is optimized by L_2(x_clean,x_clean') loss. If L_2 loss >T, only the parameters of FPD_R and FPD_FD is updated. Once the L_2 loss reaches the T, the cross-entropy (CE) loss with L_2 loss jointly trains the enhanced CNN. Then, the second phase train the enhanced CNN further, jointly optimized by CE loss and L_2 loss.

Dataset

  • The MNIST and SVHN can be downloaded by torchvision.datasets
  • The CALTECH-101 and CALTECH-256 can be downloaded from here and here, respectively.

Prerequisites

Pre-trained Models

We upload all models we trained. You can download them freely from here.

Usage

  • early_stop.py: Early stop to avoid overfitting.
  • resnet.py: In every folder, we upload the enhanced network based on different backbone models.
  • train.py: Two-phase training strategy to train our enhanced models.
  • adv_train.py: To have better results, we introduce adversarial training after two-phase training.
  • models.py: For black-box attack, using as the attacking reference.
  • whitebox_and_black.py: Attack models via various methods on different datasets.

Citing

If you find it useful for your research, please consider citing the following reference paper:

@InProceedings{Li_2020_CVPR,
author = {Li, Guanlin and Ding, Shuya and Luo, Jun and Liu, Chang},
title = {Enhancing Intrinsic Adversarial Robustness via Feature Pyramid Decoder},
booktitle = {The IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR)},
month = {June},
year = {2020}
}