Deep neural networks recognize objects by analyzing local image details and summarizing their information along the inference layers to derive the final decision. Because of this, they are prone to adversarial attacks. Small sophisticated noise in the input images can accumulate along the network inference path and produce wrong decisions at the network output. On the other hand, human eyes recognize objects based on their global structure and semantic cues, instead of local image textures. Because of this, human eyes can still clearly recognize objects from images which have been heavily damaged by adversarial attacks. This leads to a very interesting approach for defending deep neural networks against adversarial attacks. In this work, we propose to develop a structure-preserving progressive low-rank image completion (SPLIC) method to remove unneeded texture details from the input images and shift the bias of deep neural networks towards global object structures and semantic cues. We formulate the problem into a low-rank matrix completion problem with progressively smoothed rank functions to avoid local minimums during the optimization process. Our experimental results demonstrate that the proposed method is able to successfully remove the insignificant local image details while preserving important global object structures. On black-box, gray-box, and white-box attacks, our method outperforms existing defense methods (by up to 12.6%) and significantly improves the adversarial robustness of the network.

中文翻译：

---

保卫渐进式低阶图像完成防御对抗攻击

深度神经网络通过分析局部图像细节并沿推理层汇总其信息来得出最终决策，从而识别出对象。因此，他们容易受到对抗攻击。输入图像中的少量复杂噪声会沿着网络推理路径累积，并在网络输出端产生错误的决策。另一方面，人眼根据对象的全局结构和语义提示而不是局部图像纹理来识别对象。因此，人眼仍然可以从图像中清楚地识别出物体，这些图像已受到对抗性攻击的严重破坏。这导致了一种非常有趣的方法来防御深度神经网络免受对抗性攻击。在这项工作中，我们建议开发一种保留结构的渐进低阶图像完成（SPLIC）方法，以从输入图像中删除不需要的纹理细节，并将深层神经网络的偏向转向全局对象结构和语义线索。我们将该问题公式化为具有逐步平滑的秩函数的低秩矩阵完成问题，以避免在优化过程中出现局部最小值。我们的实验结果表明，所提出的方法能够成功删除不重要的局部图像细节，同时保留重要的全局对象结构。在黑盒，灰盒和白盒攻击中，我们的方法优于现有防御方法（最多提高12.6％），并显着提高了网络的对抗性。