VectorDefense: Vectorization as a Defense to Adversarial Examples

Vishaal Munusamy Kabilan
Vishaal Munusamy Kabilan
Brandon Morris
Brandon Morris

arXiv: Computer Vision and Pattern Recognition, Volume abs/1804.08529, 2018.

Cited by: 1|Bibtex|Views4|Links
iterative fast gradient sign methodCarlini and Wagnerinterpretable elementmachine learningGenerative Adversarial NetworksMore(7+)
We evaluate VectorDefense as an input transformation layer to help a state-of-the-art Deep neural networks classifier trained on MNIST correctly classify adversarial examples created by 6 state-of-theart gradient-based attack methods: I-fast gradient sign method, Carlini and Wagn...


Training deep neural networks on images represented as grids of pixels has brought to light an interesting phenomenon known as adversarial examples. Inspired by how humans reconstruct abstract concepts, we attempt to codify the input bitmap image into a set of compact, interpretable elements to avoid being fooled by the adversarial struct...More



  • Deep neural networks (DNNs) have been shown to be extremely vulnerable to adversarial examples (AXs)—the inputs optimized to fool them [38, 27].
  • We show that VectorDefense is a viable input transformation defense to the problem of AXs. We validate our hypothesis on (1) classifiers trained on MNIST [20]; (2) across 6 state-of-the-art attack methods; and (3) under both white- and gray-box threat models (Sec. 4.2).
  • 2. We compare and show that VectorDefense performs competitively with state-of-the-art hand-designed input transformation methods including bit-depth reduction [42] and image quilting [12] (Sec. 4.2).
  • 4. We compare and contrast VectorDefense with Defense-GAN [32], a state-of-the-art input transformation method with a learned prior.
  • We directly compare VectorDefense with a state-of-the-art method called Defense-GAN [32], which harnesses a GAN [10] to purify AXs. Basically, the idea is similar to conditional iterative image generation techniques [25, 26, 44].
  • This work explores a novel, intuitive method that translates an input image into contours and other simple geometric shapes in an attempt to purify AXs. We view VectorDefense as a stepping stone towards decomposing images into compact, interpretable elements to solve the adversarial problem.
  • We evaluate VectorDefense as an input transformation layer to help a state-of-the-art DNN classifier trained on MNIST correctly classify AXs created by 6 state-of-theart gradient-based attack methods: I-FGSM, C&W L2, PGD, DeepFool, JSMA and C&W L0.
  • We compare VectorDefense against two hand-designed input transformation methods: image quilting [12], and bitdepth reduction [42] because of the following reasons.
  • For C&W L0 and JSMA attacks, VectorDefense substantially outperformed existing hand-designed transformation methods (Table 1h).
  • The despeckling process is hypothesized to help VectorDefense remove adversarial perturbations more explicitly and effectively than bit-depth reduction and quilting (Fig. 5).
  • C&W L0 Results Under budget-aware C&W L0 attack, VectorDefense performs to the existing handdesigned input transformations across increasing budget settings (Fig. 7b).
  • This makes it easier for all hand-designed methods to recover from, leading to (1) the increasing accuracy scores as the budget increases (Fig. 7b); and (2) similar performances across VectorDefense, bit-depth reduction and image quilting (Fig. 7b).
  • BPDA has access to a black-box input transformation method and uses it to approximate the gradient to compute AXs. We compare results of running BDPA to attack the target DNN with no defense vs with VectorDefense under the same experimental setup.
  • We present VectorDefense—a novel defense to AXs that transforms a bitmap input image into the space of vector (a) Budget-aware JSMA Attack (b) Budget-aware C&W L0 Attack graphics and back, prior to classification.
  • VectorDefense and other hand-designed input transformation methods underperformed Defense-GAN, a method with a strong, learned prior.
Your rating :