Squeeze And Reconstruct: Improved Practical Adversarial Defense Using Paired Image Compression And Reconstruction
Bo-Han Kung, Pin-Chun Chen, Yu-Cheng Liu, Jun-Cheng Chen
SPS
Length: 00:09:07
As shown in previous literature, non-robust features of an image, such as texture, are both the reason deep neural networks achieve outstanding classification performance and the source of adversarial examples. Image compression methods such as JPEG can effectively defend against diverse adversarial attacks by eliminating these non-robust features in the pre-processing stage, but they significantly sacrifice clean accuracy. To address this issue, we present a squeeze-and-reconstruct framework which first performs image compression and then image reconstruction to recover the details necessary for improved clean and robust accuracy. With extensive experiments on the challenging ImageNet dataset, the evaluation results demonstrate the effectiveness of the proposed method in defending against the Fast Gradient Sign Method and the powerful Projected Gradient Descent attacks in white-box scenarios. In addition, the proposed approach outperforms other common and off-the-shelf defense models in terms of both clean and robust accuracy.