Adversarial Example Defense Method Based on Spatial Transformer Networks
Neo Adversarial Examples Defense Method Through Spatial Transformer Networks
In recent years, deep neural networks (DNNs) have achieved high accuracy in image recognition tasks. However, they have been shown to be vulnerable to adversarial examples. This paper proposes a spatial transformation defense against adversarial examples. The method places a spatial transformer network (STN) in front of the classification model; the STN uses an attention mechanism to extract the region the classifier is interested in and maps it into another vector space. This spatial transformation preserves the basic structural information of the original image while mitigating the effect of adversarial perturbations. Experiments show that the proposed spatial transformation method defends effectively against both single-step and iterative attacks. Combining it with an adversarially trained model gives better resistance to single-step attacks, and combining it with the randomization defense gives better results in a fully white-box attack scenario.
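The abstract describes the mechanism only at the architecture level (an STN placed before the classifier, whose output is re-sampled from the input). As an added illustration, not code from the paper or its authors, the block below implements the two STN components that do the re-sampling, the affine grid generator and the bilinear sampler, in plain numpy and uses them as a front end. The localization network that would predict the affine parameters θ from the image is replaced by a fixed zoom-in θ (an assumption for the demo); the Gaussian "object" and the ±ε checkerboard perturbation are constructed inputs. The check it runs is a toy version of the intuition in the abstract: smooth image content is reproduced faithfully by the sampler, while a high-frequency perturbation is attenuated as soon as the sampling positions fall off the integer pixel grid.

```python
# Added illustration, not the paper's code: a numpy STN front end (grid generator
# + bilinear sampler) and a toy check of "structure kept, high-frequency noise damped".
import numpy as np


def affine_grid(theta, height, width):
    """STN grid generator: map every output pixel (in normalized [-1, 1] coords)
    to the source coordinate it samples from, using a 2x3 affine matrix theta."""
    ys, xs = np.meshgrid(np.linspace(-1, 1, height),
                         np.linspace(-1, 1, width), indexing="ij")
    base = np.stack([xs, ys, np.ones_like(xs)], axis=-1)   # (H, W, 3) homogeneous
    return base @ theta.T                                   # (H, W, 2) -> (x_s, y_s)


def grid_sample(img, grid):
    """STN sampler: bilinear interpolation of a single-channel image at the
    source coordinates in grid. Samples outside the image read as zero."""
    h, w = img.shape
    x = (grid[..., 0] + 1.0) * (w - 1) / 2.0               # back to pixel units
    y = (grid[..., 1] + 1.0) * (h - 1) / 2.0
    x0, y0 = np.floor(x).astype(int), np.floor(y).astype(int)
    fx, fy = x - x0, y - y0                                 # fractional offsets

    def tap(yy, xx):
        inside = (yy >= 0) & (yy < h) & (xx >= 0) & (xx < w)
        return np.where(inside, img[np.clip(yy, 0, h - 1), np.clip(xx, 0, w - 1)], 0.0)

    return (tap(y0, x0) * (1 - fx) * (1 - fy) + tap(y0, x0 + 1) * fx * (1 - fy)
            + tap(y0 + 1, x0) * (1 - fx) * fy + tap(y0 + 1, x0 + 1) * fx * fy)


def stn_front_end(img, theta):
    """What sits in front of the classifier: resample img through theta."""
    return grid_sample(img, affine_grid(theta, *img.shape))


def gaussian_blob(x, y, sigma=0.35):
    """Smooth 'object' used as constructed image content (normalized coords)."""
    return np.exp(-(x ** 2 + y ** 2) / (2 * sigma ** 2))


def run_check(scale, size=32, eps=8 / 255):
    """Return (structure_error, surviving_fraction) for a zoom-in by `scale`.

    structure_error: relative L2 gap between the resampled blob and the blob
        evaluated analytically at the sampled coordinates (how faithfully the
        sampler reproduces smooth content).
    surviving_fraction: ||T(x + d) - T(x)|| / ||d|| for a +-eps checkerboard d,
        i.e. how much of a high-frequency perturbation passes through T.
    """
    ys, xs = np.meshgrid(np.linspace(-1, 1, size),
                         np.linspace(-1, 1, size), indexing="ij")
    clean = gaussian_blob(xs, ys)
    ii, jj = np.indices((size, size))
    delta = eps * np.where((ii + jj) % 2 == 0, 1.0, -1.0)   # constructed perturbation
    # Assumption: a fixed zoom stands in for the theta a trained localization
    # network would predict for the region of interest.
    theta = np.array([[scale, 0.0, 0.0],
                      [0.0, scale, 0.0]])
    grid = affine_grid(theta, size, size)
    t_clean = stn_front_end(clean, theta)
    t_adv = stn_front_end(clean + delta, theta)
    ideal = gaussian_blob(grid[..., 0], grid[..., 1])
    structure_error = np.linalg.norm(t_clean - ideal) / np.linalg.norm(ideal)
    surviving = np.linalg.norm(t_adv - t_clean) / np.linalg.norm(delta)
    return float(structure_error), float(surviving)


if __name__ == "__main__":
    for s in (1.0, 0.8):
        err, surv = run_check(s)
        print(f"scale={s}: structure error {err:.4f}, perturbation surviving {surv:.2f}")
```

With the identity transform (scale 1.0) every sample lands exactly on a pixel, so the checkerboard passes through untouched; with the 0.8 zoom the samples fall between pixels, the smooth blob is still reproduced to well under one percent, and only roughly a third of the perturbation's energy survives on this grid. Two caveats a practitioner should keep in mind: this is a hand-built toy and says nothing about the paper's measured robustness, and an STN is differentiable by construction, so a fully white-box attacker can back-propagate through a deterministic front end just as through the classifier, which is consistent with the abstract's pairing of the method with a randomization defense for the white-box setting.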
Authors: 张冬梅, 李鹏博
Subject classification: Computing technology, computer technology
Keywords: Artificial Intelligence; Deep Learning; Adversarial Examples; Spatial Transformer Networks
Citation: 张冬梅, 李鹏博. 基于空间变换网络的对抗样本防御方法 [EB/OL]. (2022-03-24) [2025-08-21]. http://www.paper.edu.cn/releasepaper/content/202203-366