Robust feature learning for adversarial defense via hierarchical feature alignment

Deep neural networks have demonstrated excellent performance in most computer vision tasks in recent years. However, they are vulnerable to adversarial perturbations generated by adversarial attacks. These human-imperceptible perturbations often lead to severe distortion in the high-dimensional intermediate feature space, which is one of the major reasons for the vulnerabilities in deep neural networks. Therefore, input images with perturbations can completely change the predictions of the networks in the decision space. To overcome this drawback, we propose to progressively align the intermediate feature representations extracted from the adversarial domain with feature representations extracted from a clean domain through domain adaptation. The difference between two feature distributions can be accurately measured via an optimal transport-based Wasserstein distance. Thus, the deep networks are forced to learn robust and domain-invariant feature representations, so that the gap between the different domains is minimized and that the networks are no longer easily fooled by diverse adversaries. Extensive evaluations are conducted on four classification benchmark datasets in white-box attack scenarios. The evaluation results demonstrate a significant performance improvement over several state-of-the-art defense methods. (C) 2020 Elsevier Inc. All rights reserved.