Figure 1: The idea of high-level representation guided denoiser. The difference between the original image and adversarial image is tiny, but the difference is amplified in high-level representation (logits for example) of a CNN. We use the distance over high-level representations to guide the training of an image denoiser to suppress the influence of adversarial perturbation.
Figure 3: The detail of DUNET. The numbers inside each cube stand for width × height, and the number outside the cube stands for the number of channels. In all the C3 of the feedforward path, the stride of the first C is 2 × 2.
Figure 4: Three different training methods for HGD. The square boxes stand for data blobs, the circles and ovals stand for networks. D stands for denoiser. CNN is the model to be defended. The parameters of the CNN are shared and fixed.
のレイヤーを用いて特徴マップの差分を損失として用いるfeature guided denoiser (FGD)
のレイヤーを用いてモデルの分類結果の差分を損失として用いるlogits guided denoiser (LGD)
