Existing defenses against adversarial attacks are typically tailored to a specific perturbation type. Using adversarial training to defend against multiple types of perturbation requires expensive adversarial examples from different perturbation types at each training step. In contrast, manifold-based defense incorporates a generative network to project an input sample onto the clean data manifold. This approach eliminates the need to generate expensive adversarial examples while achieving robustness against multiple perturbation types. However, the success of this approach relies on whether the generative network can capture the complete clean data manifold, which remains an open problem for complex input domain. In this work, we devise an approximate manifold defense mechanism, called RBF-CNN, for image classification. Instead of capturing the complete data manifold, we use an RBF layer to learn the density of small image patches. RBF-CNN also utilizes a reconstruction layer that mitigates any minor adversarial perturbations. Further, incorporating our proposed reconstruction process for training improves the adversarial robustness of our RBF-CNN models. Experiment results on MNIST and CIFAR-10 datasets indicate that RBF-CNN offers robustness for multiple perturbations without the need for expensive adversarial training.

翻译：现有的对抗性攻击防御通常是针对特定的扰动类型而设计的。使用对抗性训练来防御多种类型的扰动性攻击,需要在每个培训步骤中从不同的扰动类型中提供昂贵的对抗性例子。相反,多重防御包含一个基因网络,将输入样本投射到清洁数据中。这种方法消除了产生昂贵的对抗性例子的需要,同时针对多重扰动类型实现强力。然而,这一方法的成功取决于基因网络能否捕捉完整的清洁数据元件,这仍然是复杂的输入领域的一个开放问题。在这项工作中,我们设计了一个大约的多式防御机制,称为RBF-CNN,用于图像分类。我们使用一个复式防御系统,而不是收集完整的数据元件,来学习小图象的密度。RBF-CNN还利用一个重建层来减轻任何轻微的对抗性攻击性攻击性攻击性攻击。此外,我们拟议的培训重建过程将改进我们的RBF-CN模型的对抗性可靠性。MNIST和CIFAR-10数据集的实验结果表明,RFFF-对抗性N在不需多次进行高价的训练的情况下,对多式CN进行可靠的训练。