Mammalian brains handle complex reasoning tasks in a gestalt manner by integrating information from regions of the brain that are specialised to individual sensory modalities. This allows for improved robustness and better generalisation ability. In contrast, deep neural networks are usually designed to process one particular information stream and susceptible to various types of adversarial perturbations. While many methods exist for detecting and defending against adversarial attacks, they do not generalise across a range of attacks and negatively affect performance on clean, unperturbed data. We developed a fusion model using a combination of background and foreground features extracted in parallel from Places-CNN and Imagenet-CNN. We tested the benefits of the fusion approach on preserving adversarial robustness for human perceivable (e.g., Gaussian blur) and network perceivable (e.g., gradient-based) attacks for CIFAR-10 and MS COCO data sets. For gradient based attacks, our results show that fusion allows for significant improvements in classification without decreasing performance on unperturbed data and without need to perform adversarial retraining. Our fused model revealed improvements for Gaussian blur type perturbations as well. The increase in performance from fusion approach depended on the variability of the image contexts; larger increases were seen for classes of images with larger differences in their contexts. We also demonstrate the effect of regularization to bias the classifier decision in the presence of a known adversary. We propose that this biologically inspired approach to integrate information across multiple modalities provides a new way to improve adversarial robustness that can be complementary to current state of the art approaches.

翻译：哺乳动物大脑通过整合来自大脑各个区域、专门针对单个感官模式的信息,以表面上的方式处理复杂的推理任务。这样可以提高稳健性和更好的概括性能力。相反,深神经网络的设计通常是为了处理某一特定信息流,容易发生各种对抗性扰动。虽然有许多方法可以探测和防范对抗性攻击,但它们没有在一系列攻击中进行概括化,对清洁、不受扰动的数据的性能产生了负面影响。我们开发了一个混合模型,结合了来自Place-CNN和图像网-CNN的平行背景和前景特征。我们测试了聚合方法在维护对准性(例如高斯语模糊)的对抗性动态强力方面的好处,并且容易受到各种对抗性干扰性干扰。对于基于梯度的攻击,我们的结果表明,我们所知道的对准性方法可以大大改进,而不会降低对不透度数据的性能和不需进行对抗性再培训。我们精细的组合式补充性方法在更大层次上展示了业绩的改进,在更深层次上也能够显示其稳定性的变异性。