Wenxing Liao;Zhuxian Liu;Minghuang Shen;Riqing Chen;Xiaolong Liu
Title: APR-Net: Defense Against Adversarial Examples Based on Universal Adversarial Perturbation Removal Network
Journal: IEEE Transactions on Artificial Intelligence, vol. 6, no. 4, pp. 945-954
Publication date: 2024-11-22
Publication type: Journal Article
DOI: 10.1109/TAI.2024.3504478
URL: https://ieeexplore.ieee.org/document/10765144/
Citation count: 0
Abstract
Adversarial attack, a bleeding-edge technique that attempts to fool deep learning classification models by generating adversarial examples with imperceptible perturbations, is becoming a growing threat in artificial intelligence fields. Preprocessing models that remove perturbations are an effective approach for enhancing the robustness of classification models. However, most existing methods overlook a critical issue: although powerful preprocessing operations can remove adversarial perturbations, they may also weaken the representation of key features in the image, leading to decreased defense performance. To address this, we propose a novel universal defense model, APR-Net, which aims to remove adversarial perturbations while effectively preserving high-quality images. The key innovation of APR-Net lies in its dual-module design, which consists of a denoising module and an image restoration module. This design not only effectively eliminates imperceptible adversarial perturbations but also ensures the restoration of high-quality images. Unlike existing methods, APR-Net does not require modifications to the classifier architecture or specialized adversarial training, making it highly versatile. Extensive experiments on the ImageNet dataset demonstrate that APR-Net provides strong defense against various adversarial attack algorithms, significantly improves image quality, and outperforms other state-of-the-art defense methods in terms of overall performance.