
Adversarial purification using random encoding networks

  • Harbin Institute of Technology

Research output: Contribution to journal › Article › peer-review

Abstract

Deep neural networks (DNNs) are vulnerable to adversarial examples, which deceive models with high confidence and pose serious threats in security-critical domains. Adversarial defense methods have been studied extensively to counter such attacks. Adversarial purification, a major defense strategy, attempts to recover the clean counterparts of adversarial examples by filtering out the perturbations. However, many purification defenses struggle against white-box attacks, in which both the target model and the defense are known to the attacker. Additionally, training against specific attacks can compromise a model's ability to handle unknown attacks, and purification operations may destroy key features of the input. In this paper, we propose the random encoding network (REN), which consists of a random encoding denoiser and a diverse classifier, to enhance the robustness of adversarial purification defenses. The internal part of the denoiser leverages adversarial sparse coding to purify examples, filtering out perturbations and noise as far as possible while preserving the critical features of the input. The external part of the denoiser employs a dynamic random mechanism to implement random encoding, thereby increasing the model's uncertainty. Moreover, the classifier is subject to a diversity constraint that promotes variation among its random sub-models. Experimental results demonstrate that REN generalizes well as a defense, countering adversarial examples across diverse attack types and settings. On CIFAR-10 and SVHN, the clean-trained REN achieves average adversarial accuracies of 63.26% and 59.78% against white-box attacks, while the adversarially trained REN achieves 68.27% and 72.39%, respectively. Under unknown attack scenarios, REN is more effective than state-of-the-art defense methods.
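The abstract names two ingredients, sparse-coding purification and a randomised encoding step, without giving the paper's construction. The following is an added, self-contained illustration of that idea and is not the paper's REN code. Everything in it is an assumption chosen so it runs offline: the dictionary is a 256-atom Walsh-Hadamard basis, the "classifier" is a fragile linear model with a dense random weight vector, the adversarial example is a one-step gradient-sign perturbation with an L-infinity budget, and the randomised element is a per-call threshold draw standing in for the abstract's dynamic random mechanism. The signal, classifier and perturbation are constructed inline.

```python
import random

# Constructed, offline stand-in for the setting in the abstract. None of this
# reproduces the paper's REN; dictionary, classifier, attack and parameters
# are assumptions made for the illustration.

N = 256          # signal dimension (think of a 16x16 image, flattened)
K = 6            # number of active atoms in the clean signal
EPS = 0.05       # L-inf budget of the perturbation
RNG = random.Random(7)


def hadamard(n):
    """Sylvester construction of the n x n Walsh-Hadamard matrix scaled by
    1/sqrt(n), so its rows are orthonormal (n must be a power of two).
    The rows are used as dictionary atoms."""
    h = [[1]]
    while len(h) < n:
        h = [row + row for row in h] + [row + [-v for v in row] for row in h]
    s = n ** -0.5
    return [[v * s for v in row] for row in h]


D = hadamard(N)  # D[j] is atom j


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def encode(x):
    """Analysis: coefficient z_j = <d_j, x> for every atom."""
    return [dot(atom, x) for atom in D]


def decode(z):
    """Synthesis: x = sum_j z_j d_j (zero coefficients are skipped)."""
    x = [0.0] * N
    for zj, atom in zip(z, D):
        if zj:
            for i in range(N):
                x[i] += zj * atom[i]
    return x


def soft_threshold(v, t):
    # Closed-form L1-penalised sparse code in an orthonormal dictionary.
    return 0.0 if abs(v) <= t else (v - t if v > 0 else v + t)


def purify(x, t_min=6 * EPS, t_max=9 * EPS):
    """Sparse-coding purifier. The L1 sparse code selects the atoms; the
    retained atoms are then re-fitted by least squares (debiasing), which in
    an orthonormal dictionary is simply the unshrunk coefficient. The
    threshold is drawn per call: an assumed stand-in for randomised encoding,
    not the paper's mechanism."""
    t = RNG.uniform(t_min, t_max)
    z = encode(x)
    z_l1 = [soft_threshold(v, t) for v in z]
    kept = [j for j, v in enumerate(z_l1) if v != 0.0]
    kept_set = set(kept)
    z_hat = [z[j] if j in kept_set else 0.0 for j in range(N)]
    return decode(z_hat), kept


# Fragile linear classifier with a dense, unstructured weight vector
# (constructed): class +1 when W.x >= 0. Its gradient is spread over all
# pixels, so its gradient-sign perturbation is noise-like in the dictionary.
W = [RNG.choice((-1.0, 1.0)) for _ in range(N)]
C = [dot(W, atom) for atom in D]   # classifier response of each atom


def predict(x):
    return 1 if dot(W, x) >= 0 else -1


def make_clean_example(support):
    """Class-+1 signal: +-1 on K atoms, each signed to score positively."""
    z = [0.0] * N
    for j in support:
        z[j] = 1.0 if C[j] >= 0 else -1.0
    return decode(z)


def fgsm(x, eps=EPS):
    """One-step gradient-sign attack on the linear model for label +1: the
    score gradient is W, so step by -eps * sign(W) in every pixel."""
    return [xi - eps * (1.0 if wi > 0 else -1.0) for xi, wi in zip(x, W)]


def l2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5


def run_demo():
    support = sorted(RNG.sample(range(N), K))
    x = make_clean_example(support)
    x_adv = fgsm(x)
    x_pur, kept = purify(x_adv)
    return {
        "support": support,
        "kept": kept,
        "clean_pred": predict(x),
        "adv_pred": predict(x_adv),
        "purified_pred": predict(x_pur),
        "adv_err": l2(x_adv, x),
        "purified_err": l2(x_pur, x),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The perturbation flips the linear model because its score gradient is dense, yet its energy is spread thinly over all 256 atoms, so thresholding removes almost all of it while the six signal atoms survive and the prediction is restored. The same code also shows the abstract's caveat: a perturbation that concentrates on the signal's own atoms (for instance one aimed at a classifier operating in the sparse domain) passes through unchanged, and a white-box attacker can average gradients over the random threshold draws, which is why the abstract's white-box accuracy figures, not the randomisation itself, are the relevant measure.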

Original language: English
Article number: 113604
Journal: Applied Soft Computing
Volume: 183
DOIs
State: Published - Nov 2025
Externally published: Yes

Keywords

  • Adversarial defense
  • Adversarial example
  • Adversarial purification
  • Adversarial robustness
  • Random encoding
