A one-pixel attack applies maliciously crafted, imperceptible perturbations to just one or a few pixels in an image and can mislead a target deep learning classification model. Defending against this type of attack is a relatively unexplored development in adversarial defence. In this paper, we propose a Patch Selection Denoiser (PSD) approach that removes the few potential attacking pixels in local patches without changing many pixels in the whole image. It requires no clean training data: it first adds random impulse noise to a few images to produce a large number of noisy images, which serve as inputs and targets for a deep residual network. Next, we obtain a denoising model based on the Noise2Noise framework. Finally, we design a patch selection algorithm that scans the denoised image with a patch window and compares each patch with the corresponding part of the test image. Only a patch in which the number of pixels with a significant absolute difference exceeds a threshold is detected as a local part containing potential attacking pixels, and that patch is then replaced by the corresponding part of the denoised image. Evaluating our approach on the public image dataset CIFAR-10 demonstrates that it can successfully defend against one-, three-, five-pixel and JSMA attacks 98.6%, 98.0%, 97.8% and 98.9% of the time, respectively. Meanwhile, it has almost no side effects on clean images that are not subject to one-pixel attacks. The state-of-the-art high defence accuracy proves the effectiveness of our approach.
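The patch selection step described in the abstract can be sketched as follows. This is an added example, not the authors' code: it handles grayscale images only, a 3x3 median filter stands in for the trained Noise2Noise denoiser, and the non-overlapping 4x4 window, the thresholds and the sample image are assumptions.

```python
from statistics import median

def median3(img):
    """3x3 median filter with edge replication (stand-in for the trained denoiser)."""
    h, w = len(img), len(img[0])
    clamp = lambda v, hi: max(0, min(v, hi - 1))
    return [[median(img[clamp(r + dr, h)][clamp(c + dc, w)]
                    for dr in (-1, 0, 1) for dc in (-1, 0, 1))
             for c in range(w)] for r in range(h)]

def patch_select(test, denoised, patch=4, diff_thresh=60, count_thresh=0):
    """Replace only the patches where the test image and the denoised image disagree.

    A pixel is 'significant' if its absolute difference exceeds diff_thresh; a patch
    is replaced if its count of significant pixels exceeds count_thresh.
    All three parameter values are assumed, not taken from the paper.
    """
    h, w = len(test), len(test[0])
    out = [row[:] for row in test]          # untouched patches keep the test pixels
    replaced = []
    for top in range(0, h, patch):
        for left in range(0, w, patch):
            cells = [(r, c) for r in range(top, min(top + patch, h))
                            for c in range(left, min(left + patch, w))]
            significant = sum(abs(test[r][c] - denoised[r][c]) > diff_thresh
                              for r, c in cells)
            if significant > count_thresh:
                for r, c in cells:
                    out[r][c] = denoised[r][c]
                replaced.append((top, left))
    return out, replaced

def demo():
    # Constructed 8x8 gradient image with one perturbed pixel at (5, 2).
    clean = [[10 * r + 5 * c for c in range(8)] for r in range(8)]
    attacked = [row[:] for row in clean]
    attacked[5][2] = 255
    return clean, attacked, patch_select(attacked, median3(attacked))

if __name__ == "__main__":
    clean, attacked, (restored, replaced) = demo()
    print("replaced patches:", replaced, "restored pixel:", restored[5][2])
```

On the constructed input only the patch holding the perturbed pixel is swapped for denoised content, while a clean image passes through unchanged, which is the property the abstract claims for clean inputs.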
CITATION STYLE
Chen, D., Xu, R., & Han, B. (2019). Patch Selection Denoiser: An Effective Approach Defending Against One-Pixel Attacks. In Communications in Computer and Information Science (Vol. 1143 CCIS, pp. 286–296). Springer. https://doi.org/10.1007/978-3-030-36802-9_31