SFM-Defence: Filtering Adversarial Perturbation by Sparse Feature Masker

Among the researches on the security problem of adversarial examples, it is an important way to prevent adversarial examples by inhibiting the impact of adversarial perturbation. However, those existing defense methods based on image pre-processing or image reconstruction cannot achieve a satisfactory balance in terms of time complexity and defense effect. In order to solve this problem, we first qualitatively analyze the rea-sons why the defense methods based on succinct image pre-processing cannot achieve good performance. On this basis, an adversarial examples defense method based on non-robust feature inhibition combined with traditional image pre-processing methods is proposed in this paper, which is called SFM-Defense. It can eliminate redundant semantic information by training a sparse feature masker, so as to compress the features that can be used for attacks. The experimental results on CIFAR10, SVHN and Tiny-ImageNet show that the proposed method can achieve competitive defense performance with the existing SOTA method on the black box threat model, which can surpass the existing methods.