Anchor-guided feature refinement for adversarial robustness and out-of-distribution detection

Deep neural networks (DNNs) currently perform well in computer vision. Because applications built on DNNs are used by a broad spectrum of users in real-world settings, the variety of input data is also extensive. However, recent research has shown that DNNs are highly vulnerable to certain types of input data. An adversarial attack is one such type of input: it makes imperceptible changes to the input data that cause the DNN to malfunction, producing results that differ significantly from human perception. A malicious attacker can easily provoke DNNs into producing incorrect outcomes, compromising the reliability of the application. In another case, out-of-distribution (OOD) inputs occur when DNNs receive inputs that do not follow the same probability distribution as the training data. While DNNs should ideally express uncertainty when faced with unsuitable input data (OOD), in practice they often produce incorrect results with a high level of confidence. These types of inputs therefore contribute to the unreliability of DNNs, limiting their application in real-world environments. In this work, we propose frameworks to achieve robustness against adversarial attacks and OOD data through anchor-guided feature refinement. First, for adversarial attacks, the proposed anchors help adversarial training to separate normal and adversarial examples and acquire appropriate statistical characteristics for each. Even if an adversarial user attacks the DNNs, the anchor guides correct statistical processing to refine the features of adversarial examples and achieve high performance. Second, the anchor provides a threshold for distinguishing OOD inputs. With the help of visual prompts, the anchor serves as a reference point to refine pre-trained model features for effective OOD detection. At inference time, the anchor is transformed into OOD scores, which are then used to establish thresholds for OOD detection.
The effectiveness of the proposed method is validated through performance comparisons with state-of-the-art methods, and extensive qualitative and quantitative experiments were also conducted.
Advisors
노용만
Description
Korea Advanced Institute of Science and Technology (KAIST): School of Electrical Engineering
Publisher
Korea Advanced Institute of Science and Technology (KAIST)
Issue Date
2024
Identifier
325007
Language
eng
Description

Thesis (Ph.D.) - Korea Advanced Institute of Science and Technology (KAIST): School of Electrical Engineering, 2024.2, [vi, 57 p.]

Keywords

Adversarial robustness; Out-of-distribution detection; Anchor; Feature refinement; Adversarial training; Visual prompt

URI
http://hdl.handle.net/10203/322140
Link
http://library.kaist.ac.kr/search/detail/view.do?bibCtrlNo=1100040&flag=dissertation
Appears in Collection
EE-Theses_Ph.D. (Doctoral theses)
Files in This Item
There are no files associated with this item.
