Joint contrastive learning and frequency domain defense against adversarial examples

Deep neural networks (DNNs) are vulnerable to being attacked by adversarial examples, leading to DNN misclassification. Perturbations in adversarial examples usually exist in the form of noise. In this paper, we proposed a lightweight joint contrastive learning and frequency domain denoising network (CFNet), which can effectively remove adversarial perturbations from adversarial examples. First, CFNet separates the channels of the features obtained by the multilayer convolution of the adversarial examples, and the separated feature maps are used to calculate the similarity with the high- and low-frequency feature maps obtained by Gaussian low-pass filtering of the clean examples. Second, by adjusting the network's attention to high-frequency feature images, CFNet can effectively remove the perturbations in adversarial examples and obtain reconstructed examples with high visual quality. Finally, to further improve the robustness of CFNet, contrastive regularization is proposed to bring the reconstructed examples back to the manifold decision boundary of clean examples, thus improving the classification accuracy of reconstructed examples. On the CIFAR-10 dataset, compared with the existing state-of-the-art defense model, the defense accuracy of CFNet is improved by 16.93% and 5.67% under untargeted and targeted projected gradient descent attacks, respectively. The AutoAttack untargeted attack defense accuracy increased by 30.81%. Experiments show that our approach provides better protection than existing state-of-the-art approaches, especially against unseen (untrained) types of attacks and adaptive attacks.