An effective deep learning adversarial defense method based on spatial structural constraints in embedding space.

Deep neural networks are highly vulnerable to adversarial samples. Most existing adversarial defense methods do not consider the distribution of adversarial samples. We argue that very few adversarial samples in the natural sample set prevent the deep neural networks from learning a complete and effective representation of the adversarial samples. This causes the spatial structures between the natural and the adversarial samples to be vastly different from that of the input space, thus making the models vulnerable to adversarial attacks. Based on this viewpoint, this paper proposes an effective deep-learning adversarial defense method, which incorporates information about the spatial structures of the natural and the adversarial samples in the embedding space during the training process. This proposed approach improves the deep learning model's generalization to new adversarial samples and achieves the purpose of defending against adversarial attacks. Four deep neural networks with different scales are used and experimentally verified on four typical publicly available image data. The experimental results show that our method effectively improves the defense ability of deep learning models against adversarial attacks. • Development of an effective adversarial training method using spatial structure constraints in embedding space. • Spatial structure information of the natural and adversarial samples can help improve the adversarial robustness of DNNs. • The spatial structure constrain can be extended to adversarial training of semi-supervised and unsupervised learning. [ABSTRACT FROM AUTHOR]