Dual-Domain-Based Adversarial Defense With Conditional VAE and Bayesian Network

Authors: Guohao Peng, Danwei Wang, Jinlin Zhu
Source: IEEE Transactions on Industrial Informatics, 17:596-605
Publication Year: 2021
Publisher: Institute of Electrical and Electronics Engineers (IEEE), 2021.

Abstract

Adversarial examples can be imperceptible to human eyes yet easily fool deep models. This intriguing property raises security concerns for real-world industrial deep learning systems. To combat such malicious attacks, a novel defense strategy is proposed based on the conditional variational autoencoder (CVAE) and the Bayesian network (BN). The main contribution is a systematic dual-domain-based defense framework covering three modules: detection, diagnosis, and recovery. Specifically, the CVAE is first introduced to generate the latent and residual domains. Subsequently, a composite, hierarchical BN detector is proposed to detect adversaries through feature validation and output justification. A diagnosis strategy is then constructed for the residual domain, so that different attacks can be evaluated within the unified framework. Finally, a two-step recovery mechanism built on the CVAE effectively restores both the feature representations and the network predictions under various adversaries. The feasibility of the entire defense scheme is extensively demonstrated on three real-world recognition problems.

Details

ISSN: 1941-0050 and 1551-3203
Volume: 17
Database: OpenAIRE
Journal: IEEE Transactions on Industrial Informatics
Accession number: edsair.doi...........d60d7c53402506560ae68aa0bb93b2fc
Full Text: https://doi.org/10.1109/tii.2020.2964154