MoNet: Impressionism As A Defense Against Adversarial Examples

While image classifiers based on Convolutional Neural Networks (CNN) are extremely successful, they often suffer from adversarial examples. To address this problem, we explore the combination of using secret randomness and Floyd-Steinberg dithering. More specifically, each CNN is trained with a secret, random key. Input images are first processed using Floyd-Steinberg dithering to reduce the color depth, and then each pixel is encrypted using the AES block cipher. Processed images are then fed into a standard CNN. We call our approach MoNet, because the processed images are reminiscent of impressionistic paintings. Classifiers trained with MoNet showed significant improvements in model stability and robustness against adversarial inputs. MoNet significantly improves the resilience against transferability of adversarial examples, at the cost of a small drop in prediction accuracy.