Regularization Meets Enhanced Multi-Stage Fusion Features: Making CNN More Robust against White-Box Adversarial Attacks

Abstract

Regularization has become an important method in adversarial defense. However, the existing regularization-based defense methods do not discuss which features in convolutional neural networks (CNN) are more suitable for regularization. Thus, in this paper, we propose a multi-stage feature fusion network with a feature regularization operation, which is called Enhanced Multi-Stage Feature Fusion Network (EMSF²Net). EMSF²Net mainly combines three parts: multi-stage feature enhancement (MSFE), multi-stage feature fusion (MSF²), and regularization. Specifically, MSFE aims to obtain enhanced and expressive features in each stage by multiplying the features of each channel; MSF² aims to fuse the enhanced features of different stages to further enrich the information of the feature, and the regularization part can regularize the fused and original features during the training process. EMSF²Net has proved that if the regularization term of the enhanced multi-stage feature is added, the adversarial robustness of CNN will be significantly improved. The experimental results on extensive white-box attacks on the CIFAR-10 dataset illustrate the robustness and effectiveness of the proposed method.

1. Introduction

Since deep learning technologies represented by a convolutional neural network (CNN) were proposed, the field of computer vision (e.g., image classification, object detection, and image retrieval) has developed rapidly. However, as the application range of CNNs broadens, its safety and robustness have significantly attracted the attention of academia and industry. CNNs highly depend on data, i.e., CNNs are fragile to some extent since the complexity of the data will directly affect the classification accuracy of the CNN. In 2014, Szegedy et al. [1] pointed out that if someone adds a perturbation to the original image that is sufficiently small that the human eyes cannot distinguish it, the accuracy of CNN will decrease significantly. An image added by these perturbations is called an adversarial example.

The concept of adversarial examples has attracted significant attention from related researchers since the existing CNN architectures may have huge loopholes. Furthermore, the existence of adversarial examples is a serious threat to the application of CNNs in fields of security and privacy [2]. Regarding the reasons for the existence of adversarial examples, the researchers are still in the preliminary stage of exploration, and they have discussed some possible explanations so far. Among these reasons, the idea proposed by IIyas et al. [3] is relatively novel. They considered that the adversarial examples result from sensitive features learned by the CNN. In other words, the CNN provides unrobust features.

Many excellent methods have emerged for adversarial defense, and these methods are mainly divided into four categories. The first is adversarial training [4,5,6,7,8,9]. These methods, where some subtle perturbations are added to the input data during the training process, can force CNN to adapt to these perturbations to improve the adversarial robustness. The second is to process the input data, and these methods are designed to compress [10,11], denoise [12,13,14,15], and transform [16,17,18,19] the input data to remove the adversarial noise. With the popularity of the knowledge distillation [20], some related researchers have introduced this technology into adversarial defense [21,22,23], achieving good defense effects. The latest ones are the regularization-based methods [24,25,26,27,28]. These methods help CNNs avoid overfitting and prevent the model from being too sensitive to small perturbations in the input data.

Among these methods, the regularization-based adversarial defense methods are becoming more important because of their effectiveness and low computational cost. However, there are several features in CNNs. These existing regularization-based methods do not discuss in depth what type of features are more suitable for regularization to further improve the adversarial robustness of CNNs.

In this paper, we propose a new CNN architecture called Enhanced Multi-Stage Features Fusion (EMSF²Net). EMSF²Net consists of three core operations: multi-stage features enhancement (MSFE), multi-stage features fusion (MSF²), and regularization. For the MSFE part inspired by SENet [29], we first perform the global average pooling (GAP) operation on the features of each stage to obtain the channel-level global features. Then, we multiply the channel-level global features with the original features to obtain the enhanced features. In the MSF² part, we first flatten the enhanced multi-stage features directly into one-dimensional features. Then, we directly perform the concatenation operation on them. Although this operation is simple, it is very effective, since MSF² can keep the global information on each channel learned by MSFE. Finally, we perform the regularization operation on the obtained fusion and original multi-stage features in the training process. Specifically, we use a regularization loss function as the regularization operation of EMSF²Net. The proposed EMSF²Net confirms that adding the regularization term of the enhanced multi-stage fusion feature can significantly improve the adversarial robustness of CNN. It also shows that the enhanced multi-stage fusion feature is more suitable for regularization. Furthermore, compared with existing global information-based adversarial defense approaches, we introduce the regularization technique into the fused global features and demonstrate that the regularized fused global features can further improve the adversarial robustness of CNN.

The contributions of this study are summarized as follows:

• We propose a new network, EMSF²Net. The enhanced multi-stage fusion feature in EMSF²Net can represent and keep the global information of each channel well.
• We show that regularizing the enhanced multi-stage fusion feature can significantly improve the adversarial robustness of a CNN.
• The extensive experimental results on white-box attacks with different settings show the effectiveness and robustness of the proposed approach.

2. The Proposed Method

Figure 1 and

Table 1. Architecture details of the baseline in our method. Among them, ${\mathcal{L}}_{PC}$ represents the loss of the regularization method proposed by Mustafa et al. [26], and ${\mathcal{L}}_{CE}$ represents the common cross-entropy loss.

Layer	ResNet50
STAGE 0	$\mathrm{Conv}(64,3\times 3),\mathrm{BN},\mathrm{ReLU}$
STAGE 1	$\left[\begin{array}{c}\mathrm{Conv}(64,1\times 1),\mathrm{BN},\mathrm{ReLU}\\ \mathrm{Conv}(64,3\times 3),\mathrm{BN},\mathrm{ReLU}\\ \mathrm{Conv}(256,1\times 1),\mathrm{BN}\\ \mathrm{shortcut},\mathrm{ReLU}\end{array}\right]$$\times 3$
STAGE 2	$\left[\begin{array}{c}\mathrm{Conv}(128,1\times 1),\mathrm{BN},\mathrm{ReLU}\\ \mathrm{Conv}(128,3\times 3),\mathrm{BN},\mathrm{ReLU}\\ \mathrm{Conv}(512,1\times 1),\mathrm{BN}\\ \mathrm{shortcut},\mathrm{ReLU}\end{array}\right]$$\times 4$ $\mathrm{Max}\mathrm{pooling}$$\to {\mathcal{L}}_{PC}$
STAGE 3	$\left[\begin{array}{c}\mathrm{Conv}(256,1\times 1),\mathrm{BN},\mathrm{ReLU}\\ \mathrm{Conv}(256,3\times 3),\mathrm{BN},\mathrm{ReLU}\\ \mathrm{Conv}(1024,1\times 1),\mathrm{BN}\\ \mathrm{shortcut},\mathrm{ReLU}\end{array}\right]$$\times 6$ $\mathrm{Max}\mathrm{pooling}$$\to {\mathcal{L}}_{PC}$
STAGE 4	$\left[\begin{array}{c}\mathrm{Conv}(512,1\times 1),\mathrm{BN},\mathrm{ReLU}\\ \mathrm{Conv}(512,3\times 3),\mathrm{BN},\mathrm{ReLU}\\ \mathrm{Conv}(2048,1\times 1),\mathrm{BN}\\ \mathrm{shortcut},\mathrm{ReLU}\end{array}\right]$$\times 3$
5	$\mathrm{Average}\mathrm{pooling}$$\to {\mathcal{L}}_{PC}$
6	$\mathrm{FC}\left(4096\right)$$\to {\mathcal{L}}_{PC}$
7	$\mathrm{FC}\left(10\right)$$\to {\mathcal{L}}_{CE}$

show the architecture of the proposed EMSF²Net and the baseline, respectively. As shown in Figure 1, we use the outputs of STAGES 2–4, whose details are presented in Table 1, of the standard ResNet50 [30] as multi-stage features. The proposed EMSF²Net consists of three core parts: MSFE, MSF², and regularization. We will explain these three parts in detail in the following subsections.

2.1. Multi-Stage Features Enhancement (MSFE)

In this subsection, we explain MSFE, and the details of this part are shown in the FE Block in Figure 1. Suppose the output feature after the Conv Block in STAGE m (m = 2, 3, 4) is ${\mathit{U}}_m=\left[{\mathit{u}}_m^1,{\mathit{u}}_m^2,\cdots ,{\mathit{u}}_m^{C_m}\right]\in {\mathbb{R}}^{H_m\times W_m\times C_m}$ represented by Feature m (m = 2, 3, 4) in Figure 1. $H_m$, $W_m$, and $C_m$ represent the height, width, and the number of channels of Feature m, respectively. Furthermore, ${\mathit{u}}_m^l$ ($l=1,\cdots ,C_m$) represents the sub-feature of feature ${\mathit{U}}_m$ on channel l.

As shown in Figure 1, we first perform the GAP operation on the input feature ${\mathit{U}}_m$ to obtain the channel-level global feature ${\mathit{Z}}_m=[z_m^1,z_m^2,\cdots ,z_m^{C_m}]\in {\mathbb{R}}^{1\times 1\times C_m}$. The operation expression on channel l ($l=1,\cdots ,C_m$) is shown as follows:

$$\begin{array}{cc}\hfill z_m^l& =GAP\left({\mathit{u}}_m^l\right)\hfill \\ \hfill & =\frac{1}{H_m\times W_m}\sum _{i=1}^{H_m}\sum _{j=1}^{W_m}{\mathit{u}}_m^l(i,j).\hfill \end{array}$$

(1)

Next, we multiply the obtained channel-level global feature ${\mathit{Z}}_m$ with the original input feature ${\mathit{U}}_m$ as the feature enhancement operation. The enhanced feature is represented by ${\mathit{U}}_m^{\prime }=\left[{\mathit{u}}_m^{\prime 1},{\mathit{u}}_m^{\prime 2},\cdots ,{\mathit{u}}_m^{\prime C_m}\right]\in {\mathbb{R}}^{H_m\times W_m\times C_m}$. The operation expression on channel l ($l=1,\cdots ,C_m$) is shown as follows:

$$\begin{array}{c}\hfill {\mathit{u}}_m^{\prime l}=z_m^l·{\mathit{u}}_m^l.\end{array}$$

(2)

The original feature can produce feature weights with a global receptive field after the GAP. If the feature weights and original feature are fused by channels, each channel of the original feature will learn global information, thus enriching the original feature and making the feature more expensive to realize. Finally, we put ${\mathit{U}}_m^{\prime }$ into the Conv Block to obtain the final enhanced feature ${\tilde{\mathit{U}}}_m\in {\mathbb{R}}^{H_m\times W_m\times C_m}$, as shown in Figure 1.

2.2. Multi-Stage Features Fusion (MSF²)

After obtaining the enhanced feature ${\tilde{\mathit{U}}}_m\in {\mathbb{R}}^{H_m\times W_m\times C_m}$ ($m=2,3,4$) of each stage, we perform the fusion operation on these features. First, we flatten each feature ${\tilde{\mathit{U}}}_m$ into a vector ${\mathit{v}}_m$ as follows:

$$\begin{array}{c}\hfill {\mathit{v}}_m=F\left(AvgP\left({\tilde{\mathit{U}}}_m\right)\right)\in {\mathbb{R}}^{C_m}.\end{array}$$

(3)

As shown in the above equation, we first use average pooling ($AvgP$) to map ${\tilde{\mathit{U}}}_m$ to the $1\times 1\times C_m$ dimension and perform a flattening operation (F) to map it to the $C_m$ dimension. Then, we fuse the flattened vectors of each stage, and its operations are shown as follows:

$$\begin{array}{c}\hfill \tilde{\mathit{v}}=FC\left(\left[{\mathit{v}}_2,{\mathit{v}}_3,{\mathit{v}}_4\right]\right)\in {\mathbb{R}}^{C^{\prime }}.\end{array}$$

(4)

As shown in the above equation, we first concatenate all ${\mathit{v}}_m$ into a new vector and use a fully connected layer ($FC$) to map it to the $C^{\prime }$ dimension.

Although this fusion method looks simple, it can keep the channel-wise global information learned after the FE Block at each stage well maintained. However, the information in the learned global features may be destroyed if other fusion methods are used.

2.3. Regularization

In this paper, we use a prototype conformity loss ${\mathcal{L}}_{PC}$[26] proposed by Mustafa et al. as our regularization method. For a classification task with the number of classes k, given training images, let ${\mathit{f}}_p$ be the output feature of one image ${\mathit{x}}_p$ with class ${\mathit{y}}_p$. Therefore, the expression of ${\mathcal{L}}_{PC}$ is shown as follows:

$$\begin{array}{c}\hfill {\mathcal{L}}_{PC}=\sum _p\left\{{∥{\mathit{f}}_p-{\mathit{w}}_{y_p}^c∥}_2-\frac{1}{k-1}\sum _{q\ne y_p}\right({∥{\mathit{f}}_p-{\mathit{w}}_q^c∥}_2+{∥{\mathit{w}}_{y_p}^c-{\mathit{w}}_q^c∥}_2\left)\right\},\end{array}$$

(5)

where ${\mathit{w}}_{y_p}^c$ is the class centroid corresponding to the true class ${\mathit{y}}_p$, and ${\mathit{w}}_q^c$ is the class centroids corresponding to other classes that are not class ${\mathit{y}}_p$. We can see from the above equation that ${\mathcal{L}}_{PC}$ can increase the distance between different classes and reduce the distance between ${\mathit{f}}_p$ and the class center ${\mathit{w}}_{y_p}^c$; thus, the boundaries between different classes are more obvious.

It is easier for ${\mathcal{L}}_{PC}$ to learn the differences among the features of different classes when the representation information of the features of each class is rich. Additionally, the output features of EMSF²Net contain information-rich global channel features. Naturally, we introduce ${\mathcal{L}}_{PC}$ into our proposed network as the regularization method. Therefore, the total loss function ${\mathcal{L}}_{all}$ used for training EMSF²Net is shown as follows:

$$\begin{array}{c}\hfill {\mathcal{L}}_{all}={\mathcal{L}}_{CE}+\sum _{k=1}^4{\mathcal{L}}_{PC}^k,\end{array}$$

(6)

where the cross-entropy loss ${\mathcal{L}}_{CE}$ is responsible for constraining the final classification outputs of EMSF²Net, and ${\mathcal{L}}_{PC}$ aims to regularize the multi-stage features, and the enhanced multi-stage fusion feature in EMSF²Net. ${\sum }_{k=1}^4{\mathcal{L}}_{PC}^k$ denotes the sum of all ${\mathcal{L}}_{PC}$ in EMSF²Net. ${\mathcal{L}}_{all}$ can increase the distances between samples with different classes and decrease the distances between samples with the same classes in the output space.

3. Dataset and Adversarial Attacks

In this section, we introduce the dataset and seven popular adversarial attack methods used in this paper to verify the adversarial robustness of our proposed method.

3.1. Dataset: CIFAR-10

We used the CIFAR-10 dataset [31], which has been widely used to verify adversarial defense methods, to compare our method with other state-of-the-art and ablation analysis methods. CIFAR-10 consists of 60,000 images with the size of 32 × 32 pixels; the training set contains 50,000 images, and the test set consists of 10,000 images. This dataset is divided into 10 classes: “airplane”, “automobile”, “bird”, “cat”, “deer”, “dog”, “frog”, “horse”, “ship”, and “truck”.

3.2. Attack Methods

Given a clean image $\mathit{x}$ and its corresponding true label $\mathit{y}$, the model is represented as $\mathit{f}$, and the adversarial attack aims to find a perturbation $\mathbf{\eta }$ that human eyes cannot distinguish. This kind of perturbation should satisfy the following equation:

$$\begin{array}{c}\hfill \underset{{∥\mathbf{\eta }∥}_p<ϵ}{\mathrm{argmax}}\mathcal{L}(\mathit{f}(\mathit{x}+\mathbf{\eta }),\mathit{y}),\end{array}$$

(7)

where $\mathcal{L}$ represents the loss function; ${∥·∥}_p$ represents the $L_p$-norm with $p\in \{0,\cdots ,\infty \}$, and $ϵ$ is the perturbation or attack strength.

Currently, many adversarial attack methods for finding the perturbation have been proposed. In this paper, we used six popular adversarial attacks, which are shown in detail below, to evaluate the robustness of the proposed EMSF²Net. The adversarial attack toolbox used in the experiments is Torchattacks [32].

3.2.1. Fast Gradient Sign Method

The fast gradient sign method (FGSM) [4] is a classic adversarial attack method. It generates the adversarial perturbation $\mathbf{\eta }$ based on the gradient of loss function of the clean image $\mathit{x}$. The generated adversarial example ${\mathit{x}}^{\prime }$ can be expressed as follows:

$$\begin{array}{c}\hfill {\mathit{x}}^{\prime }=\mathit{x}+ϵ·\mathrm{sign}\left({\nabla }_{\mathit{x}}\mathcal{L}(\mathit{f}\left(\mathit{x}\right),\mathit{y})\right),\end{array}$$

(8)

where $ϵ$ represents the attack strength and the distance measure used for this attack is $L_{\infty }$.

3.2.2. Projected Gradient Descent

Projected gradient descent (PGD) [5] is a kind of iterative adversarial attack method, which can be regarded as a kind of iteration FGSM. The expression of step $k+1$ is as follows:

$$\begin{array}{cc}\hfill & {\mathit{x}}_0^{\prime }=\mathit{x}+\mathcal{U}(-ϵ,ϵ),\hfill \\ \hfill & {\mathit{x}}_{k+1}^{\prime }=\mathcal{P}\left\{{\mathit{x}}_k^{\prime }+\alpha ·\mathrm{sign}\left[{\nabla }_{{\mathit{x}}_k^{\prime }}\mathcal{L}\left(\mathit{f}\left({\mathit{x}}_k^{\prime }\right),\mathit{y}\right)\right]\right\},\hfill \end{array}$$

(9)

where $\mathcal{U}(·,·)$ is the uniform distribution, and $\alpha$ denotes the step size. The projection function $\mathcal{P}\{·\}$ guarantees that after each iteration, the generated adversarial example ${\mathit{x}}^{\prime }$ can always be in the $ϵ$-ball with $\mathit{x}$ as the center, and $ϵ$ is the radius. The distance measurements used for this attack are $L_{\infty }$ and $L_2$. Specifically, the PGD attack adopted the $L_2$-norm denoted as the PGD_$L_2$ in this paper.

3.2.3. Momentum Iterative Fast Gradient Sign Method

The momentum iterative FGSM (MI-FGSM, MIM) [33] integrates momentum into the iteration process, which is unlike the traditional iteration-based FGSMs [5,34], and the expressions of step $k+1$ are shown as follows:

$$\begin{array}{cc}\hfill & {\mathit{g}}_0=0,{\mathit{x}}_0^{\prime }=\mathit{x},\hfill \\ \hfill & {\mathit{g}}_{k+1}=\mu ·{\mathit{g}}_k+\frac{{\nabla }_{{\mathit{x}}_k^{\prime }}\mathcal{L}(\mathit{f}\left({\mathit{x}}_k^{\prime }\right),\mathit{y})}{{∥{\nabla }_{{\mathit{x}}_k^{\prime }}\mathcal{L}(\mathit{f}\left({\mathit{x}}_k^{\prime }\right),\mathit{y})∥}_1},\hfill \\ \hfill & {\mathit{x}}_{k+1}^{\prime }=\mathcal{P}\left\{{\mathit{x}}_k^{\prime }+\alpha ·\mathrm{sign}\left({\mathit{g}}_{k+1}\right)\right\},\hfill \end{array}$$

(10)

where $\mu$ is the decay factor for the gradient direction; $\alpha$ is the step size, and $\mathcal{P}\{·\}$ is the projection function that can project the generated adversarial example ${\mathit{x}}^{\prime }$ in the $ϵ$-ball. We used the $L_{\infty }$ distance measure for the MI-FGSM attack.

3.2.4. Diverse Inputs Iterative Fast Gradient Sign Method

Inspired by data augmentation [35,36], the diverse inputs iterative FGSM (DI²-FGSM) [37] introduces the input diversity to improve the transferability of adversarial examples. Specifically, a random transformation function is designed to clean inputs and used in each iteration of generating adversarial examples. In this paper, we employ the momentum-based DI²-FGSM attack, and the expressions of step $k+1$ are shown as follows:

$$\begin{array}{cc}\hfill & {\mathit{x}}_0^{\prime }=\mathit{x}+\mathcal{U}(-ϵ,ϵ),\hfill \\ \hfill & {\mathit{g}}_{k+1}=\mu ·{\mathit{g}}_k+\frac{{\nabla }_{{\mathit{x}}_k^{\prime }}\mathcal{L}(\mathit{f}\left(\mathcal{T}({\mathit{x}}_k^{\prime };P)\right),\mathit{y})}{{∥{\nabla }_{{\mathit{x}}_k^{\prime }}\mathcal{L}(\mathit{f}\left(\mathcal{T}({\mathit{x}}_k^{\prime };P)\right),\mathit{y})∥}_1},\hfill \\ \hfill & {\mathit{x}}_{k+1}^{\prime }=\mathcal{P}\left\{{\mathit{x}}_k^{\prime }+\alpha ·\mathrm{sign}\left({\mathit{g}}_{k+1}\right)\right\},\hfill \\ \hfill & \mathcal{T}({\mathit{x}}_k^{\prime };P)=\left\{\begin{array}{c}\mathcal{T}\left({\mathit{x}}_k^{\prime }\right),\mathrm{with}\mathrm{probability}P\\ {\mathit{x}}_k^{\prime },\mathrm{with}\mathrm{probability}1-P,\end{array}\right.\hfill \end{array}$$

(11)

Here, $\mu$, $\alpha$, and $\mathcal{P}\{·\}$ are defined the same as in Equation (10); $\mathcal{T}(·;·)$ is the random transformation function; and P is the transformation probability. We used the $L_{\infty }$-norm as the distance measurement of DI²-FGSM.

3.2.5. Averaged Projected Gradient Descent

Inspired by expectation over transformation (EOT) [38], an averaged PGD (A-PGD, EOTPGD) [39] was proposed to obtain a more stable and effective adversarial attack than the vanilla PGD. It introduces the expectation into the PGD attack. The expressions on step $k+1$ of EOTPGD are shown as follows:

$$\begin{array}{cc}\hfill & {\mathit{x}}_0^{\prime }=\mathit{x}+\mathcal{U}(-ϵ,ϵ),\hfill \\ \hfill & {\mathit{x}}_{k+1}^{\prime }=\mathcal{P}\left\{{\mathit{x}}_k^{\prime }+\alpha ·\mathrm{sign}\left(\mathbb{E}\left[{\nabla }_{{\mathit{x}}_k^{\prime }}\mathcal{L}\left(\mathit{f}\left({\mathit{x}}_k^{\prime }\right),\mathit{y}\right)\right]\right)\right\},\hfill \end{array}$$

(12)

where $\mathbb{E}\left[·\right]$ and $\alpha$ denote the expectation and step size, respectively. We adopt the $L_{\infty }$-norm as the distance measure of the EOTPGD attack.

3.2.6. Carlini and Wagner

Carlini and Wagner (CW) [40] is a novel optimization-based adversarial attack method. Specifically, a new variable $\mathit{w}$ is introduced and optimized according to the following expressions to generate more deceptive adversarial examples:

$$\begin{array}{cc}\hfill & {\mathit{w}}^{\prime }=\underset{\mathit{w}}{min}{∥\frac{1}{2}(tanh\left(\mathit{w}\right)+1)-\mathit{x}∥}_2^2+c·\mathcal{G}\left(\frac{1}{2}(tanh\left(\mathit{w}\right)+1)\right),\hfill \\ \hfill & {\mathit{x}}^{\prime }=\frac{1}{2}(tanh\left({\mathit{w}}^{\prime }\right)+1),\hfill \\ \hfill & \mathcal{G}(·)=max\left(\mathit{f}{(·)}_{\mathit{y}}-\underset{\mathit{i}\ne \mathit{y}}{max}\mathit{f}{(·)}_{\mathit{i}},-\kappa \right),\hfill \end{array}$$

(13)

where c is a hyperparameter positively related to the strength of the generated adversarial examples, whereas $\kappa$ is a confidence hyperparameter that can make the adversarial example ${\mathit{x}}^{\prime }$ become misclassified more easily. $\mathit{f}{(·)}_{\mathit{y}}$ represents the output probability of the true label $\mathit{y}$, and $\mathit{f}{(·)}_{\mathit{i}}$ represents the output probability of being misclassified. We used the $L_2$-norm distance measure for the CW attack.

4. Comparison Experiments

4.1. Comparison Methods

To fully verify the effectiveness and robustness of the proposed EMSF²Net, we chose three state-of-the-art methods.

MART [41]:

A novel loss function for adversarial defense is proposed in this method, which can pay more attention to the misclassified samples, thereby improving the adversarial robustness of the deep model.

RobNet [42]:

In RobNet, the authors focus on the network structure and introduce the neural architecture search (NAS) method into adversarial defense so that the robust network structures can be searched and designed.

BPFC [43]:

To simulate human visual processing, the authors impose a regularizer for consistent representation of the features learned from different quantized images in BPFC. This regularizer can significantly improve the adversarial robustness of the deep model.

4.2. Performance against Adversarial Attacks with $L_{\infty }$-Norm

In this subsection, we will demonstrate the robust accuracy results of the proposed EMSF²Net and the comparison methods under the adversarial attacks using the $L_{\infty }$-norm on the CIFAR-10 dataset. Specifically, we choose FGSM, PGD, MI-FGSM, DI²-FGSM, and EOTPGD with different attack strengths to show the superiority of the proposed approach. These $L_{\infty }$-norm attacks are set to white-box. The attack strengths of these attacks are set to 2/255, 4/255, 8/255, and 16/255.

First, we show the clean and robust accuracies against single-step FGSM attacks on the CIFAR-10 dataset. The results are presented in

Table 2. Clean and robust accuracies under the FGSM attack on CIFAR-10 dataset. The lightgray row represents the results of the proposed method, and the bold results represent the best results.

		FGSM
Method	No Attack	$\mathit{ϵ}=\frac{2}{255}$	$\mathit{ϵ}=\frac{4}{255}$	$\mathit{ϵ}=\frac{8}{255}$	$\mathit{ϵ}=\frac{16}{255}$
MART	83.6%	78.4%	72.9%	61.6%	42.6%
RobNet	82.7%	76.9%	70.6%	58.4%	38.0%
BPFC	82.4%	73.7%	64.6%	50.1%	33.7%
EMSF2Net (Ours)	92.7%	83.3%	81.1%	73.3%	42.7%

. As shown in Table 2, we can confirm that the proposed EMSF²Net outperforms the comparison methods under the FGSM attack and keeps a high classification accuracy in the scene with clean images.

Next, we show the robust classification accuracy under the iteration-based $L_{\infty }$-norm adversarial attacks with less complexity (iteration number = 10). For the convenience of distinction, we use PGD-10, MI-FGSM-10, DI²-FGSM-10, and EOTPGD-10 to denote these attacks with the iteration number of 10. The step size of these attacks is set to $ϵ/10$, where $ϵ$ denotes the attack strength. For MI-FGSM-10 and DI²-FGSM-10, the parameter of the momentum factor is set to 0.5. For EOTPGD-10, the number for estimating the mean gradient is set to 5. The results are presented in

Table 3. Robust accuracy against $L_{\infty }$-norm attacks with less complexity on CIFAR-10 dataset. The lightgray row represents the results of the proposed method, and the bold results represent the best results.

	Attack Strength
	$\mathbf{ϵ}=\frac{\mathbf{2}}{\mathbf{255}}$	$\mathbf{ϵ}=\frac{\mathbf{4}}{\mathbf{255}}$	$\mathbf{ϵ}=\frac{\mathbf{8}}{\mathbf{255}}$	$\mathbf{ϵ}=\frac{\mathbf{16}}{\mathbf{255}}$	$\mathbf{ϵ}=\frac{\mathbf{2}}{\mathbf{255}}$	$\mathbf{ϵ}=\frac{\mathbf{4}}{\mathbf{255}}$	$\mathbf{ϵ}=\frac{\mathbf{8}}{\mathbf{255}}$	$\mathbf{ϵ}=\frac{\mathbf{16}}{\mathbf{255}}$
	PGD-10				MI-FGSM-10
MART	79.7%	75.6%	65.5%	43.3%	78.3%	72.4%	59.1%	32.9%
RobNet	78.3%	73.4%	62.1%	38.6%	76.8%	70.1%	55.7%	27.8%
BPFC	75.7%	68.2%	52.0%	26.9%	73.4%	63.2%	44.5%	20.5%
EMSF2Net (Ours)	82.1%	80.6%	74.8%	53.8%	82.1%	81.0%	77.5%	66.5%
1c	DI2-FGSM-10				EOTPGD-10
MART	79.9%	76.1%	66.6%	45.8%	79.7%	75.6%	65.4%	43.5%
RobNet	78.6%	74.0%	63.3%	40.9%	78.3%	73.3%	62.1%	38.4%
BPFC	76.1%	69.4%	53.6%	29.1%	75.7%	68.3%	52.0%	26.9%
EMSF2Net (Ours)	81.2%	79.5%	73.8%	57.2%	82.1%	80.7%	74.7%	54.1%

. As shown in the table, we obtain that the proposed EMSF²Net still maintains the large advantages compared to the comparison methods under more difficult iteration-based adversarial attacks. In particular, the gaps between EMSF²Net and the other three comparison methods gradually increase as the attack strength $ϵ$ gradually increases. This phenomenon further illustrates the robustness and effectiveness of the proposed approach.

Finally, we show the performance of the proposed EMSF²Net and the comparison methods under more complex iteration-based adversarial attacks (iteration number = 20) using the $L_{\infty }$-norm. We use PGD-20, MI-FGSM-20, DI²-FGSM-20, and EOTPGD-20 to denote these attacks with the iteration number of 20. Except for the iteration number, the other parameters in the attacks with more complexity are the same as those with less complexity. The robust accuracy results are presented in

Table 4. Robust accuracy against $L_{\infty }$-norm attacks with more complexity on the CIFAR-10 dataset. The lightgray row represents the results of the proposed method, and the bold results represent the best results.

	Attack Strength
	$\mathbf{ϵ}=\frac{\mathbf{2}}{\mathbf{255}}$	$\mathbf{ϵ}=\frac{\mathbf{4}}{\mathbf{255}}$	$\mathbf{ϵ}=\frac{\mathbf{8}}{\mathbf{255}}$	$\mathbf{ϵ}=\frac{\mathbf{16}}{\mathbf{255}}$	$\mathbf{ϵ}=\frac{\mathbf{2}}{\mathbf{255}}$	$\mathbf{ϵ}=\frac{\mathbf{4}}{\mathbf{255}}$	$\mathbf{ϵ}=\frac{\mathbf{8}}{\mathbf{255}}$	$\mathbf{ϵ}=\frac{\mathbf{16}}{\mathbf{255}}$
	PGD-20				MI-FGSM-20
MART	78.3%	72.2%	57.7%	27.7%	78.3%	72.0%	57.3%	26.6%
RobNet	76.7%	69.7%	53.9%	22.5%	76.7%	69.6%	53.5%	21.8%
BPFC	73.3%	61.9%	39.9%	13.0%	73.2%	61.8%	39.7%	12.9%
EMSF2Net (Ours)	81.4%	79.0%	70.2%	45.9%	81.5%	79.0%	69.6%	50.5%
1c	DI2-FGSM-20				EOTPGD-20
MART	78.6%	73.0%	59.1%	30.1%	78.3%	72.2%	57.9%	27.6%
RobNet	77.0%	70.5%	55.5%	24.5%	76.7%	69.7%	53.7%	22.5%
BPFC	73.8%	63.5%	41.9%	14.5%	73.3%	62.0%	39.8%	13.1%
EMSF2Net (Ours)	80.2%	76.9%	68.2%	45.1%	81.5%	79.4%	70.5%	45.4%

. From this table, we can conclude that the classification results of the comparison methods decrease significantly as the attack strength $ϵ$ increases under more complex attacks. In contrast, the proposed EMSF²Net still maintains a high classification accuracy.

4.3. Performance against Adversarial Attacks with $L_2$-Norm

In Section 4.2, we present the classification accuracy results of the proposed EMSF²Net and three state-of-the-art comparison methods under white-box attacks with $L_{\infty }$-norm. These results reveal the robustness of EMSF²Net against $L_{\infty }$-norm attacks. In this subsection, we adopt another type of widely used adversarial attacks, the $L_2$-norm attacks, to further and more comprehensively verify the effectiveness of the proposed EMSF²Net. Specifically, we use PGD_$L_2$ attacks with different iteration numbers and CW attacks, where PGD_$L_2$-10, PGD_$L_2$-20, and PGD_$L_2$-40 represent PGD_$L_2$ attacks with the iteration numbers of 10, 20, and 40, respectively.

Table 5. Robust accuracy against adversarial attacks using the $L_2$-norm on the CIFAR-10 dataset. The lightgray row represents the results of the proposed method, and the bold results represent the best results.

	Attack Strength
	$\mathbf{ϵ}=\mathbf{1}.\mathbf{0}$	$\mathbf{ϵ}=\mathbf{2}.\mathbf{0}$	$\mathbf{ϵ}=\mathbf{3}.\mathbf{0}$	$\mathbf{ϵ}=\mathbf{1}.\mathbf{0}$	$\mathbf{ϵ}=\mathbf{2}.\mathbf{0}$	$\mathbf{ϵ}=\mathbf{3}.\mathbf{0}$
	PGD_${\mathit{L}}_{\mathbf{2}}$-10			PGD_${\mathit{L}}_{\mathbf{2}}$-20
MART	46.2%	17.2%	4.7%	37.5%	5.5%	0.4%
RobNet	42.8%	14.4%	3.9%	34.5%	4.9%	0.5%
BPFC	47.1%	23.0%	11.3%	41.7%	12.9%	3.3%
EMSF2Net (Ours)	78.8%	72.4%	64.1%	74.1%	62.9%	52.0%
	Attack strength			Iteration number ($steps$)
	$ϵ=1.0$	$ϵ=2.0$	$ϵ=3.0$	100	500	1000
	PGD_${\mathit{L}}_{\mathbf{2}}$-40			CW
MART	34.1%	3.1%	0.1%	22.9%	21.0%	20.9%
RobNet	31.5%	3.1%	0.1%	12.9%	10.8%	10.8%
BPFC	39.4%	8.7%	1.4%	59.4%	59.4%	59.4%
EMSF2Net (Ours)	67.6%	50.7%	39.6%	72.5%	69.1%	67.7%

presents the robust accuracy results of the proposed EMSF²Net and the comparison methods under $L_2$-norm attacks with different attack strengths $ϵ$ or different iteration numbers. The step size of the PGD_$L_2$ attacks is set to $ϵ/10$, and the parameter c for box-constraint and confidence $\kappa$ in CW are set to 1.0 and 0, respectively. These $L_2$-norm attacks are set to white-box.

Table 5 shows that EMSF²Net can always maintain the highest accuracy under different $L_2$-norm attacks with different strengths and iterations compared to the comparison methods. In particular, the accuracy of the comparison methods drops rapidly, even lower than 1.0% in some cases, with the increase in $ϵ$ under the PGD_$L_2$ attacks. In contrast, the proposed EMSF²Net can still maintain a relatively high adversarial robustness. The proposed EMSF²Net can also maintain the comparable performance under the notoriously difficult CW attack.

5. Ablation Analysis

In this section, we conducted a series of ablation experiments to further reveal the effectiveness and robustness of EMSF²Net.

We used two approaches for the ablation analysis. The first one is the baseline ResNet-50 shown in Table 1. We added three ${\mathcal{L}}_{PC}$ at the outputs of STAGES 2–4 for a fair comparison. We also constructed a new architecture called MSF²Net (Multi-Stage Feature Fusion Network) to verify the effectiveness of the FE Block. Compared with EMSF²Net, MSF²Net removes the FE Block of each stage, and the remaining parts are the same as EMSF²Net. The total loss functions of the baseline and MSF²Net during the training process are the sum of ${\mathcal{L}}_{CE}$ and ${\mathcal{L}}_{PC}$.

First, in Section 5.1, we vividly show the performance of the baseline, MSF²Net, and EMSF²Net under the adversarial attacks with different parameter settings in the form of line graphs. Then, in Section 5.2, we present the classification accuracy of each class in the CIFAR-10 dataset for the three approaches against different attacks in the form of histograms to reveal which classes in the CIFAR-10 dataset are more likely to be misclassified using these methods. Furthermore, in Section 5.3, we use a powerful tool for interpretability, grad-cam, to visualize each stage (STAGES 1–4) of the three methods. We also reveal which features the three methods focus on under adversarial attacks. Thus, the reason for the adversarial robustness of the proposed EMSF²Net can be understood. Finally, we use another popular interpretability tool, t-SNE, to show the feature distributions of three approaches under adversarial attacks with different settings.

5.1. Performance on Three Methods

In this subsection, we present the classification results of the baseline, MSF²Net, and EMSF²Net under the $L_{\infty }$-norm and $L_2$-norm attacks with the white-box setting on the CIFAR-10 dataset. First, the performance under the $L_{\infty }$-norm attacks is given and shown in Figure 2. The attack strengths $ϵ$ of these attacks are set to 2/255, 4/255, 8/255, and 16/255, respectively. Other parameters are set the same as the parameters explained in Section 4.2. Next, we show the robust accuracy of these three methods under the $L_2$-norm white-box attacks in Figure 3. The attack strengths $ϵ$ of PGD_$L_2$ attacks are set to 1.0, 2.0, and 3.0, whereas the iteration numbers of CW are set to 100, 500, and 1000, respectively. Other parameters are set the same as the parameters explained in Section 4.3.

As shown in Figure 2, although the gaps between the three approaches are not obvious under the FGSM attack, the advantages of the proposed EMSF²Net gradually emerge under the iteration-based attacks. Moreover, the proposed EMSF²Net still outperforms the baseline and MSF²Net under the $L_2$-norm white-box attacks. Particularly, the robust accuracy of the baseline and MSF²Net are below 50% under the CW attack, whereas the accuracy of the proposed EMSF²Net is consistently above 60%. Thus, the effectiveness of the FE Block is also clearly verified from Figure 2 and Figure 3.

5.2. Performance on Each Class of CIFAR-10

To further investigate the impacts of white-box adversarial attacks, we output the accuracy of each class of the baseline, MSF²Net, and EMSF²Net, and the results are shown in Figure 4 and Figure 5. Figure 4 shows the clean accuracy of each class and the robust accuracy of each class under the $L_{\infty }$-norm white-box attacks, while Figure 5 shows the robust accuracy under the white-box attacks with the $L_2$-norm. In Figure 4, we use FGSM, PGD-10, MI-FGSM-20, DI²-FGSM-10, and EOTPGD-20 with the same attack strength $ϵ=0.04$. For PGD-10, the step size is set to 0.004. For MI-FGSM-20 and DI²-FGSM-10, their step size and momentum factor are set to 0.004 and 0.5, respectively. For EOTPGD-20, its step size and number for estimating the mean gradient are set to 0.004 and 5. In Figure 5, we use the PGD_$L_2$ attacks (PGD_$L_2$-10, PGD_$L_2$-20, and PGD_$L_2$-40) and CW attack. For the PGD_$L_2$ attacks, their attack strength and step size are set to 4.0 and 0.4, respectively. For CW, its box-constraint parameter c, confidence $\kappa$, and iteration number are set to 1.0, 0, and 400, respectively.

The upper left part of Figure 4 is the clean accuracy of each class. We can see that when there is no attack, the accuracy of each class of the three methods almost has no difference. However, after the adversarial attacks, the accuracy gaps between the three methods appear. As shown in Figure 4 and Figure 5, after the $L_{\infty }$- and $L_2$-norm attacks, EMSF²Net can always keep a comparable, or an even better, performance compared with the baseline and MSF²Net. In particular, the accuracy of baseline and MSF²Net on class “cat” is extremely low, but EMSF²Net still maintains high accuracy. Regarding the reason for this, we consider that the structural information contained in the images with class “cat” is more complicated than that contained in the images with other classes, and as mentioned earlier, the features after the FE Block in EMSF²Net will have a strong ability to express information. Therefore, they can better represent the information in the images with the class “cat”, while the features in the baseline and MSF²Net may not be able to represent this rich information well. So after regularization, the adversarial robustness of class “cat” will be weak.

5.3. Grad-Cam Visualization

In this subsection, to understand which features the three approaches pay attention to when facing adversarial attacks, we use grad-cam to visualize the output features of STAGES 1–4 in these three methods. In this way, the recognition mechanism of the three methods under adversarial attacks can be revealed. It is also possible to know why the proposed EMSF²Net can keep high robustness.

Figure 6 and Figure 7 show the visualization results under the white-box $L_{\infty }$-norm and white-box $L_2$-norm attacks, respectively. The “BS” in Figure 6 and Figure 7 denotes the baseline method. For the $L_{\infty }$-norm attacks, we use PGD-10 and EOTPGD-20, and their attack strength $ϵ$ and step size are set to 0.02 and 0.002, respectively. Additionally, the parameter for estimating the mean gradient in EOTPGD-20 is set to 5. For the $L_2$-norm attacks, we adopt the PGD_$L_2$ attacks with different iterations (PGD_$L_2$-10, PGD_$L_2$-20, and PGD_$L_2$-40) and the CW attack, which is known for its difficulty. For the PGD_$L_2$ attacks, their attack strength and step size are set to 2.0 and 0.2, respectively. For CW, its box-constraint, confidence, and iteration parameters are set to 1.0, 0, and 500, respectively.

From Figure 6 and Figure 7, we can conclude that although the attention regions of STAGES 1–3 of the three approaches are confusing, the three methods begin to differ in the attention regions of STAGE 4. Specifically, the attention regions of the baseline and MSF²Net at STAGE 4 are either not the target class or are relatively large. However, the proposed EMSF²Net can always focus on the most important features of the target. We believe that for a non-denoising network, when the input is the adversarial image, it is easier to misclassify if the attention regions of the network are larger. This is because the texture features in the adversarial image have been contaminated, and if more regions are focused on, more erroneous features will be extracted. In contrast, if a network can always focus on and extract the most core features in the adversarial image, the classification accuracy can be improved since the core features contain relatively fewer adversarial noises.

Moreover, regarding which features in CNN are more important, as can be seen from Figure 6 and Figure 7, the areas of interest of STAGE 1–3 (shallow layers) are not the target areas. However, the outputs of STAGE 4 (deep layers) may affect the final classification results. Therefore, we can conclude that the deep layers are more important and more suitable for regularization.

5.4. t-SNE Visualization

In this subsection, we use t-SNE to visualize the output features of the last layer in these three approaches to view the feature distributions of the baseline, MSF²Net, and EMSF²Net. Figure 8, Figure 9, Figure 10 and Figure 11 show the visualization results under no attacks, less complex $L_{\infty }$-norm attacks, more complex $L_{\infty }$-norm attacks, and $L_2$-norm attacks, respectively. In these figures, “BS” denotes the baseline method, and the adversarial attacks used here are white-box settings. The serial numbers 1–10 in these figures represent “airplane”, “automobile”, “bird”, “cat”, “deer”, “dog”, “frog”, “horse”, “ship”, and “truck” on the CIFAR-10 dataset, respectively.

In Figure 9, we adopt FGSM, PGD-10, MI-FGSM-10, DI²-FGSM-10, and EOTPGD-10 with the same attack strength $ϵ=4/255$ as $L_{\infty }$-norm attacks with less complexity. The step size, momentum factor, and number for estimating the mean gradient are set to $ϵ/10$, 0.5, and 5, respectively. For the more complex $L_{\infty }$-norm attacks in Figure 10, we use PGD-20, MI-FGSM-20, DI²-FGSM-20, and EOTPGD-20. The parameters, except the iteration number, are the same as the parameters used in Figure 9. Finally, we adopt the PGD_$L_2$ attacks with different iterations (PGD_$L_2$-10, PGD_$L_2$-20, and PGD_$L_2$-40) and the CW attack as the $L_2$-norm attacks in Figure 11. For the PGD_$L_2$ attacks, their attack strength $ϵ$ and step size are set to 1.0 and 0.1, respectively. For CW, its box-constraint, confidence, and iteration parameters are set to 1.0, 0, and 50, respectively.

From Figure 8, we can conclude that the boundaries between each class of the CIFAR-10 dataset of the three methods are relatively obvious, indicating that these three methods can classify CIFAR-10 well without any attacks. However, the gaps between the three methods begin to appear under various adversarial attacks. From Figure 9, Figure 10 and Figure 11, we can find that under adversarial attacks, the classification results of the baseline are very chaotic, and the boundaries between each class of CIFAR-10 are very blurred; however, the performance of MSF²Net is slightly better. In contrast, the proposed EMSF²Net can always keep clear classification boundaries in most cases, which fully demonstrates the robustness and effectiveness of our method.

6. Conclusions

In this paper, we explored the adversarial defense based on regularization. We observe that the existing regularization-based adversarial defense methods do not discuss in detail what type of features are more suitable for regularization to further improve the adversarial robustness of CNNs. Therefore, we propose a new CNN architecture called EMSF²Net, consisting of three core operations: MSFE, MSF, and regularization. The proposed EMSF²Net shows that the robustness of CNN will be significantly improved if the enhanced multi-stage fusion feature is regularized. Extensive comparison experiments and ablation studies of white-box adversarial attacks with different settings demonstrate the effectiveness and robustness of our proposed method since the visual information processing mechanisms of different CNN-based structures are similar. Specifically, we believe that the CNN-based structures use operations such as convolution to extract the correlations between local data to effectively learn the representation information of each specific class. Thus, we have reason to believe that the proposed approach also performs well in other CNN-based structures. Regarding the performance of the proposed method on other structures, we would like to show it in future works.