RAIN: A Simple Approach for Robust and Accurate Image Classification Networks
- AAML
It has been shown that the majority of existing adversarial defense methods achieve robustness at the cost of sacrificing prediction accuracy. We propose a novel defense framework, Robust and Accurate Image classificatioN (RAIN), to improve the robustness of given CNN classifiers and, at the same time, preserve their high prediction accuracies. RAIN introduces a new randomization-enhancement scheme. It applies randomization over inputs to break the ties between the model forward prediction path and the backward gradient path, thus improving the model robustness. It then enhances the input's high-frequency details to retain the CNN's high prediction accuracy. Concretely, RAIN consists of two complementary randomization modules: randomized small circular shift (RdmSCS) and randomized down-upsampling (RdmDU). The RdmDU module first randomly downsamples the input image. Then, the RdmSCS module circularly shifts the input image along a randomly chosen direction by a small but random number of pixels. Finally, the RdmDU module performs upsampling with a high-performance super-resolution model, such as the EDSR, to reconstruct an image with rich details, since an empirical study we conduct reveals that the loss of high-frequency components in input images leads to a drop in the accuracy of a classifier. We conduct extensive experiments on the STL10 and ImageNet datasets to verify the effectiveness of RAIN. Our numerical results show that RAIN outperforms several state-of-the-art methods in both robustness and prediction accuracy.
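The three-step input pipeline described in the abstract (random downsample, small random circular shift, upsample), as an added sketch that is not the authors' code. The downsampling factor, the shift range, the function names and the nearest-neighbour upsampler standing in for a super-resolution model such as EDSR are all assumptions; the abstract does not give these values.

```python
import random

def random_downsample(img, rng, factor=2):
    # RdmDU, first half: keep one pixel per factor x factor cell, at a random phase.
    dy, dx = rng.randrange(factor), rng.randrange(factor)
    return [row[dx::factor] for row in img[dy::factor]]

def random_circular_shift(img, rng, max_shift=2):
    # RdmSCS: roll along a randomly chosen axis and direction by 1..max_shift pixels.
    k = rng.randint(1, max_shift) * rng.choice((-1, 1))
    if rng.random() < 0.5:                      # vertical roll: rotate the rows
        k %= len(img)
        return img[-k:] + img[:-k]
    k %= len(img[0])                            # horizontal roll: rotate each row
    return [row[-k:] + row[:-k] for row in img]

def upsample_nearest(img, factor=2):
    # Stand-in for the super-resolution model (assumption): nearest-neighbour repeat.
    out = []
    for row in img:
        wide = [p for p in row for _ in range(factor)]
        out.extend(list(wide) for _ in range(factor))
    return out

def rain_preprocess(img, rng, factor=2, max_shift=2):
    # Order from the abstract: downsample, circular shift, then upsample.
    # Height and width are assumed divisible by factor so the output size matches.
    small = random_downsample(img, rng, factor)
    shifted = random_circular_shift(small, rng, max_shift)
    return upsample_nearest(shifted, factor)

if __name__ == "__main__":
    # Constructed 8x8 "image" with distinct pixel values.
    image = [[r * 8 + c for c in range(8)] for r in range(8)]
    for seed in range(3):
        out = rain_preprocess(image, random.Random(seed))
        print(seed, out[0])
```

Each forward pass draws a fresh phase, axis and shift, so the same input reaches the classifier in a different form on every query; the nearest-neighbour stand-in does not restore the high-frequency detail that the abstract attributes to the super-resolution step.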