It has recently been discovered that adversarially trained classifiers exhibit an intriguing property, referred to as perceptually aligned gradients (PAG). PAG implies that the gradients of such classifiers possess a meaningful structure, aligned with human perception. Adversarial training is currently the best-known way to achieve classification robustness under adversarial attacks. The PAG property, however, has yet to be leveraged for further improving classifier robustness. In this work, we introduce Classifier Robustness Enhancement Via Test-Time Transformation (TETRA) -- a novel defense method that utilizes PAG, enhancing the performance of trained robust classifiers. Our method operates in two phases. First, it modifies the input image via a designated targeted adversarial attack into each of the dataset's classes. Then, it classifies the input image based on the distance to each of the modified instances, with the assumption that the shortest distance relates to the true class. We show that the proposed method achieves state-of-the-art results and validate our claim through extensive experiments on a variety of defense methods, classifier architectures, and datasets. We also empirically demonstrate that TETRA can boost the accuracy of any differentiable adversarial training classifier across a variety of attacks, including ones unseen at training. Specifically, applying TETRA leads to substantial improvements of up to $+23\%$, $+20\%$, and $+26\%$ on CIFAR10, CIFAR100, and ImageNet, respectively.
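The two phases described above, as an added example that is not the paper's code: a constructed toy "robust classifier" (a nearest-prototype model written as a linear softmax, an assumption standing in for a trained network) is attacked toward every class with normalized gradient steps, and the input is then labelled by the shortest L2 distance to its class-targeted modifications. The step rule, confidence threshold `tau`, step budget and the prototypes are assumptions chosen so the mechanics can be run offline.

```python
import numpy as np

# Constructed toy "robust classifier": a nearest-prototype model written as a
# linear softmax classifier, logits z_c = mu_c . x - ||mu_c||^2 / 2.
# The paper's classifiers are deep networks; this stand-in exists only so the
# two TETRA phases can be run end to end without training anything.
PROTOTYPES = 4.0 * np.eye(4)            # class c lives around 4 * e_c in R^4
BIAS = -0.5 * np.sum(PROTOTYPES ** 2, axis=1)


def softmax(z):
    z = z - z.max()
    e = np.exp(z)
    return e / e.sum()


def predict_proba(x):
    return softmax(PROTOTYPES @ x + BIAS)


def targeted_attack(x, target, alpha=0.25, tau=0.9, max_steps=100):
    """Phase 1: push x toward class `target` with normalised gradient steps on
    the cross-entropy to the target, stopping once confidence reaches tau.
    (Step rule, tau and step budget are assumptions, not the paper's settings.)"""
    x_adv = x.astype(float).copy()
    for _ in range(max_steps):
        p = predict_proba(x_adv)
        if p[target] >= tau:
            break
        # d CE(target) / dx for a linear softmax model: W^T (p - e_target)
        grad = PROTOTYPES.T @ (p - np.eye(len(p))[target])
        norm = np.linalg.norm(grad)
        if norm < 1e-12:
            break
        x_adv -= alpha * grad / norm
    return x_adv


def tetra_predict(x):
    """Phase 2: attack x into every class, then classify by the shortest L2
    distance between x and its class-targeted modification."""
    modified = [targeted_attack(x, c) for c in range(len(PROTOTYPES))]
    distances = np.array([np.linalg.norm(m - x) for m in modified])
    return int(np.argmin(distances)), distances, modified


if __name__ == "__main__":
    x_clean = PROTOTYPES[0].copy()       # constructed sample of class 0
    label, dists, _ = tetra_predict(x_clean)
    print("TETRA label:", label, "per-class distances:", np.round(dists, 3))
```

On the clean class-0 sample the attack toward class 0 stops immediately (distance 0), while each other class needs roughly 3.25 units of perturbation before the model reaches the confidence threshold; the benefit the paper reports comes from PAG in deep robust classifiers, which this linear stand-in does not exhibit.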