Current Deep Neural Networks are vulnerable to adversarial examples, which alter their predictions by adding carefully crafted noise. Since human eyes are robust to such inputs, it is possible that the vulnerability stems from the standard way of processing inputs in one shot by processing every pixel with the same importance. In contrast, neuroscience suggests that the human vision system can differentiate salient features by (1) switching between multiple fixation points (saccades) and (2) processing the surrounding with a non-uniform external resolution (foveation). In this work, we advocate that the integration of such active vision mechanisms into current deep learning systems can offer robustness benefits. Specifically, we empirically demonstrate the inherent robustness of two active vision methods - GFNet and FALcon - under a black box threat model. By learning and inferencing based on downsampled glimpses obtained from multiple distinct fixation points within an input, we show that these active methods achieve (2-3) times greater robustness compared to a standard passive convolutional network under state-of-the-art adversarial attacks. More importantly, we provide illustrative and interpretable visualization analysis that demonstrates how performing inference from distinct fixation points makes active vision methods less vulnerable to malicious inputs.

翻译：当前深度神经网络易受对抗样本的攻击，这些样本通过添加精心设计的噪声改变模型预测。由于人眼对此类输入具有鲁棒性，这种脆弱性可能源于标准的一次性处理方式——以同等重要性处理所有像素。相比之下，神经科学表明，人类视觉系统能够通过以下方式区分显著特征：（1）在多个注视点之间切换（扫视运动）和（2）以非均匀的外部分辨率处理周围区域（中央凹成像）。本文主张将此类主动视觉机制整合到当前深度学习系统中可带来鲁棒性优势。具体而言，我们通过黑盒威胁模型实证证明了两种主动视觉方法——GFNet和FALcon——的固有鲁棒性。实验表明，基于输入中多个不同注视点获取的下采样瞥视进行学习与推理时，这些主动方法在最先进的对抗攻击下比标准被动卷积网络鲁棒性提升（2-3）倍。更重要的是，我们提供了具象化、可解释的可视化分析，揭示了从不同注视点执行推理如何使主动视觉方法对恶意输入更不敏感。