Adversarial training (AT) incurs significant computational overhead, leading to growing interest in designing inherently robust architectures. We demonstrate that a carefully designed first layer of the neural network can serve as an implicit adversarial noise filter (ANF). This filter is created using a combination of large kernel size, increased convolution filters, and a maxpool operation. We show that integrating this filter as the first layer in architectures such as ResNet, VGG, and EfficientNet results in adversarially robust networks. Our approach achieves higher adversarial accuracies than existing natively robust architectures without AT and is competitive with adversarially trained architectures across a wide range of datasets. Supporting our findings, we show that (a) the decision regions for our method have better margins, (b) the visualized loss surfaces are smoother, (c) the modified peak signal-to-noise ratio (mPSNR) values at the output of the ANF are higher, (d) high-frequency components are more attenuated, and (e) architectures incorporating ANF exhibit better denoising under Gaussian noise compared to baseline architectures. Code for all our experiments is available at https://github.com/janani-suresh-97/first-line-defence.git.