Test-Time Defense Against Adversarial Attacks via Stochastic Resonance of Latent Ensembles

Lao, Dong, Zhang, Yuxiang, Oskouie, Haniyeh Ehsani, Wu, Yangchao, Wong, Alex, Soatto, Stefano

arXiv.org Artificial Intelligence 

We propose a test-time defense mechanism against adversarial attacks: imperceptible image perturbations that significantly alter the predictions of a model. Unlike existing methods that rely on feature filtering or smoothing, which can lead to information loss, we propose to "combat noise with noise" by leveraging stochastic resonance to enhance robustness while minimizing information loss. Our approach introduces small translational perturbations to the input image, aligns the transformed feature embeddings, and aggregates them before mapping back to the original reference image. This can be expressed in a closed-form formula, which can be deployed on diverse existing network architectures without introducing additional network modules or fine-tuning for specific attack types. The resulting method is entirely training-free, architecture-agnostic, and attack-agnostic. Empirical results show state-of-the-art robustness on image classification and, for the first time, establish a generic test-time defense for dense prediction tasks, including stereo matching and optical flow, highlighting the method's versatility and practicality. Specifically, relative to clean (unperturbed) performance, our method recovers up to 68.1% of the accuracy loss on image classification, 71.9% on stereo matching, and 29.2% on optical flow under various types of adversarial attacks.

Most deep neural networks in use today are deterministic maps from a fixed-size input to a fixed-size feature vector. In either case, the output vector is often highly sensitive to perturbations of the input, and one can intentionally choose these imperceptible perturbations adversarially so as to maximize the change in the output Goodfellow et al. (2014). In some cases, the same perturbation can even be disruptive for a large number of possible inputs Moosavi-Dezfooli et al. (2017), exploiting the convoluted geometry of the decision boundary imposed by such trained models Tramèr et al. (2017). This spurious sensitivity could be exploited adversarially to disrupt the operation of a model.
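The translate / encode / align / aggregate pipeline described in the abstract, as an added toy sketch that is not the paper's code or its closed-form formula: the encoder is an assumed stride-2 max-pool followed by nearest-neighbour upsampling (a stand-in for the strided layers of a real network), the 8x8 input is constructed, and offsets span one full stride period. It illustrates why the aggregation is not a no-op: for an exactly translation-equivariant encoder the ensemble reproduces a single pass, so the aggregated latent differs from a single pass only where the encoder breaks equivariance, and over a full stride period it restores shift-consistency.

```python
import numpy as np

def translate(a, dy, dx):
    """Shift a 2-D array by (dy, dx); wrap-around keeps this toy example exact."""
    return np.roll(a, shift=(dy, dx), axis=(0, 1))

def toy_encoder(img):
    """Assumed stand-in for a network encoder: 2x2 stride-2 max-pooling, then
    nearest-neighbour upsampling back to input resolution. Like strided layers
    in real networks it is NOT translation-equivariant for odd shifts."""
    h, w = img.shape
    pooled = img.reshape(h // 2, 2, w // 2, 2).max(axis=(1, 3))
    return np.repeat(np.repeat(pooled, 2, axis=0), 2, axis=1)

# Small translational perturbations covering one full stride period of the encoder.
OFFSETS = [(0, 0), (0, 1), (1, 0), (1, 1)]

def latent_ensemble(img, encoder=toy_encoder, offsets=OFFSETS):
    """Translate the input, encode, align each embedding back to the reference
    frame with the inverse translation, then aggregate by averaging."""
    aligned = []
    for dy, dx in offsets:
        feat = encoder(translate(img, dy, dx))
        aligned.append(translate(feat, -dy, -dx))
    return np.mean(aligned, axis=0)

def shift_consistency_error(img, dy=1, dx=0):
    """max |F(shift(img)) - shift(F(img))| for a single pass and for the ensemble.
    Zero means the feature map moves exactly with the input."""
    single = np.abs(toy_encoder(translate(img, dy, dx))
                    - translate(toy_encoder(img), dy, dx)).max()
    ens = np.abs(latent_ensemble(translate(img, dy, dx))
                 - translate(latent_ensemble(img), dy, dx)).max()
    return float(single), float(ens)

def sample_image():
    """Constructed 8x8 test input: a single bright pixel at row 1, column 2."""
    img = np.zeros((8, 8))
    img[1, 2] = 1.0
    return img

def run_demo():
    img = sample_image()
    single_err, ens_err = shift_consistency_error(img)
    ens = latent_ensemble(img)
    return {"single_err": single_err, "ensemble_err": ens_err,
            "ens_at_pixel": float(ens[1, 2]), "ens_at_corner": float(ens[0, 3]),
            "differs_from_single_pass": bool(not np.allclose(ens, toy_encoder(img)))}

if __name__ == "__main__":
    print(run_demo())
```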