Improving Adversarial Robustness via Activation Amplification and Attenuation

The existence of adversarial attacks is often attributed to the presence of non-robust features in neural networks.

While prior defenses reduce their impact via pruning, masking, or feature recalibration, we instead propose to jointly learn to amplify and attenuate these signals through a simple activation scaling mechanism.

To this end, we introduce Activation Amplification and Attenuation (A3), a lightweight plug-in module that enhances adversarial robustness with minimal modifications of the activations.

A3 dynamically rescales the activations using a learnable mask and a scaling factor derived from the original activation magnitudes.

The influence of adversarial perturbations can be amplified or attenuated using the same learnable parameters by simply flipping the sign of the scaling operation.

The amplified signals serve as negative references to construct novel contrastive and ranking loss functions.

Experimental analysis shows that learning to degrade the predictions in amplification mode simultaneously improves adversarial robustness in attenuation mode.

Moreover, A3 relies on only a small number of learnable parameters, with most of its behavior being determined by the scaling mechanism rather than additional network capacity.

Extensive experiments demonstrate that integrating A3 into different backbones, datasets, and training methods consistently improves adversarial robustness while introducing negligible computational and memory overhead compared to existing plug-in modules.

Code is available at: this https URL.