Compressive Recovery Defense: Defending Neural Networks Against ℓ2, ℓ, and ℓ0 Norm Attacks

Publication Date


Document Type

Conference Proceeding

Publication Title

2020 International Joint Conference on Neural Networks (IJCNN)




We consider the problem of defending neural networks against adversarial inputs. In particular, we extend the framework introduced in [1] to defend neural networks against l2, l∞, and l0 norm attacks. We call this defense framework Compressive Recovery Defense (CRD) as it utilizes recovery algorithms from the theory of compressive sensing. For defending against l2-norm and l0-norm attacks, we use Basis Pursuit (BP) as the recovery algorithm and for the case of l∞-norm attacks, we utilize the Dantzig Selector (DS) with a novel constraint. For each recovery algorithm used, we provide rigorous recovery guarantees that do not depend on the noise generating mechanism and can therefore be utilized by CRD against any l2, l∞, or l0 norm attacks. Finally, we experimentally demonstrate that CRD is effective in defending neural networks against state of the art l2, l∞ and l0-norm attacks.


Mathematics and Statistics