Building upon Randomized Discretization, we develop two novel adversarial
defenses against white-box PGD attacks, utilizing vector quantization in higher
dimensional spaces. These methods, termed pRD and swRD, not only offer a
theoretical guarantee in terms of certified accuracy, they are also shown, via
abundant experiments, to perform comparably or even superior to the current art
of adversarial defenses. These methods can be extended to a version that allows
further training of the target classifier and demonstrates further improved
performance.

利用高维向量量化的随机离散化方法，提出了两种新的对抗性防御方法 pRD 和 swRD。这些方法不仅在保证证明准确性方面具有理论保证，而且通过大量实验结果表明，它们的性能相当，甚至优于当前艺术的对抗性防御。这些方法可以扩展到允许目标分类器进一步训练，并且表现出更好的性能。

基于向量量化的对抗性防御

Adversarial Defenses via Vector Quantization

Adversarial perturbations dramatically decrease the accuracy of
state-of-the-art image classifiers. In this paper, we propose and analyze a
simple and computationally efficient defense strategy: inject random Gaussian
noise, discretize each pixel, and then feed the result into any pre-trained
classifier. Theoretically, we show that our randomized discretization strategy
reduces the KL divergence between original and adversarial inputs, leading to a
lower bound on the classification accuracy of any classifier against any
(potentially whitebox) $\ell_\infty$-bounded adversarial attack. Empirically,
we evaluate our defense on adversarial examples generated by a strong iterative
PGD attack. On ImageNet, our defense is more robust than adversarially-trained
networks and the winning defenses of the NIPS 2017 Adversarial Attacks &
Defenses competition.

本文提出采用随机离散化和高斯噪声注入的简单有效防御策略，可以显著提高对抗攻击下的图像分类器准确性，相比于其他对抗训练，以及 NIPS 2017 中获胜的防御方法，在 ImageNet 数据集上表现更优。