8.6 Susceptibility to adversarial input
In Chapter 3, Fundamentals of Deep Learning, we saw that we could fool a CNN by slightly perturbing the input pixels of an image: a picture that clearly looked like a cat was predicted as a dog with high confidence. The adversarial attack we created there, the Fast Gradient Sign Method (FGSM), is one of many adversarial attacks that exist, and BDL might offer some protection against them. Let’s see how that works in practice.
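As a refresher, FGSM perturbs each input pixel by a small step in the direction of the sign of the loss gradient: x_adv = x + ε · sign(∇ₓ loss). The sketch below illustrates the update rule on a toy logistic-regression "model" rather than the chapter's CNN (the model, weights, and ε = 0.1 here are illustrative assumptions, not the book's setup); the gradient with respect to the input can then be written down analytically:

```python
import numpy as np

def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))

def bce(x, y, w):
    """Binary cross-entropy loss of a linear model sigmoid(w @ x)."""
    p = sigmoid(w @ x)
    return -(y * np.log(p) + (1 - y) * np.log(1 - p))

def fgsm(x, y, w, eps=0.1):
    """One FGSM step: move x by eps in the sign of the input gradient.

    For BCE on sigmoid(w @ x), the input gradient is (p - y) * w.
    """
    p = sigmoid(w @ x)
    grad_x = (p - y) * w
    return x + eps * np.sign(grad_x)

# Toy data (assumed for illustration only)
rng = np.random.default_rng(0)
w = rng.normal(size=4)   # "trained" weights
x = rng.normal(size=4)   # clean input
y = 1.0                  # true label

x_adv = fgsm(x, y, w)
# The perturbation is tiny per pixel, yet it increases the loss:
print(bce(x, y, w) < bce(x_adv, y, w))  # → True
```

Against a CNN, the same rule applies; the gradient is simply obtained by backpropagation (for example, with `tf.GradientTape` in TensorFlow) instead of the closed-form expression used here.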
Step 1: Model training
Instead of using a pre-trained model, as in Chapter 3, Fundamentals of Deep Learning, we train a model from scratch. We use the same train and test data as in that chapter – see Chapter 3 for instructions on how to load the dataset. As a reminder, it is a relatively small dataset of cat and dog images. We first define our model. We use a VGG-like architecture but add dropout after every MaxPooling2D layer:
def conv_block(filters):
...
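The full block definition is elided above, so the following is only a sketch of what a VGG-style `conv_block` with dropout after pooling could look like in Keras; the filter progression, dropout rates, input shape, and head layers are all assumptions for illustration, not the book's exact architecture:

```python
import tensorflow as tf
from tensorflow.keras import layers, models

def conv_block(filters):
    """Two 3x3 convolutions, then max pooling followed by dropout."""
    return [
        layers.Conv2D(filters, (3, 3), activation="relu", padding="same"),
        layers.Conv2D(filters, (3, 3), activation="relu", padding="same"),
        layers.MaxPooling2D((2, 2)),
        layers.Dropout(0.25),  # dropout after every MaxPooling2D (rate assumed)
    ]

def build_model(input_shape=(150, 150, 3)):  # input shape assumed
    layer_list = [layers.Input(shape=input_shape)]
    for filters in (32, 64, 128):  # VGG-like doubling of filters (assumed)
        layer_list += conv_block(filters)
    layer_list += [
        layers.Flatten(),
        layers.Dropout(0.5),  # assumed rate
        layers.Dense(256, activation="relu"),
        layers.Dense(1, activation="sigmoid"),  # binary: cat vs. dog
    ]
    return models.Sequential(layer_list)

model = build_model()
```

Keeping dropout active at prediction time (Monte Carlo dropout) is what later lets us treat repeated forward passes as samples from an approximate posterior, which is where the Bayesian protection against adversarial inputs comes from.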