US Patent 10984272 Defense against adversarial attacks on neural networks

A neural network is trained to defend against adversarial attacks, such as by preparing an input image for classification by a neural network where the input image includes a noise-based perturbation. The input image is divided into source patches. Replacement patches are selected for the source patches by searching a patch library for candidate patches available for replacing ones of those source patches, such as based on sizes of those source patches. A denoised image reconstructed from a number of replacement patches is then output to the neural network for classification. The denoised image may be produced based on reconstruction errors determined for individual candidate patches identified from the patch library. Alternatively, the denoised image may be selected from amongst a number of candidate denoised images. A set of training images is used to construct the patch library, such as based on salient data within patches of those training images.