Deep Neural Networks (DNNs) have been proven vulnerable to adversarial perturbations, which narrow their applications in safe-critical scenarios such as video surveillance and autonomous driving. To counter this threat, a very recent line of adversarial defense methods is proposed to increase the uncertainty of DNNs via injecting random noises in both the training and testing process. Note the existing defense methods usually inject noises uniformly to DNNs. We argue that the magnitude of noises is highly correlated with the response of corresponding features and the randomness on important feature spots can further weaken adversarial attacks. As such, we propose a new method, namely AdaNI, which can increase feature randomness via Adaptive Noise Injection to improve the adversarial robustness. Compared to existing methods, our method creates non-unified random noises guided by features and then injects them into DNNs adaptively. Extensive experiments are conducted on several datasets (e.g., CIFAR10, CIFAR100, Mini-ImageNet) with comparisons to state-of-the-art defense methods, which corroborates the efficacy of our method against a variety of powerful white-box attacks (e.g., FGSM, PGD, C&W, Auto Attack) and black-box attacks (e.g., Transferable, ZOO, Square Attack). Moreover, our method is adapted to improve the robustness of DeepFake detection to demonstrate its applicability.

深度神经网络（DNN）已被证明容易受到对抗性扰动的影响，这限制了它们在视频监控和自动驾驶等安全关键场景中的应用。为了应对这种威胁，最近提出了一系列对抗性防御方法，通过在训练和测试过程中注入随机噪声来增加 DNN 的不确定性。请注意，现有的防御方法通常向 DNN 统一注入噪声。我们认为噪声的大小与相应特征的响应高度相关，重要特征点的随机性可以进一步削弱对抗性攻击。因此，我们提出了一种新方法，即AdaNI ，它可以通过自适应噪声注入来增加特征随机性，从而提高对抗鲁棒性。与现有方法相比，我们的方法创建由特征引导的非统一随机噪声，然后自适应地将它们注入到 DNN 中。在多个数据集（例如，CIFAR10、CIFAR100、Mini-ImageNet）上进行了广泛的实验，并与最先进的防御方法进行了比较，这证实了我们的方法针对各种强大的白盒攻击（例如， FGSM、PGD、C&W、自动攻击）和黑盒攻击（例如，Transferable、ZOO、Square Attack）。此外，我们的方法还进行了改进，以提高 DeepFake 检测的鲁棒性，以证明其适用性。