Adversarial examples for deep learning based methods have been demonstrated for different problems (Szegedy et al., 2013; Kurakin et al., 2016; Cisse et al., 2017a; Eykholt et al., 2017; Xiao et al., 2018). It has been shown that with minute perturbations, these networks can be made to produce unexpected results. Unfortunately, these perturbations can be obtained very easily. There has been plethora of work to defend against these attacks as well (Madry et al., 2017; Tram`er et al., 2017; Athalye et al., 2018; Wong et al., 2018; Jang et al., 2019a; Jiang et al., 2018; Xu et al., 2017; Schmidt et al., 2018). Recently, (Antun et al., 2019; Choi et al., 2019) introduced adversarial attacks on image reconstruction networks. In this work, we propose an adversarial training scheme for image reconstruction deep networks to provide robustness.

Image reconstruction involving the recovery of an image from indirect measurements is used in many applications, including critical applications such as medical imaging, e.g., Magnetic Resonance Imaging (MRI), Computerised Tomography (CT) etc. Such applications demand the reconstruction to be stable and reliable. On the other hand, in order to speed up the acquisition, reduce sensor cost, or reduce radiation dose, it is highly desirable to subsample the measurement data, while still recovering the original image. This is enabled by the compressive sensing (CS) paradigm (Candes et al., 2006; Donoho, 2006). CS involves projecting a high dimensional, signal to a lower dimensional measurement , using a small set of linear, non-adaptive frames. The noisy measurement model is:

where A is the measurement matrix. The goal is to recover the unobserved natural image x, from the compressive measurement y. Although the problem with is severely ill-posed and does not have a unique solution, CS achieves nice, stable solutions for a special class of signals x - those that are sparse or sparsifiable, by using sparse regularization techniques (Candes et al., 2006; Donoho, 2006; Elad & Aharon, 2006; Dong et al., 2011; Wen et al., 2015; Liu et al., 2017; Dabov et al., 2009; Yang et al., 2010; Elad, 2010; Li et al., 2009; Ravishankar & Bresler, 2012).

Recently, deep learning based methods have also been proposed as an alternative method for performing image recon- struction (Zhu et al., 2018; Jin et al., 2017; Schlemper et al., 2017; Yang et al., 2017; Hammernik et al., 2018). While these methods have achieved state-of-the-art (SOTA) performance, the networks have been found to be very unstable (Antun et al., 2019), as compared to the traditional methods. Adversarial perturbations have been shown to exist for such networks, which can degrade the quality of image reconstruction significantly. (Antun et al., 2019) studies three types of instabilities: (i) Tiny (small norm) perturbations applied to images that are almost invisible in the original images, but cause a significant distortion in the reconstructed images. (ii) Small structural changes in the original images, that get removed from the reconstructed images. (iii) Stability with increasing the number of measurement samples. We try to address instability (i) above.

In this paper, we argue that studying the instability for image reconstruction networks in the x-space as addressed by (Antun et al., 2019) is sub-optimal and instead, we should consider perturbations in the measurement, y-space. To improve robustness, we modify the training strategy: we introduce an auxiliary network to generate adversarial examples on the fly, which are used in a min-max formulation. This results in an adversarial game between two networks while training, similar to the Generative Adversarial Networks (GANs) (Goodfellow et al., 2014; Arjovsky et al., 2017). However, since the goal here is to build a robust reconstruction network, we make some changes in the training strategy compared to GANs.

Our theoretical analysis for a special case of a linear reconstruction scheme shows that the min-max formulation results in a singular-value filter regularized solution, which suppresses the effect of adversarial examples. Our experiment using the min-max formulation with a learned adversarial example generator for a linear reconstruction network shows that the network indeed converges to the solution obtained theoretically. For a complex non-linear deep network, our experiments show that training using the proposed formulation results in more robust network, both qualitatively and quantitatively, compared to other methods. Further, we experimented and analyzed the reconstruction for two different measurement matrices, one well-conditioned and another relatively ill-conditioned. We find that the behavior in the two cases is qualitatively different.

2.1. Adversarial Training

One of the most powerful methods for training an adversarially robust network is adversarial training (Madry et al., 2017; Tram`er et al., 2017; Sinha et al., 2017; Arnab et al., 2018). It involves training the network using adversarial examples, enhancing the robustness of the network to attacks during inference. This strategy has been quite effective in classification settings, where the goal is to make the network output the correct label corresponding to the adversarial example.

Standard adversarial training involves solving the following min-max optimization problem:

where represents the applicable loss function, e.g., cross-entropy for classification, and is the perturbation added to each sample, within an -norm ball of radius

This min-max formulation encompasses possible variants of adversarial training. It consists of solving two optimization problems: an inner maximization and an outer minimization problem. This corresponds to an adversarial game between the attacker and robust network f. The inner problem tries to find the optimal for a given data point (x, y) maximizing the loss, which essentially is the adversarial attack, whereas the outer problem aims to find a ing the same loss. For an optimal solving the equation 2, then will be robust (in expected value) to all the lying in the -norm ball around the true x.

2.2. Problem Formulation

(Antun et al., 2019) identify instabilities of a deep learning based image reconstruction network by maximizing the following cost function:

As evident from this framework, the perturbation r is added in the x-space for each y, resulting in perturbation Ar in the y-space. We argue that this formulation can miss important aspects in image reconstruction, especially in ill-posed problems, for the following three main reasons:

1. It may not be able to model all possible perturbations to y. The perturbations modeled in this formulation are all constrained to the range-space of A. When A does not have full row rank, there exist perturbations to y that cannot be represented as

2. It misses instabilities created by the ill-conditioning of the reconstruction problem. Consider a simple ill-conditioned reconstruction problem:

where A and f define the forward and reconstruction operator respectively, and . For perturbation in x, the reconstruction is , and the reconstruction error is , that is, for small , the perturbation has

negligible effect. In contrast, for the same perturbation , the reconstruction is with reconstruction error , which can be arbitrarily large if . This aspect is completely missed by the formulation based on (3).

3. For inverse problems, one also wants robustness to perturbations in the measurement matrix A. Suppose A used in training is slightly different from the actual that generates the measurements. This results in perturbation in y-space, which may be outside the range space of A, and therefore, as in 1 above, may not be possible to capture by the formulation based on (3).

The above points indicate that studying the problem of robustness to perturbations for image reconstruction problems in x-space misses possible perturbations in y-space that can have a huge adversarial effect on reconstruction. Since many of the image reconstruction problems are ill-posed or ill-conditioned, we formulate and study the issue of adversaries in the y-space, which is more generic and able to handle perturbations in the measurement operator A as well.

2.3. Image Reconstruction

Image Reconstruction deals with recovering the clean image x from noisy and possibly incomplete measurements y = Ax + v. Recently, deep-learning-based approaches have outperformed the traditional techniques. Many deep learning architectures are inspired by iterative reconstruction schemes (Rick Chang et al., 2017; Raj et al., 2019; Bora et al., 2017; Wen et al., 2019). Another popular way is to use an end-to-end deep network to solve the image reconstruction problem directly (Jin et al., 2017; Zhu et al., 2018; Schlemper et al., 2017; Yang et al., 2017; Hammernik et al., 2018; Sajjadi et al., 2017; Yao et al., 2019). In this work, we propose modification in the training scheme for the end-to-end networks.

Consider the standard MSE loss in x-space with the popular -regularization on the weights (aka weight decay), which mitigates overfitting and helps in generalization (Krogh & Hertz, 1992)

In this paper, we experiment both with (regularization present) and (no regularization). No regularization is used in the sequel, unless stated otherwise.

2.3.1. ADVERSARIAL TRAINING FOR IMAGE RECONSTRUCTION

Motivated by the adversarial training strategy (2), several frameworks have been proposed recently to make classifi-cation by deep networks more robust (Jang et al., 2019b; Kurakin et al., 2016; Wang & Yu, 2019). For image reconstruction, we propose to modify the training loss to the general form

The role of the first term is to ensure that the network f maps the non-adversarial measurement to the true x, while the role of the second term is to train f on worst-case adversarial examples within the -norm ball around the nominal measurement Ax. We want to be the worst case perturbation for a given f. However, during the initial training epochs, f is mostly random (assuming random initialization of the weights) resulting in random perturbation, which makes f diverge. Hence we need only the first term during initial epochs to get a decent f that provides reasonable reconstruction. Then, reasonable perturbations are obtained by activating the second term, which results in robust f.

Now, solving the min-max problem above is intractable for a large dataset as it involves finding the adversarial example, which requires to solve the inner maximization for each y = Ax. This may be done using projected gradient descent (PGD), but is very costly. A possible sub-optimal approximation (with p = 2) for this formulation is:

This formulation finds a common which is adversarial to each measurement y and tries to minimize the reconstruction loss for the adversarial examples together with that for clean examples. Clearly this is sub-optimal as using a perturbation common to all y’s need not be the worst-case perturbation for any of the y’s, and optimizing for the common won’t result in a highly robust network. Ideally, we would want the best of both worlds: i.e., to generate independently, together with tractable training. To this end, we propose to parameterize the worst-case perturbation by a deep neural network . This also eliminates the need of solving the inner-maximization to find using hand-designed methods. Since is parameterized by and takes y as input, a well-trained G will result in optimal perturbation for the given y = Ax. The modified loss function becomes:

This results in an adversarial game between the two networks: G and f, where G’s goal is to generate strong adversarial examples that maximize the reconstruction loss for the given f, while f tries to make itself robust to the adversarial examples generated by the G. This framework is illustrated in the Fig. 1. This min-max setting is quite similar to the Generative adversarial network (GAN), with the difference in the objective function. Also, here, the main goal is to build an adversarially robust f, which requires some empirical changes compared to standard GANs to make it work. Another change is to reformulate the constraint into a penalty form using the hinge loss, which makes the training more tractable:

Note that must be negative to satisfy the required constraint

Figure 1. Adversarial training framework of image reconstruction network f, jointly with another network G, generating the additive perturbations

2.3.2. TRAINING STRATEGY

We apply some modifications and intuitive changes to train a robust f jointly with training G in a mini-batch set-up. At each iteration, we update G to generate adversarial examples and train f using those adversarial examples along with the non-adversarial or clean samples to make it robust. Along with the training of robust f, G is being trained to generate worst-case adversarial examples. To generate strong adversarial examples by G in the mini-batch update, we divide each mini-batch into K sets. Now, G is trained over each set independently and we use adversarial examples after the update of G for each set. This fine-tunes G for the small set to generate stronger perturbations for every image belonging to the set. Then, f is trained using the entire mini-batch at once but with the adversarial examples generated set-wise. G obtained after the update corresponding to the passed for the next iteration or mini-batch update. This is described in Algorithm 1.

2.4. Robustness Metric

We define a metric to compare the robustness of different networks. We measure the following quantity for network

This determines the reconstruction error due to the worst-case additive perturbation over an -ball around the nominal

measurement for each image . The final robustness metric for estimate by the sample average of over a test dataset,

The smaller , the more robust the network.

We solve the optimization problem in (8) using projected gradient ascent (PGA) with momentum (with parameters selected empirically). Importantly, unlike training, where computation of is required at every epoch, we need to solve (8) only once for every sample in the test set, making this computation feasible during testing.

We theoretically obtained the optimal solution for the min-max formulation in (6) for a simple linear reconstruction. Although this analysis doesn’t extend easily to the non-linear deep learning based reconstruction, it gives some insights for the behavior of the proposed formulation and how it depends on the conditioning of the measurement matrices.

Theorem 1. Suppose that the reconstruction network f is a one-layer feed-forward network with no non-linearity i.e., f = B, where matrix B has SVD: . Denote the SVD of the measurement matrix A by A = is a diagonal matrix with singular values in permuted (increasing) order, and assume that the data is normalized, i.e., E(x) = 0 and cov(x) = I. Then the optimal B obtained by solving (6) is a modified pseudoinverse of A, with M = V , P = U and Q a filtered inverse

of S, given by the diagonal matrix

with largest entry of multiplicity m that depends on and

Proof. Please refer to the appendix A for the proof.

The modified inverse B reduces the effect of ill-conditioning in A for adversarial cases in the reconstruction. This can be easily understood, using the simple example from the equation 4. As explained previously, for the A in (4) with |r| < 1, an exact inverse, f =

Instead the min-max formulation (6) (with ) results in a modified pseudo inverse

the effect of an adversarial perturbation in y as for and . It can also be seen that won’t be optimal the for the unperturbed y as it’s not actual an inverse and reconstruction loss using f for unperturbed case would be smaller than that for for even very small adversaries, f would be much more sensitive than . It shows the trade-off between the perturbed and unperturbed case for the reconstruction in the case of ill-conditioned A.

This trade-off behavior will not manifest for a well-conditioned, as an ideal linear inverse f for this case won’t amplify the small perturbations and a reconstruction obtained using (6) with linear will be very close to f (depending on ): for well-conditioned . In that case , which reduces

Our experiments with deep-learning-based non-linear image reconstruction methods for CS using as sensing matrices random rows of a Gaussian matrix (well-conditioned) vs. random rows of a DCT matrix (relatively ill-conditioned) indeed show the qualitatively different behavior with increasing amount of perturbations.

Network Architecture: For the reconstruction network f, we follow the architecture of deep convolutional networks for image reconstruction. They use multiple convolution, deconvolution and ReLU layers, and use batch normalization and dropout for better generalization. As a pre-processing step, which has been found to be effective for reconstruction, we apply the transpose (adjoint) of A to the measurement y, feeding to the network. This transforms the measurement into the image-space, allowing the network to operate purely in image space.

For the adversarial perturbation generator G we use a standard feed-forward network, which takes input y as input. The network consists of multiple fully-connected and ReLU layers. We trained the architecture shown in fig. 1 using the objective defined in the (7).

We designed networks of similar structure but different number of layers for the two datasets, MNIST and CelebA used in the experiments.

We used the Adam Optimizer with , learning rate of and mini-batch size of 128, but divided into K = 4 parts during the update of G, described in the algorithm 1. During training, the size of the perturbation has to be neither too big (affects performance on clean samples) nor too small (results in less robustness). We empirically picked for MNIST and for the CelebA datasets. However, during testing, we evaluated , defined in (9) for different ’s (including those not used while training), to obtain a fair assessment of robustness.

We compare the adversarially trained model using the min-max formulation defined in the objective 7, with three models trained using different training schemes:

1. Normally trained model with no regularization, i.e.,

2. -norm weight regularized model, using (5) with (aka weight decay), chosen empirically to avoid over-fitting and improve robustness and generalization of the network.

3. Lipschitz constant (L)-constrained Parseval network (Cisse et al., 2017b). The idea is to constrain the overall Lipschitz constant L of the network to be , by making L of every layer, . Motivated by the idea that regularizing the spectral norm of weight matrices could help in the context of robustness, this approach proposes to constrain the weight matrices to also be orthonormal, making them Parseval tight frames. Let define the set of indices for fully-connected and convolutional layers respectively. The regularization term to penalize the deviation from the constraint is

(11) where is the weight matrix for ith fully connected layer and is the transformed or unfolded weight matrix of jth convolution layer having kernel size . This transformation requires input to the convolution to shift and repeat times. Hence, to maintain the Parseval tight frames constraint on the convolution operator, we need to make . and are identity matrices whose sizes depend on the size of and respectively. controls the weight given to the regularization compared to the standard

Figure 2. Qualitative Comparison for the MNIST dataset for different perturbations. First row of each sub-figure corresponds to the true image, Second row to the reconstruction using normally trained model, Third row to the reconstruction using Parseval Network, Fourth row to the reconstruction using the adversarially trained model (proposed scheme).

reconstruction loss. Empirically, we picked to be

To compare different training schemes, we follow the same scheme (described below) for each datasets. Also, we extensively compare the performance for the two datasets for Compressive Sensing (CS) task using two matrices: one well-conditioned and another, relatively ill-conditioned. This comparison complements the theoretical analysis, discussed in the previous section.

The MNIST dataset (LeCun et al., 1998) consists of gray-scale images of digits with 50, 000 training and 10, 000 test samples. The image reconstruction network consists of 4 convolution layers and 3 transposed convolution layers using re-scaled images between . For the generator G, we used 5 fully-connected layers network. Empirically, we found and in (7), gave the best performance in terms of robustness (lower ) for different perturbations.

The CelebA dataset (Liu et al., 2015) consists of more than 200, 000 celebrity images. We use the aligned and cropped version, which pre-processes each image to a size of and scaled between . We randomly pick 160, 000 images for the training. Images from the 40, 000 held-out set are used for evaluation. The image reconstruction network consists of 6 convolution layers and 4 transposed convolution layers. For the generator G, we used a 6 fully-connected layers network. We found and in (7) gave the best robustness performance

(lower ) for different perturbations.

4.1. Gaussian Measurement matrix

In this set-up, we use the same measurement matrix A as (Bora et al., 2017; Raj et al., 2019), i.e. where m is the number of measurements. For MNIST, the measurement matrix for CelebA, , with m = 1000. Figures 2 and 3 show the qualitative comparisons for the MNIST and CelebA reconstructions respectively, by solving the optimization described in Section 2.4. It can be seen clearly in both the cases that for different the adversarially trained models outperform the normally trained and Parseval networks. For higher ’s, the normally trained and Parseval models generate significant artifacts, which are much less for the adversarially trained models. Figures Fig. 4a and Fig. 4b show this improvement in performance in terms of the quantitative metric , defined in (9) for the MNIST and CelebA datasets respectively. It can be seen that is lower for the adversarially-trained models compared to other training methods: no regularization, -norm regularization on weights, and Parseval networks (Lipschitz-constant-regularized) for different ’s, showing that adversarial training using the proposed min-max formulation indeed outperforms other approaches in terms of robustness. It is noteworthy that even for , adversarial training reduces the reconstruction loss, indicating that it acts like an excellent regularizer in general.

Figure 3. Qualitative Comparison for the CelebA dataset for different perturbations. First row of each sub-figure corresponds to the true image, Second row to the reconstruction using normally trained model, Third row to the reconstruction using Parseval Network, Fourth row to the reconstruction using the adversarially trained model (proposed scheme).

4.2. Discrete Cosine Transform (DCT) matrix

To empirically study the effect of conditioning of the matrix, we did experiment by choosing A as random m rows and n columns of a DCT matrix, where p > n. This makes A relatively more ill-conditioned than the random Gaussian A, i.e. the condition number for the random DCT matrix is higher than that of random Gaussian one. The number of measurements has been kept same as the previous case, i.e. (m = 100, n = 784) for MNIST and (m = 1000, n = 12288) for CelebA. We trained networks having the same configuration as the Gaussian ones. Fig. 4 shows the comparison for the two measurement matrices. Based on the figure, we can see that for the DCT, MNIST (Fig. 4d) and CelebA (Fig. 4e), are very close for models trained adversarially and using other schemes for the unperturbed case (), but the gap between them increases with increasing ’s, with adversarially trained models outperforming the other methods consistently. This behavior is qualitatively different from that for the Gaussian case (Fig. 4a and Fig. 4b), where the gap between adversarially trained networks and models trained using other (or no) regularizers is roughly constant for different

4.3. Analysis with respect to Conditioning

To check the conditioning, Fig.4c shows the histogram for the singular values of the random Gaussian matrices. It can be seen that the condition number (ratio of maximum and minimum singular value) is close to 2 which is very well conditioned for both data sets. On the other hand, the histogram of the same for the random DCT matrices (Fig.4f) shows higher condition numbers – 8.9 for the and dimension matrices, which is ill-conditioned relative to the Gaussian ones.

Refering to the above analysis of conditioning and plots of the robustness measure for the two types of matrices: random Gaussian vs. random DCT indicate that the performance and behavior of the proposed min-max formulation depends on how well (or relatively ill)-conditioned the matrices are. This corroborates with the theoretical analysis for a simple reconstruction scheme (linear network) described in Sec. 3.

4.4. Linear Network for Reconstruction

We perform an experiment using a linear reconstruction network in a simulated set-up to compare the theoretically obtained optimal robust reconstruction network with the one learned by our scheme by optimizing the objective (6).

Figure 4. Row 1 corresponds to the random rows of Gaussian measurement matrix: (a) MNIST, (b) CelebA, (c) Distribution of the singular values for MNIST (left, m = 100) and CelebA (right, m = 1000) cases. Row 2 corresponds to random rows of the DCT measurement matrix: (a) MNIST, (b) CelebA, (c) Distribution of the singular values for MNIST (left, m = 100) and CelebA (right, m = 1000) cases.

We take 50, 000 samples of a signal drawn from N(0, I), hence, E(x) = 0 and cov(x) = I. For the measurement matrix , we follow the same strategy as in Sec. 4.1, i.e. . Since such matrices are well-conditioned, we replace 2 singular values of A by small values (one being and another, ) keeping other singular values and singular matrices fixed. This makes the modified matrix ill-conditioned. We obtain the measurements . For reconstruction, we build a linear network f having 1 fully-connected layer with no non-linearity i.e. . The reconstruction is given by is obtained from:

We have used , learning rate = 0.001 and momentum term as 0.9 in our experiments. We obtain the theoretically derived reconstruction B using the result given in (10) (from theorem 1). To compare B and , we examined the following three metrics:

, where I is the identity matrix of size

• : condition number

The above three metrics indicate that indeed converges to the theoretically obtained solution B.

In this work, we propose a min-max formulation to build a robust deep-learning-based image reconstruction models. To make this more tractable, we reformulate this using an auxiliary network to generate adversarial examples for which the image reconstruction network tries to minimize the reconstruction loss. We theoretically analyzed a simple linear network and found that using min-max formulation, it outputs singular-value(s) filter regularized solution which reduces the effect of adversarial examples for ill-conditioned matrices. Empirically, we found the linear network to converge to the same solution. Additionally, extensive experiments with non-linear deep networks for Compressive Sensing (CS) using random Gaussian and DCT measurement matrices on MNIST and CelebA datasets show that the proposed scheme outperforms other methods for different perturbations , however the behavior depends on the conditioning of matrices, as indicated by theory for the linear reconstruction scheme.

Proof of Theorem 1:

For the inverse problem of recovering the true x from the measurement y = Ax, goal is to design a robust linear recovery model given by

The min-max formulation to get robust model for a linear set-up:

Assuming, the dataset is normalized, i.e., E(x) = 0 and cov(x) = I. The above optimization problem becomes:

Since, , the above problem becomes:

Using SVD decomposition of and B = and Q is diagonal. Assume that G defines the set satisfying the constraints of is diagonal.

Since, only the second term is dependent on , maximizing the second term with respect to

We have since M is unitary. Given, Q is diagonal, can be maximized by having vector having all zeros except the location corresponding to the . Since, , again because P is unitary, so to maximize within the we will have where 1 is at the position. This makes the term to be:

Substituting the above term in equation 16:

For the above equation, only second term depends on M, minimizing the second term w.r.t. M keeping others fixed:

Since, this is a linear program with the quadratic constraint, relaxing the constraint from to won’t change the optimal point as the optimal point will always be at the boundary i.e.

Introducing the Lagrange multiplier matrix K for the constraint

Substituting and using stationarity of Lagrangian

Primal feasibility: . Optimal point at boundary

Because of the problem is convex, the local minima is the global minima which satisfies the two conditions: Stationarity of Lagrangian () and Primal feasibility (). By the choice of both these conditions are satisfied implying M = V is the optimal point.

Substituting M = V in equation 17, we get:

Denote the i-th column of by and suppose that entries in Q are in decreasing order and the largest entry , has multiplicity m, the equation 18 becomes:

If we consider the last term i.e. i > m, it can be minimized by setting which is equivalent to choose and . This makes the last term (= 0), using , making the equation 19 as:

The above term is upward quadratic in , minima w.r.t. will occur at , which will make the quadratic term as , which has to be minimized w.r.t C

Since . To maximize the term given by the equation 20, we can minimize the denominator by setting the term , which makes the matrix C as diagonal.

Divide the matrix U and P into two parts: one corresponding to and another i > m, where i represents the column-index of

Let and . From above, we have

Since, is diagonal, we have where is diagonal. Also, we have . Only way to satisfy this would be making which makes

P = U and C = I. It also results in

Hence, the resulting B would be of the form

Antun, V., Renna, F., Poon, C., Adcock, B., and Hansen, A. C. On instabilities of deep learning in image reconstruction-does ai come at a cost? arXiv preprint arXiv:1902.05300, 2019.

Arjovsky, M., Chintala, S., and Bottou, L. Wasserstein gan. arXiv preprint arXiv:1701.07875, 2017.

Arnab, A., Miksik, O., and Torr, P. H. On the robustness of semantic segmentation models to adversarial attacks. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 888–897, 2018.

Athalye, A., Carlini, N., and Wagner, D. Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. arXiv preprint arXiv:1802.00420, 2018.

Bora, A., Jalal, A., Price, E., and Dimakis, A. G. Com- pressed sensing using generative models. arXiv preprint arXiv:1703.03208, 2017.

Candes, E. J., Romberg, J. K., and Tao, T. Stable signal recovery from incomplete and inaccurate measurements. Communications on Pure and Applied Mathematics: A Journal Issued by the Courant Institute of Mathematical Sciences, 59(8):1207–1223, 2006.

Choi, J.-H., Zhang, H., Kim, J.-H., Hsieh, C.-J., and Lee, J.-S. Evaluating robustness of deep image super-resolution against adversarial attacks. In Proceedings of the IEEE International Conference on Computer Vision, pp. 303– 311, 2019.

Cisse, M., Adi, Y., Neverova, N., and Keshet, J. Houdini: Fooling deep structured prediction models. arXiv preprint arXiv:1707.05373, 2017a.

Cisse, M., Bojanowski, P., Grave, E., Dauphin, Y., and Usunier, N. Parseval networks: Improving robustness to adversarial examples. In Proceedings of the 34th International Conference on Machine Learning-Volume 70, pp. 854–863. JMLR. org, 2017b.

Dabov, K., Foi, A., Katkovnik, V., and Egiazarian, K. Bm3d image denoising with shape-adaptive principal component analysis. In SPARS’09-Signal Processing with Adaptive Sparse Structured Representations, 2009.

Dong, W., Zhang, L., Shi, G., and Wu, X. Image deblurring and super-resolution by adaptive sparse domain selection and adaptive regularization. IEEE Transactions on Image Processing, 20(7):1838–1857, 2011.

Donoho, D. L. Compressed sensing. IEEE Transactions on information theory, 52(4):1289–1306, 2006.

Elad, M. Sparse and redundant representations: from theory to applications in signal and image processing. Springer Science & Business Media, 2010.

Elad, M. and Aharon, M. Image denoising via sparse and redundant representations over learned dictionaries. IEEE Transactions on Image processing, 15(12):3736–3745, 2006.

Eykholt, K., Evtimov, I., Fernandes, E., Li, B., Rahmati, A., Xiao, C., Prakash, A., Kohno, T., and Song, D. Robust physical-world attacks on deep learning models. arXiv preprint arXiv:1707.08945, 2017.

Goodfellow, I., Pouget-Abadie, J., Mirza, M., Xu, B., Warde-Farley, D., Ozair, S., Courville, A., and Bengio, Y. Generative adversarial nets. In Advances in neural information processing systems, pp. 2672–2680, 2014.

Hammernik, K., Klatzer, T., Kobler, E., Recht, M. P., Sod- ickson, D. K., Pock, T., and Knoll, F. Learning a variational network for reconstruction of accelerated mri data. Magnetic resonance in medicine, 79(6):3055–3071, 2018.

Jang, Y., Zhao, T., Hong, S., and Lee, H. Adversarial de- fense via learning to generate diverse attacks. In The IEEE International Conference on Computer Vision (ICCV), October 2019a.

Jang, Y., Zhao, T., Hong, S., and Lee, H. Adversarial de- fense via learning to generate diverse attacks. In Proceedings of the IEEE International Conference on Computer Vision, pp. 2740–2749, 2019b.

Jiang, H., Chen, Z., Shi, Y., Dai, B., and Zhao, T. Learn- ing to defense by learning to attack. arXiv preprint arXiv:1811.01213, 2018.

Jin, K. H., McCann, M. T., Froustey, E., and Unser, M. Deep convolutional neural network for inverse problems in imaging. IEEE Transactions on Image Processing, 26 (9):4509–4522, 2017.

Krogh, A. and Hertz, J. A. A simple weight decay can im- prove generalization. In Advances in neural information processing systems, pp. 950–957, 1992.

Kurakin, A., Goodfellow, I., and Bengio, S. Adversarial ma- chine learning at scale. arXiv preprint arXiv:1611.01236, 2016.

LeCun, Y., Bottou, L., Bengio, Y., and Haffner, P. Gradient- based learning applied to document recognition. Proceedings of the IEEE, 86(11):2278–2324, 1998.

Li, C., Yin, W., and Zhang, Y. Users guide for tval3: Tv minimization by augmented lagrangian and alternating direction algorithms. CAAM report, 20(46-47):4, 2009.

Liu, D., Wen, B., Liu, X., Wang, Z., and Huang, T. S. When image denoising meets high-level vision tasks: A deep learning approach. arXiv preprint arXiv:1706.04284, 2017.

Liu, Z., Luo, P., Wang, X., and Tang, X. Deep learning face attributes in the wild. In Proceedings of International Conference on Computer Vision (ICCV), December 2015.

Madry, A., Makelov, A., Schmidt, L., Tsipras, D., and Vladu, A. Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083, 2017.

Raj, A., Li, Y., and Bresler, Y. Gan-based projector for faster recovery with convergence guarantees in linear inverse problems. In Proceedings of the IEEE International Conference on Computer Vision, pp. 5602–5611, 2019.

Ravishankar, S. and Bresler, Y. Learning sparsifying trans- forms. IEEE Transactions on Signal Processing, 61(5): 1072–1086, 2012.

Rick Chang, J., Li, C.-L., Poczos, B., Vijaya Kumar, B., and Sankaranarayanan, A. C. One network to solve them all–solving linear inverse problems using deep projection models. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 5888–5897, 2017.

Sajjadi, M. S., Scholkopf, B., and Hirsch, M. Enhancenet: Single image super-resolution through automated texture synthesis. In Proceedings of the IEEE International Conference on Computer Vision, pp. 4491–4500, 2017.

Schlemper, J., Caballero, J., Hajnal, J. V., Price, A., and Rueckert, D. A deep cascade of convolutional neural

networks for mr image reconstruction. In International Conference on Information Processing in Medical Imaging, pp. 647–658. Springer, 2017.

Schmidt, L., Santurkar, S., Tsipras, D., Talwar, K., and Madry, A. Adversarially robust generalization requires more data. In Advances in Neural Information Processing Systems, pp. 5014–5026, 2018.

Sinha, A., Namkoong, H., and Duchi, J. Certifying some dis- tributional robustness with principled adversarial training. arXiv preprint arXiv:1710.10571, 2017.

Szegedy, C., Zaremba, W., Sutskever, I., Bruna, J., Erhan, D., Goodfellow, I., and Fergus, R. Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199, 2013.

Tram`er, F., Kurakin, A., Papernot, N., Goodfellow, I., Boneh, D., and McDaniel, P. Ensemble adversarial training: Attacks and defenses. arXiv preprint arXiv:1705.07204, 2017.

Wang, H. and Yu, C.-N. A direct approach to robust deep learning using adversarial networks. arXiv preprint arXiv:1905.09591, 2019.

Wen, B., Ravishankar, S., and Bresler, Y. Structured over- complete sparsifying transform learning with convergence guarantees and applications. International Journal of Computer Vision, 114(2-3):137–167, 2015.

Wen, B., Ravishankar, S., Pfister, L., and Bresler, Y. Trans- form learning for magnetic resonance image reconstruction: From model-based learning to building neural networks. arXiv preprint arXiv:1903.11431, 2019.

Wong, E., Schmidt, F., Metzen, J. H., and Kolter, J. Z. Scaling provable adversarial defenses. In Advances in Neural Information Processing Systems, pp. 8400–8409, 2018.

Xiao, C., Li, B., Zhu, J.-Y., He, W., Liu, M., and Song, D. Generating adversarial examples with adversarial networks. arXiv preprint arXiv:1801.02610, 2018.

Xu, W., Evans, D., and Qi, Y. Feature squeezing: Detecting adversarial examples in deep neural networks. arXiv preprint arXiv:1704.01155, 2017.

Yang, G., Yu, S., Dong, H., Slabaugh, G., Dragotti, P. L., Ye, X., Liu, F., Arridge, S., Keegan, J., Guo, Y., et al. Dagan: deep de-aliasing generative adversarial networks for fast compressed sensing mri reconstruction. IEEE transactions on medical imaging, 37(6):1310–1321, 2017.

Yang, J., Wright, J., Huang, T. S., and Ma, Y. Image super- resolution via sparse representation. IEEE transactions on image processing, 19(11):2861–2873, 2010.

Yao, H., Dai, F., Zhang, S., Zhang, Y., Tian, Q., and Xu, C. Dr2-net: Deep residual reconstruction network for image compressive sensing. Neurocomputing, 359:483–493, 2019.

Zhu, B., Liu, J. Z., Cauley, S. F., Rosen, B. R., and Rosen, M. S. Image reconstruction by domain-transform manifold learning. Nature, 555(7697):487, 2018.