ML Security PapersANROT-HELANet: Adverserially and Naturally Robust Attention-Based Aggregation Network via The Hellinger Distance for Few-Shot Classification
Gao Yu Lee 1,2, Tanmoy Dam 1, Md Meftahul Ferdaus 3, Daniel Puiu Poenar 1, Vu N.Duong 1
Published on arXiv
2509.11220
Input Manipulation Attack
OWASP ML Top 10 — ML01
Key Finding
Achieves resilience to FGSM adversarial perturbations up to ε=0.30 while improving 5-shot miniImageNet accuracy by 1.40% over KL-divergence-based FSL baselines
ANROT-HELANet
Novel technique introduced
Few-Shot Learning (FSL), which involves learning to generalize using only a few data samples, has demonstrated promising and superior performances to ordinary CNN methods. While Bayesian based estimation approaches using Kullback-Leibler (KL) divergence have shown improvements, they remain vulnerable to adversarial attacks and natural noises. We introduce ANROT-HELANet, an Adversarially and Naturally RObusT Hellinger Aggregation Network that significantly advances the state-of-the-art in FSL robustness and performance. Our approach implements an adversarially and naturally robust Hellinger distance-based feature class aggregation scheme, demonstrating resilience to adversarial perturbations up to $ε=0.30$ and Gaussian noise up to $σ=0.30$. The network achieves substantial improvements across benchmark datasets, including gains of 1.20\% and 1.40\% for 1-shot and 5-shot scenarios on miniImageNet respectively. We introduce a novel Hellinger Similarity contrastive loss function that generalizes cosine similarity contrastive loss for variational few-shot inference scenarios. Our approach also achieves superior image reconstruction quality with a FID score of 2.75, outperforming traditional VAE (3.43) and WAE (3.38) approaches. Extensive experiments conducted on four few-shot benchmarked datasets verify that ANROT-HELANet's combination of Hellinger distance-based feature aggregation, attention mechanisms, and our novel loss function establishes new state-of-the-art performance while maintaining robustness against both adversarial and natural perturbations. Our code repository will be available at https://github.com/GreedYLearner1146/ANROT-HELANet/tree/main.
Key Contributions
- Hellinger distance-based feature class aggregation scheme that achieves resilience to adversarial perturbations up to ε=0.30 and Gaussian noise up to σ=0.30 in few-shot classification
- Novel Hellinger Similarity (HeSim) contrastive loss function that generalizes cosine similarity contrastive loss for variational few-shot inference
- State-of-the-art FSL accuracy improvements (1.20%/1.40% on 1-shot/5-shot miniImageNet) alongside a FID score of 2.75, outperforming VAE and WAE baselines
🛡️ Threat Analysis
The paper's central design goal is resilience to adversarial perturbations (tested with FGSM up to ε=0.30) at inference time; the Hellinger distance aggregation scheme serves as the defense mechanism replacing KL-divergence-based methods that are shown to be vulnerable to adversarial examples.