Improved Image Wasserstein Attacks and Defenses
share
Robustness against image perturbations bounded by a ℓ_p ball have been well-studied in recent literature. Perturbations in the real-world, however, rarely exhibit the pixel independence that ℓ_p threat models assume. A recently proposed Wasserstein distance-bounded threat model is a promising alternative that limits the perturbation to pixel mass movements. We point out and rectify flaws in previous definition of the Wasserstein threat model and explore stronger attacks and defenses under our better-defined framework. Lastly, we discuss the inability of current Wasserstein-robust models in defending against perturbations seen in the real world. Our code and trained models are available at https://github.com/edwardjhu/improved_wasserstein .
READ FULL TEXT
