Robustifying ℓ_∞ Adversarial Training to the Union of Perturbation Models
share
Classical adversarial training (AT) frameworks are designed to achieve high adversarial accuracy against a single attack type, typically ℓ_∞ norm-bounded perturbations. Recent extensions in AT have focused on defending against the union of multiple perturbations but this benefit is obtained at the expense of a significant (up to 10×) increase in training complexity over single-attack ℓ_∞ AT. In this work, we expand the capabilities of widely popular single-attack ℓ_∞ AT frameworks to provide robustness to the union of (ℓ_∞, ℓ_2, ℓ_1) perturbations while preserving their training efficiency. Our technique, referred to as Shaped Noise Augmented Processing (SNAP), exploits a well-established byproduct of single-attack AT frameworks – the reduction in the curvature of the decision boundary of networks. SNAP prepends a given deep net with a shaped noise augmentation layer whose distribution is learned along with network parameters using any standard single-attack AT. As a result, SNAP enhances adversarial accuracy of ResNet-18 on CIFAR-10 against the union of (ℓ_∞, ℓ_2, ℓ_1) perturbations by 14 single-attack ℓ_∞ AT frameworks, and, for the first time, establishes a benchmark for ResNet-50 and ResNet-101 on ImageNet.
READ FULL TEXT
