Semantics-Preserving Adversarial Training

09/23/2020

∙

Adversarial training is a defense technique that improves adversarial robustness of a deep neural network (DNN) by including adversarial examples in the training data. In this paper, we identify an overlooked problem of adversarial training in that these adversarial examples often have different semantics than the original data, introducing unintended biases into the model. We hypothesize that such non-semantics-preserving (and resultingly ambiguous) adversarial data harm the robustness of the target models. To mitigate such unintended semantic changes of adversarial examples, we propose semantics-preserving adversarial training (SPAT) which encourages perturbation on the pixels that are shared among all classes when generating adversarial examples in the training stage. Experiment results show that SPAT improves adversarial robustness and achieves state-of-the-art results in CIFAR-10 and CIFAR-100.

READ FULL TEXT

Semantics-Preserving Adversarial Training

On Norm-Agnostic Robustness of Adversarial Training

Masking and Mixing Adversarial Training

Dropping Pixels for Adversarial Robustness

Curriculum Adversarial Training

Constructing Semantics-Aware Adversarial Examples with Probabilistic Perspective

Releasing Inequality Phenomena in L_∞-Adversarial Training via Input Gradient Distillation

Adversarial Over-Sensitivity and Over-Stability Strategies for Dialogue Models

Semantics-Preserving Adversarial Training

Related Research

On Norm-Agnostic Robustness of Adversarial Training

Masking and Mixing Adversarial Training

Dropping Pixels for Adversarial Robustness

Curriculum Adversarial Training

Constructing Semantics-Aware Adversarial Examples with Probabilistic Perspective

Releasing Inequality Phenomena in L_∞-Adversarial Training via Input Gradient Distillation

Adversarial Over-Sensitivity and Over-Stability Strategies for Dialogue Models