{
  "id": "2105.14710",
  "version": "v1",
  "published": "2021-05-31T05:18:42.000Z",
  "updated": "2021-05-31T05:18:42.000Z",
  "title": "Robustifying $\\ell_\\infty$ Adversarial Training to the Union of Perturbation Models",
  "authors": [
    "Ameya D. Patil",
    "Michael Tuttle",
    "Alexander G. Schwing",
    "Naresh R. Shanbhag"
  ],
  "categories": [
    "cs.LG",
    "stat.ML"
  ],
  "abstract": "Classical adversarial training (AT) frameworks are designed to achieve high adversarial accuracy against a single attack type, typically $\\ell_\\infty$ norm-bounded perturbations. Recent extensions in AT have focused on defending against the union of multiple perturbations but this benefit is obtained at the expense of a significant (up to $10\\times$) increase in training complexity over single-attack $\\ell_\\infty$ AT. In this work, we expand the capabilities of widely popular single-attack $\\ell_\\infty$ AT frameworks to provide robustness to the union of ($\\ell_\\infty, \\ell_2, \\ell_1$) perturbations while preserving their training efficiency. Our technique, referred to as Shaped Noise Augmented Processing (SNAP), exploits a well-established byproduct of single-attack AT frameworks -- the reduction in the curvature of the decision boundary of networks. SNAP prepends a given deep net with a shaped noise augmentation layer whose distribution is learned along with network parameters using any standard single-attack AT. As a result, SNAP enhances adversarial accuracy of ResNet-18 on CIFAR-10 against the union of ($\\ell_\\infty, \\ell_2, \\ell_1$) perturbations by 14%-to-20% for four state-of-the-art (SOTA) single-attack $\\ell_\\infty$ AT frameworks, and, for the first time, establishes a benchmark for ResNet-50 and ResNet-101 on ImageNet.",
  "revisions": [
    {
      "version": "v1",
      "updated": "2021-05-31T05:18:42.000Z"
    }
  ],
  "analyses": {
    "keywords": [
      "perturbation models",
      "adversarial training",
      "single-attack",
      "achieve high adversarial accuracy",
      "frameworks"
    ],
    "note": {
      "typesetting": "TeX",
      "pages": 0,
      "language": "en",
      "license": "arXiv",
      "status": "editable"
    }
  }
}