Adversarial Training and Robustness for Multiple Perturbations (1904.13000v2)

Abstract: Defenses against adversarial examples, such as adversarial training, are typically tailored to a single perturbation type (e.g., small $\ell_\infty$-noise). For other perturbations, these defenses offer no guarantees and, at times, even increase the model's vulnerability. Our aim is to understand the reasons underlying this robustness trade-off, and to train models that are simultaneously robust to multiple perturbation types. We prove that a trade-off in robustness to different types of $\ell_p$-bounded and spatial perturbations must exist in a natural and simple statistical setting. We corroborate our formal analysis by demonstrating similar robustness trade-offs on MNIST and CIFAR10. Building upon new multi-perturbation adversarial training schemes, and a novel efficient attack for finding $\ell_1$-bounded adversarial examples, we show that no model trained against multiple attacks achieves robustness competitive with that of models trained on each attack individually. In particular, we uncover a pernicious gradient-masking phenomenon on MNIST, which causes adversarial training with first-order $\ell_\infty, \ell_1$ and $\ell_2$ adversaries to achieve merely $50\%$ accuracy. Our results question the viability and computational scalability of extending adversarial robustness, and adversarial training, to multiple perturbation types.

Overview of Adversarial Training and Robustness for Multiple Perturbations

This paper presents a comprehensive analysis of adversarial robustness, particularly focusing on training models that exhibit robustness across multiple perturbation types. Traditional defenses against adversarial examples, such as adversarial training, are typically constrained to handle a singular perturbation type, like small $\ell_\infty$-noise, which limits their effectiveness against other perturbations and sometimes increases vulnerability to those perturbations. This paper seeks to elucidate the causes behind this robustness trade-off and introduces models capable of resisting multiple perturbation types concurrently.

Key Contributions and Findings

1. Robustness Trade-offs: The paper proves that a trade-off exists in robustness to different types of $\ell_p$-bounded and spatial perturbations within a straightforward statistical framework. This is substantiated by empirical verification using datasets such as MNIST and CIFAR10, where similar robustness trade-offs were observed. Specifically, the paper highlights that adversarial training involving first-order $\ell_\infty$, $\ell_1$, and $\ell_2$ attacks on MNIST results in only 50% robust accuracy due to factors like gradient masking.
2. Multi-Perturbation Adversarial Training Schemes: New schemes for adversarial training incorporating multiple perturbation types are proposed alongside an efficient attack for the $\ell_1$-norm. Despite training models against multiple attacks, these models fail to reach the robustness seen in models trained against single attacks.
3. Empirical and Theoretical Insights: Experiments utilizing MNIST and CIFAR10 highlight the challenges of achieving multi-perturbation robustness. The models developed display a noticeable decline in robust accuracy when compared to those trained on individual perturbations, underscoring the inherent robustness trade-offs.
4. Affine Attacks: The paper proposes affine attacks that interpolate linearly between perturbation types, further degrading the accuracy of adversarially trained models. Even for simple datasets like MNIST, achieving robustness against these affine combinations proves challenging, raising questions about extending current defensive strategies to more complex scenarios.

Practical and Theoretical Implications

From a practical perspective, the findings stress the need for new adversarial training methodologies or defenses that can efficiently handle multiple perturbation types. The implications are significant for applications requiring robust AI systems, such as in security-sensitive environments. Theoretically, this research accentuates the complexity of balancing robustness across various perturbation types and suggests an inherent limitation when dealing with compound adversaries. The paper’s proposed model offers a foundation for further exploring advanced adversarial defenses and serves as a caution for overestimating the capabilities of current strategies.

Future Directions

The complexities unveiled by the work suggest several intriguing avenues for future research:

• Gradient-Free Training Techniques: The paper notes the inadequacies of gradient-based methods in adversarial training when faced with multiple perturbations. Developing more effective gradient-free adversarial training procedures may offer paths forward.
• Scalable Certified Defenses: Extending certified defenses that offer provable guarantees to handle multiple perturbation types, albeit challenging, could provide more reliable robustness measures.
• Evaluation on More Complex Datasets: While MNIST and CIFAR10 offer insight, evaluating these methods on larger and more diverse datasets could reveal additional insights and challenges associated with multi-perturbation adversarial robustness.

This paper stands as a critical examination of current adversarial training practices and highlights the intrinsic trade-offs that emerge when attempting to defend against diverse adversarial attacks.