Harnessing the Vulnerability of Latent Layers in Adversarially Trained Models

TL;DR

This paper investigates the vulnerability of latent layers in adversarially trained neural networks, revealing their susceptibility to attacks and proposing a new training method to enhance robustness at the feature level.

Contribution

It introduces Latent Adversarial Training (LAT), a novel fine-tuning approach targeting latent layer robustness, and Latent Attack (LA), a new adversarial example construction algorithm.

Findings

LAT improves adversarial accuracy against PGD attacks

Latent layers are more vulnerable than input layers in robust models

Achieves state-of-the-art results on MNIST, CIFAR-10, CIFAR-100 datasets

Abstract

Neural networks are vulnerable to adversarial attacks -- small visually imperceptible crafted noise which when added to the input drastically changes the output. The most effective method of defending against these adversarial attacks is to use the methodology of adversarial training. We analyze the adversarially trained robust models to study their vulnerability against adversarial attacks at the level of the latent layers. Our analysis reveals that contrary to the input layer which is robust to adversarial attack, the latent layer of these robust models are highly susceptible to adversarial perturbations of small magnitude. Leveraging this information, we introduce a new technique Latent Adversarial Training (LAT) which comprises of fine-tuning the adversarially trained models to ensure the robustness at the feature layers. We also propose Latent Attack (LA), a novel algorithm for construction of adversarial examples. LAT results in minor improvement in test accuracy and leads to a state-of-the-art adversarial accuracy against the universal first-order adversarial PGD attack which is shown for the MNIST, CIFAR-10, CIFAR-100 datasets.