Joint Adversarial Training: Incorporating both Spatial and Pixel Attacks

TL;DR

This paper introduces a joint adversarial training approach that combines spatial and pixel-based attacks to enhance model robustness against diverse adversarial threats, outperforming existing methods.

Contribution

It proposes a novel method integrating spatial transformation and pixel attacks into a unified training framework, with an explicit spatial attack algorithm and demonstrated effectiveness.

Findings

Improved robustness against spatial and pixel attacks.

Effective integration of attack types enhances model resilience.

Validated on multiple benchmark datasets with superior results.

Abstract

Conventional adversarial training methods using attacks that manipulate the pixel value directly and individually, leading to models that are less robust in face of spatial transformation-based attacks. In this paper, we propose a joint adversarial training method that incorporates both spatial transformation-based and pixel-value based attacks for improving model robustness. We introduce a spatial transformation-based attack with an explicit notion of budget and develop an algorithm for spatial attack generation. We further integrate both pixel and spatial attacks into one generation model and show how to leverage the complementary strengths of each other in training for improving the overall model robustness. Extensive experimental results on different benchmark datasets compared with state-of-the-art methods verified the effectiveness of the proposed method.