Adversarial Robustness Against the Union of Multiple Perturbation Models
Pratyush Maini, Eric Wong, J. Zico Kolter

TL;DR
This paper introduces a generalized attack method that optimizes robustness against multiple adversarial perturbation models simultaneously, leading to improved defense performance on standard datasets.
Contribution
It proposes a new PGD-based approach that considers the worst-case over multiple perturbation models, enabling training of models robust against several attack types at once.
Findings
Achieves 47.0% adversarial accuracy on CIFAR10 against the union of the perturbation models.
Outperforms previous methods, which reach 40.6% accuracy on the same union of attack models.
Effectively balances robustness across different perturbation types.
Abstract
Owing to the susceptibility of deep learning systems to adversarial attacks, there has been a great deal of work in developing (both empirically and certifiably) robust classifiers. While most work has defended against a single type of attack, recent work has looked at defending against multiple perturbation models using simple aggregations of multiple attacks. However, these methods can be difficult to tune, and can easily result in imbalanced degrees of robustness to individual perturbation models, resulting in a sub-optimal worst-case loss over the union. In this work, we develop a natural generalization of the standard PGD-based procedure to incorporate multiple perturbation models into a single attack, by taking the worst-case over all steepest descent directions. This approach has the advantage of directly converging upon a trade-off between different perturbation models which…
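As an added illustration (not code from the paper or its authors), the following pure-Python sketch runs the worst-case-over-steepest-descent idea from the abstract on a constructed two-dimensional logistic-regression model: at each iteration it takes the steepest-ascent step for the l_inf, l_2 and l_1 norms, projects each candidate onto its own epsilon ball, and keeps whichever candidate gives the highest loss, which is the inner maximisation a defender runs during adversarial training. Restricting it to a single norm gives ordinary PGD for comparison. The weights, input, epsilon values and step sizes are constructed, and the single-coordinate l_1 step is a simplification assumed here rather than the paper's exact step.

```python
import math

# Constructed toy model (not from the paper): logistic regression on 2-D inputs.
# loss(x, y) = log(1 + exp(-y * (w.x + b))) with label y in {-1, +1}.
W = [2.0, -1.0]
B = 0.0

def dot(a, b):
    return sum(ai * bi for ai, bi in zip(a, b))

def loss(x, y, w=W, b=B):
    return math.log1p(math.exp(-y * (dot(w, x) + b)))

def grad_x(x, y, w=W, b=B):
    # d loss / d x = -y * w / (1 + exp(y * (w.x + b)))
    s = 1.0 / (1.0 + math.exp(y * (dot(w, x) + b)))
    return [-y * s * wi for wi in w]

def sign(v):
    return 1.0 if v > 0 else -1.0 if v < 0 else 0.0

# Steepest-ascent direction on the loss for each norm, scaled by step size alpha.
def step_linf(g, alpha):
    return [alpha * sign(gi) for gi in g]

def step_l2(g, alpha):
    n = math.sqrt(sum(gi * gi for gi in g)) or 1.0
    return [alpha * gi / n for gi in g]

def step_l1(g, alpha):
    # Simplified l1 step (assumption): move only the coordinate with the
    # largest gradient magnitude; the paper's l1 step may differ.
    i = max(range(len(g)), key=lambda k: abs(g[k]))
    d = [0.0] * len(g)
    d[i] = alpha * sign(g[i])
    return d

# Projection of a perturbation onto the epsilon ball of each norm.
def proj_linf(d, eps):
    return [max(-eps, min(eps, di)) for di in d]

def proj_l2(d, eps):
    n = math.sqrt(sum(di * di for di in d))
    return list(d) if n <= eps else [eps * di / n for di in d]

def proj_l1(d, eps):
    # Euclidean projection onto the l1 ball by sort-and-threshold.
    if sum(abs(di) for di in d) <= eps:
        return list(d)
    u = sorted((abs(di) for di in d), reverse=True)
    css, theta = 0.0, 0.0
    for j, uj in enumerate(u, start=1):
        css += uj
        t = (css - eps) / j
        if uj - t > 0:
            theta = t
        else:
            break
    return [math.copysign(max(abs(di) - theta, 0.0), di) for di in d]

NORMS = {"linf": (step_linf, proj_linf), "l2": (step_l2, proj_l2), "l1": (step_l1, proj_l1)}

def norm_of(d, name):
    if name == "linf":
        return max(abs(di) for di in d)
    if name == "l2":
        return math.sqrt(sum(di * di for di in d))
    return sum(abs(di) for di in d)

def msd_attack(x0, y, eps, alpha, steps, names=None):
    """Worst case over steepest-descent directions: at each iteration take the
    step for every norm in `names`, project each candidate onto its own ball and
    keep the one with the highest loss. One norm in `names` gives plain PGD.
    Returns (delta, list of the norm chosen at each step)."""
    names = list(NORMS) if names is None else names
    delta = [0.0] * len(x0)
    history = []
    for _ in range(steps):
        g = grad_x([xi + di for xi, di in zip(x0, delta)], y)
        best = None
        for name in names:
            step, proj = NORMS[name]
            cand = proj([di + si for di, si in zip(delta, step(g, alpha[name]))], eps[name])
            l_cand = loss([xi + ci for xi, ci in zip(x0, cand)], y)
            if best is None or l_cand > best[0]:
                best = (l_cand, cand, name)
        delta = best[1]
        history.append(best[2])
    return delta, history

def demo():
    # Constructed input: a correctly classified point (w.x0 = 0.5, y = +1).
    x0, y = [0.5, 0.5], 1
    eps = {"linf": 0.2, "l2": 0.3, "l1": 0.4}
    alpha = {"linf": 0.05, "l2": 0.1, "l1": 0.2}
    delta, history = msd_attack(x0, y, eps, alpha, steps=10)
    x_adv = [xi + di for xi, di in zip(x0, delta)]
    # Single-norm PGD for each ball, for comparison with the worst-case choice.
    single = {}
    for n in NORMS:
        d_n, _ = msd_attack(x0, y, eps, alpha, 10, [n])
        single[n] = loss([xi + di for xi, di in zip(x0, d_n)], y)
    return {"clean_loss": loss(x0, y), "adv_loss": loss(x_adv, y), "delta": delta,
            "history": history, "single_norm_loss": single,
            "in_last_ball": norm_of(delta, history[-1]) <= eps[history[-1]] + 1e-9}

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

On this toy model the l_1 ball is the one that reduces the margin most, so the worst-case selection settles on it at every step and ends with a perturbation at least as damaging as any of the three single-norm PGD runs; the returned history shows which norm won each iteration, which is the kind of balance-across-perturbation-types signal the abstract refers to.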
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Bacillus and Francisella bacterial research
