Towards Model-Agnostic Adversarial Defenses using Adversarially Trained Autoencoders

TL;DR

This paper introduces AAA, a model-agnostic adversarial defense using autoencoders that enhances robustness across multiple classifiers and datasets without retraining the classifiers.

Contribution

It proposes AAA, the first model-agnostic adversarial defense method that protects multiple classifiers simultaneously using a single autoencoder.

Findings

Achieves comparable or better adversarial robustness than traditional adversarial training.

Improves robustness of unseen classifiers by at least 45% on MNIST and Fashion MNIST.

Enhances natural image robustness, indicating true adversarial defense effectiveness.

Abstract

Adversarial machine learning is a well-studied field of research where an adversary causes predictable errors in a machine learning algorithm through precise manipulation of the input. Numerous techniques have been proposed to harden machine learning algorithms and mitigate the effect of adversarial attacks. Of these techniques, adversarial training, which augments the training data with adversarial samples, has proven to be an effective defense with respect to a certain class of attacks. However, adversarial training is computationally expensive and its improvements are limited to a single model. In this work, we take a first step toward creating a model-agnostic adversarial defense. We propose Adversarially-Trained Autoencoder Augmentation (AAA), the first model-agnostic adversarial defense that is robust against certain adaptive adversaries. We show that AAA allows us to achieve a partially model-agnostic defense by training a single autoencoder to protect multiple pre-trained classifiers; achieving adversarial performance on par or better than adversarial training without modifying the classifiers. Furthermore, we demonstrate that AAA can be used to create a fully model-agnostic defense for MNIST and Fashion MNIST datasets by improving the adversarial performance of a never before seen pre-trained classifier by at least 45% with no additional training. Finally, using a natural image corruption dataset, we show that our approach improves robustness to naturally corrupted images,which has been identified as strongly indicative of true adversarial robustness.