A Useful Taxonomy for Adversarial Robustness of Neural Networks

TL;DR

This paper proposes a new taxonomy for adversarial robustness in neural networks, emphasizing feature space properties and challenging the assumed robustness-accuracy trade-off, offering fresh insights and research directions.

Contribution

It introduces a novel taxonomy that redefines defense strategies and questions the universality of the robustness-accuracy trade-off in adversarial defenses.

Findings

Increasing intra-class compactness enhances robustness.

Removing non-robust features improves adversarial resilience.

The robustness-accuracy trade-off may not be universal.

Abstract

Adversarial attacks and defenses are currently active areas of research for the deep learning community. A recent review paper divided the defense approaches into three categories; gradient masking, robust optimization, and adversarial example detection. We divide gradient masking and robust optimization differently: (1) increasing intra-class compactness and inter-class separation of the feature vectors improves adversarial robustness, and (2) marginalization or removal of non-robust image features also improves adversarial robustness. By reframing these topics differently, we provide a fresh perspective that provides insight into the underlying factors that enable training more robust networks and can help inspire novel solutions. In addition, there are several papers in the literature of adversarial defenses that claim there is a cost for adversarial robustness, or a trade-off between robustness and accuracy but, under this proposed taxonomy, we hypothesis that this is not universal. We follow up on our taxonomy with several challenges to the deep learning research community that builds on the connections and insights in this paper.