Adversarial Robustness Across Representation Spaces

TL;DR

This paper introduces a theoretically grounded method to train neural networks that are robust against adversarial perturbations across multiple representation spaces, including different basis transforms and norms, with proven guarantees.

Contribution

It presents a novel algorithm with formal guarantees for multi-space adversarial robustness, extending robustness beyond pixel space to other representations like DCT.

Findings

Effective robustness demonstrated on standard image classification datasets.

Guarantees hold for multiple $ ext{l}_p$ norm based attacks.

Algorithm outperforms existing methods in robustness metrics.

Abstract

Adversarial robustness corresponds to the susceptibility of deep neural networks to imperceptible perturbations made at test time. In the context of image tasks, many algorithms have been proposed to make neural networks robust to adversarial perturbations made to the input pixels. These perturbations are typically measured in an $\ell_p$ norm. However, robustness often holds only for the specific attack used for training. In this work we extend the above setting to consider the problem of training of deep neural networks that can be made simultaneously robust to perturbations applied in multiple natural representation spaces. For the case of image data, examples include the standard pixel representation as well as the representation in the discrete cosine transform~(DCT) basis. We design a theoretically sound algorithm with formal guarantees for the above problem. Furthermore, our guarantees also hold when the goal is to require robustness with respect to multiple $\ell_p$ norm based attacks. We then derive an efficient practical implementation and demonstrate the effectiveness of our approach on standard datasets for image classification.