Adversarial Learning with Cost-Sensitive Classes

TL;DR

This paper introduces a cost-sensitive adversarial learning framework that enhances the robustness of protected classes against adversarial attacks, revealing a Min-Max property in neural network training and demonstrating improved accuracy under attack.

Contribution

It combines cost-sensitive classification with adversarial learning and uncovers a Min-Max property, leading to a new defense model that improves robustness of protected classes.

Findings

The Min-Max property involves most parameters approaching zero while a few grow larger.

The proposed model outperforms standard models in protected class accuracy under attack.

The model's overall accuracy is comparable to existing models when no attack occurs.

Abstract

It is necessary to improve the performance of some special classes or to particularly protect them from attacks in adversarial learning. This paper proposes a framework combining cost-sensitive classification and adversarial learning together to train a model that can distinguish between protected and unprotected classes, such that the protected classes are less vulnerable to adversarial examples. We find in this framework an interesting phenomenon during the training of deep neural networks, called Min-Max property, that is, the absolute values of most parameters in the convolutional layer approach zero while the absolute values of a few parameters are significantly larger becoming bigger. Based on this Min-Max property which is formulated and analyzed in a view of random distribution, we further build a new defense model against adversarial examples for adversarial robustness improvement. An advantage of the built model is that it performs better than the standard one and can combine with adversarial training to achieve an improved performance. It is experimentally confirmed that, regarding the average accuracy of all classes, our model is almost as same as the existing models when an attack does not occur and is better than the existing models when an attack occurs. Specifically, regarding the accuracy of protected classes, the proposed model is much better than the existing models when an attack occurs.