Constant Random Perturbations Provide Adversarial Robustness with Minimal Effect on Accuracy
Bronya Roni Chernyak, Bhiksha Raj, Tamir Hazan, Joseph Keshet

TL;DR
This paper introduces a simple, attack-independent method that enhances neural network robustness by augmenting the training data with constant, neighborhood-based perturbations, achieving better standard accuracy than other defenses and increased robustness, with minimal loss of accuracy.
Contribution
The paper presents a novel data augmentation technique using fixed neighborhood perturbations that improves adversarial robustness without adversarial training.
Findings
Improves standard accuracy compared to other defenses.
Increases robustness against various attacks.
Effective on MNIST, SVHN, and CIFAR-10 datasets.
Abstract
This paper proposes an attack-independent (non-adversarial training) technique for improving adversarial robustness of neural network models, with minimal loss of standard accuracy. We suggest creating a neighborhood around each training example, such that the label is kept constant for all inputs within that neighborhood. Unlike previous work that follows a similar principle, we apply this idea by extending the training set with multiple perturbations for each training example, drawn from within the neighborhood. These perturbations are model independent, and remain constant throughout the entire training process. We analyzed our method empirically on MNIST, SVHN, and CIFAR-10, under different attacks and conditions. Results suggest that the proposed approach improves standard accuracy over other defenses while having increased robustness compared to vanilla adversarial training.
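A sketch of the augmentation the abstract describes, as an added example that is not the paper's code. The neighborhood shape (an L-infinity ball of radius `eps`), uniform sampling, the number of copies `k`, clipping to [0, 1] and all function names are assumptions, since the page does not specify them.

```python
import random

def constant_perturbations(x, index, k, eps, seed=0, lo=0.0, hi=1.0):
    """Return k noisy copies of x, each within L-inf distance eps of x.

    The noise depends only on (seed, index), never on the model, so the
    same copies come back on every call and stay fixed for all epochs.
    """
    rng = random.Random(seed * 1_000_003 + index)  # one stream per example
    copies = []
    for _ in range(k):
        # Clipping to the valid input range cannot move a point farther
        # from x, provided x itself lies inside [lo, hi].
        copies.append([min(hi, max(lo, v + rng.uniform(-eps, eps))) for v in x])
    return copies

def extend_training_set(xs, ys, k, eps, seed=0):
    """Build the extended set once, before training starts."""
    out_x, out_y = [], []
    for i, (x, y) in enumerate(zip(xs, ys)):
        out_x.append(list(x))
        out_y.append(y)
        for p in constant_perturbations(x, i, k, eps, seed):
            out_x.append(p)
            out_y.append(y)  # label is held constant inside the neighborhood
    return out_x, out_y

def linf(a, b):
    """L-infinity distance between two equal-length vectors."""
    return max(abs(u - v) for u, v in zip(a, b))

# Constructed toy inputs (4 "pixels" each, values in [0, 1]) and labels.
SAMPLE_X = [[0.0, 0.5, 1.0, 0.25], [0.9, 0.1, 0.4, 0.6]]
SAMPLE_Y = [3, 7]

if __name__ == "__main__":
    aug_x, aug_y = extend_training_set(SAMPLE_X, SAMPLE_Y, k=3, eps=0.1)
    for x, y in zip(aug_x, aug_y):
        print(y, [round(v, 3) for v in x])
```

Because the extended set is built once and does not depend on model gradients, it can be cached to disk and reused across runs and architectures, unlike adversarial training where perturbations are recomputed against the current model.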
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications
