Universal Adversarial Training with Class-Wise Perturbations

TL;DR

This paper introduces a novel class-wise universal adversarial training method that enhances CNN robustness by addressing class imbalance in universal perturbations, leading to improved accuracy and robustness.

Contribution

It proposes using class-wise UAPs during adversarial training, improving upon state-of-the-art universal adversarial training methods.

Findings

Enhanced robustness against universal attacks across multiple datasets.

Improved clean accuracy compared to previous methods.

Demonstrated effectiveness of class-wise perturbations in adversarial training.

Abstract

Despite their overwhelming success on a wide range of applications, convolutional neural networks (CNNs) are widely recognized to be vulnerable to adversarial examples. This intriguing phenomenon led to a competition between adversarial attacks and defense techniques. So far, adversarial training is the most widely used method for defending against adversarial attacks. It has also been extended to defend against universal adversarial perturbations (UAPs). The SOTA universal adversarial training (UAT) method optimizes a single perturbation for all training samples in the mini-batch. In this work, we find that a UAP does not attack all classes equally. Inspired by this observation, we identify it as the source of the model having unbalanced robustness. To this end, we improve the SOTA UAT by proposing to utilize class-wise UAPs during adversarial training. On multiple benchmark datasets, our class-wise UAT leads superior performance for both clean accuracy and adversarial robustness against universal attack.