Adversarial Robustness against Multiple and Single $l_p$-Threat Models via Quick Fine-Tuning of Robust Classifiers

TL;DR

This paper introduces a fast and efficient adversarial training method called E-AT that enhances robustness against multiple $l_p$-threat models, achieving state-of-the-art results on CIFAR-10 and ImageNet with minimal training epochs.

Contribution

The paper proposes E-AT, a novel geometric-based adversarial training method that significantly reduces training time for multi-norm robustness and enables quick fine-tuning across different threat models.

Findings

E-AT costs up to three times less than existing methods.

A single epoch of E-AT suffices for ImageNet models to gain multi-norm robustness.

Achieved over 51% multi-norm robustness on CIFAR-10 and improved $l_1$-robustness via fine-tuning.

Abstract

A major drawback of adversarially robust models, in particular for large scale datasets like ImageNet, is the extremely long training time compared to standard ones. Moreover, models should be robust not only to one $l_p$-threat model but ideally to all of them. In this paper we propose Extreme norm Adversarial Training (E-AT) for multiple-norm robustness which is based on geometric properties of $l_p$-balls. E-AT costs up to three times less than other adversarial training methods for multiple-norm robustness. Using E-AT we show that for ImageNet a single epoch and for CIFAR-10 three epochs are sufficient to turn any $l_p$-robust model into a multiple-norm robust model. In this way we get the first multiple-norm robust model for ImageNet and boost the state-of-the-art for multiple-norm robustness to more than $51\%$ on CIFAR-10. Finally, we study the general transfer via fine-tuning of adversarial robustness between different individual $l_p$-threat models and improve the previous SOTA $l_1$-robustness on both CIFAR-10 and ImageNet. Extensive experiments show that our scheme works across datasets and architectures including vision transformers.