Robustness-via-Synthesis: Robust Training with Generative Adversarial Perturbations
Inci M. Baytas, Debayan Deb

TL;DR
This paper introduces a novel robust training method that synthesizes diverse adversarial perturbations using a generator network, improving generalization and robustness against various attacks in deep learning models.
Contribution
It proposes a generator-based adversarial synthesis approach that does not rely on gradient-based attacks, enhancing diversity and generalization in adversarial training.
Findings
Achieves comparable robustness to existing methods on CIFAR datasets
Generalizes well to natural samples beyond adversarial examples
Does not require gradient information for attack synthesis
Abstract
Upon the discovery of adversarial attacks, robust models have become obligatory for deep learning-based systems. Adversarial training with first-order attacks has been one of the most effective defenses against adversarial perturbations to this day. The majority of the adversarial training approaches focus on iteratively perturbing each pixel with the gradient of the loss function with respect to the input image. However, the adversarial training with gradient-based attacks lacks diversity and does not generalize well to natural images and various attacks. This study presents a robust training algorithm where the adversarial perturbations are automatically synthesized from a random vector using a generator network. The classifier is trained with cross-entropy loss regularized with the optimal transport distance between the representations of the natural and synthesized adversarial…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Digital Media Forensic Detection · Anomaly Detection Techniques and Applications
