A Unified Framework for Adversarial Attack and Defense in Constrained Feature Space

TL;DR

This paper introduces a unified framework for generating feasible adversarial examples under domain constraints, applicable across multiple fields, and proposes a novel defense method that enhances model robustness.

Contribution

The paper presents a versatile framework for constrained adversarial attacks and introduces a new defense strategy using engineered non-convex constraints.

Findings

Achieves up to 100% success rate in generating feasible adversarial examples across four domains.

The proposed defense matches the effectiveness of adversarial retraining.

Framework provides new baselines and datasets for future research.

Abstract

The generation of feasible adversarial examples is necessary for properly assessing models that work in constrained feature space. However, it remains a challenging task to enforce constraints into attacks that were designed for computer vision. We propose a unified framework to generate feasible adversarial examples that satisfy given domain constraints. Our framework can handle both linear and non-linear constraints. We instantiate our framework into two algorithms: a gradient-based attack that introduces constraints in the loss function to maximize, and a multi-objective search algorithm that aims for misclassification, perturbation minimization, and constraint satisfaction. We show that our approach is effective in four different domains, with a success rate of up to 100%, where state-of-the-art attacks fail to generate a single feasible example. In addition to adversarial retraining, we propose to introduce engineered non-convex constraints to improve model adversarial robustness. We demonstrate that this new defense is as effective as adversarial retraining. Our framework forms the starting point for research on constrained adversarial attacks and provides relevant baselines and datasets that future research can exploit.