Interpolated Joint Space Adversarial Training for Robust and Generalizable Defenses
Chun Pong Lau, Jiang Liu, Hossein Souri, Wei-An Lin, Soheil Feizi, Rama Chellappa

TL;DR
This paper introduces Interpolated Joint Space Adversarial Training (IJSAT), a novel method leveraging manifold information and a new threat model to improve adversarial robustness, generalization, and accuracy across multiple datasets.
Contribution
It proposes a new threat model called Joint Space Threat Model (JSTM), develops novel attacks and defenses under this model, and introduces the Robust Mixup strategy to enhance robustness and prevent overfitting.
Findings
IJSAT improves robustness and accuracy on CIFAR-10/100, OM-ImageNet, and CIFAR-10-C datasets.
Robust Mixup enhances model robustness without sacrificing standard accuracy.
IJSAT can be integrated with existing adversarial training methods for better performance.
Abstract
Adversarial training (AT) is considered to be one of the most reliable defenses against adversarial attacks. However, models trained with AT sacrifice standard accuracy and do not generalize well to novel attacks. Recent works show generalization improvement with adversarial samples under novel threat models such as the on-manifold threat model or the neural perceptual threat model. However, the former requires exact manifold information while the latter requires algorithm relaxation. Motivated by these considerations, we exploit the underlying manifold information with Normalizing Flow, ensuring that the exact manifold assumption holds. Moreover, we propose a novel threat model called Joint Space Threat Model (JSTM), which can serve as a special case of the neural perceptual threat model that does not require additional relaxation to craft the corresponding adversarial attacks. Under JSTM, we…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications
Methods: Mixup
