LADDER: Latent Boundary-guided Adversarial Training

TL;DR

LADDER introduces a novel adversarial training method that generates high-quality adversarial examples in the latent space guided by decision boundary normals, improving robustness without sacrificing standard accuracy.

Contribution

The paper proposes LADDER, a new adversarial training framework that creates boundary-guided adversarial examples in the latent space, enhancing robustness and accuracy trade-offs.

Findings

LADDER outperforms baseline models on multiple datasets.

It achieves a better balance between accuracy and robustness.

Generated adversarial examples are high-quality and boundary-aware.

Abstract

Deep Neural Networks (DNNs) have recently achieved great success in many classification tasks. Unfortunately, they are vulnerable to adversarial attacks that generate adversarial examples with a small perturbation to fool DNN models, especially in model sharing scenarios. Adversarial training is proved to be the most effective strategy that injects adversarial examples into model training to improve the robustness of DNN models against adversarial attacks. However, adversarial training based on the existing adversarial examples fails to generalize well to standard, unperturbed test data. To achieve a better trade-off between standard accuracy and adversarial robustness, we propose a novel adversarial training framework called LAtent bounDary-guided aDvErsarial tRaining (LADDER) that adversarially trains DNN models on latent boundary-guided adversarial examples. As opposed to most of the existing methods that generate adversarial examples in the input space, LADDER generates a myriad of high-quality adversarial examples through adding perturbations to latent features. The perturbations are made along the normal of the decision boundary constructed by an SVM with an attention mechanism. We analyze the merits of our generated boundary-guided adversarial examples from a boundary field perspective and visualization view. Extensive experiments and detailed analysis on MNIST, SVHN, CelebA, and CIFAR-10 validate the effectiveness of LADDER in achieving a better trade-off between standard accuracy and adversarial robustness as compared with vanilla DNNs and competitive baselines.