Visual Prompting for Adversarial Robustness
Aochuan Chen, Peter Lorenz, Yuguang Yao, Pin-Yu Chen, Sijia Liu

TL;DR
This paper introduces Class-wise Adversarial Visual Prompting (C-AVP), a novel method that enhances adversarial robustness of pre-trained models using class-specific prompts, achieving significant accuracy improvements and faster inference.
Contribution
It proposes C-AVP, a new visual prompting technique that improves adversarial robustness by generating class-wise prompts and optimizing their interactions.
Findings
C-AVP outperforms vanilla VP with a 2.1X accuracy gain.
C-AVP achieves a 2X robust accuracy improvement.
C-AVP provides 42X faster inference than classical defenses.
Abstract
In this work, we leverage visual prompting (VP) to improve the adversarial robustness of a fixed, pre-trained model at testing time. Compared to conventional adversarial defenses, VP allows us to design universal (i.e., data-agnostic) input prompting templates, which have plug-and-play capabilities at testing time to achieve the desired model performance without introducing much computation overhead. Although VP has been successfully applied to improving model generalization, it remains elusive whether and how it can be used to defend against adversarial attacks. We investigate this problem and show that the vanilla VP approach is not effective in adversarial defense, since a universal input prompt lacks the capacity for robust learning against sample-specific adversarial perturbations. To circumvent this, we propose a new VP method, termed Class-wise Adversarial Visual Prompting (C-AVP), to…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications
