Language-Driven Anchors for Zero-Shot Adversarial Robustness

TL;DR

This paper introduces LAAT, a novel zero-shot adversarial training method leveraging large vision-language models like CLIP, which improves robustness of DNNs to adversarial attacks on unseen categories by using semantic text anchors.

Contribution

LAAT is the first approach to incorporate language-driven anchors for zero-shot adversarial robustness, addressing issues of high similarity in text encoders with a new expansion and alignment loss.

Findings

LAAT significantly outperforms existing methods in zero-shot adversarial robustness.

The proposed expansion and alignment techniques effectively mitigate high cosine similarity issues.

Large-scale multimodal models can enhance adversarial robustness without labeled data during training.

Abstract

Deep Neural Networks (DNNs) are known to be susceptible to adversarial attacks. Previous researches mainly focus on improving adversarial robustness in the fully supervised setting, leaving the challenging domain of zero-shot adversarial robustness an open question. In this work, we investigate this domain by leveraging the recent advances in large vision-language models, such as CLIP, to introduce zero-shot adversarial robustness to DNNs. We propose LAAT, a Language-driven, Anchor-based Adversarial Training strategy. LAAT utilizes the features of a text encoder for each category as fixed anchors (normalized feature embeddings) for each category, which are then employed for adversarial training. By leveraging the semantic consistency of the text encoders, LAAT aims to enhance the adversarial robustness of the image model on novel categories. However, naively using text encoders leads to poor results. Through analysis, we identified the issue to be the high cosine similarity between text encoders. We then design an expansion algorithm and an alignment cross-entropy loss to alleviate the problem. Our experimental results demonstrated that LAAT significantly improves zero-shot adversarial robustness over state-of-the-art methods. LAAT has the potential to enhance adversarial robustness by large-scale multimodal models, especially when labeled data is unavailable during training.