On the Effect of Adversarial Training Against Invariance-based Adversarial Examples

TL;DR

This paper investigates the impact of adversarial training against invariance-based adversarial examples on CNNs, revealing that simultaneous training with both types enhances robustness and correcting label determination issues in prior methods.

Contribution

It demonstrates that simultaneous adversarial training with both perturbation-based and invariance-based examples improves robustness and addresses label correctness in invariance-based example generation.

Findings

Simultaneous training yields higher robustness against both adversarial types.

Correcting label determination improves the effectiveness of invariance-based adversarial examples.

Adversarial training with both types is more effective than sequential training.

Abstract

Adversarial examples are carefully crafted attack points that are supposed to fool machine learning classifiers. In the last years, the field of adversarial machine learning, especially the study of perturbation-based adversarial examples, in which a perturbation that is not perceptible for humans is added to the images, has been studied extensively. Adversarial training can be used to achieve robustness against such inputs. Another type of adversarial examples are invariance-based adversarial examples, where the images are semantically modified such that the predicted class of the model does not change, but the class that is determined by humans does. How to ensure robustness against this type of adversarial examples has not been explored yet. This work addresses the impact of adversarial training with invariance-based adversarial examples on a convolutional neural network (CNN). We show that when adversarial training with invariance-based and perturbation-based adversarial examples is applied, it should be conducted simultaneously and not consecutively. This procedure can achieve relatively high robustness against both types of adversarial examples. Additionally, we find that the algorithm used for generating invariance-based adversarial examples in prior work does not correctly determine the labels and therefore we use human-determined labels.