Parameter-Saving Adversarial Training: Reinforcing Multi-Perturbation Robustness via Hypernetworks

TL;DR

This paper introduces PSAT, a hypernetwork-based adversarial training method that enhances robustness against multiple perturbations while significantly reducing model parameters, outperforming existing approaches.

Contribution

Proposes a novel multi-perturbation adversarial training framework using hypernetworks to improve robustness and parameter efficiency simultaneously.

Findings

Achieves state-of-the-art robustness against various attacks.

Saves approximately 80% of parameters on CIFAR-10 with ResNet-50.

Outperforms existing methods in robustness trade-offs.

Abstract

Adversarial training serves as one of the most popular and effective methods to defend against adversarial perturbations. However, most defense mechanisms only consider a single type of perturbation while various attack methods might be adopted to perform stronger adversarial attacks against the deployed model in real-world scenarios, e.g., $\ell_2$ or $\ell_\infty$. Defending against various attacks can be a challenging problem since multi-perturbation adversarial training and its variants only achieve suboptimal robustness trade-offs, due to the theoretical limit to multi-perturbation robustness for a single model. Besides, it is impractical to deploy large models in some storage-efficient scenarios. To settle down these drawbacks, in this paper we propose a novel multi-perturbation adversarial training framework, parameter-saving adversarial training (PSAT), to reinforce multi-perturbation robustness with an advantageous side effect of saving parameters, which leverages hypernetworks to train specialized models against a single perturbation and aggregate these specialized models to defend against multiple perturbations. Eventually, we extensively evaluate and compare our proposed method with state-of-the-art single/multi-perturbation robust methods against various latest attack methods on different datasets, showing the robustness superiority and parameter efficiency of our proposed method, e.g., for the CIFAR-10 dataset with ResNet-50 as the backbone, PSAT saves approximately 80\% of parameters with achieving the state-of-the-art robustness trade-off accuracy.