Splitting the Difference on Adversarial Training

TL;DR

This paper introduces a novel adversarial training method that splits each class into 'clean' and 'adversarial' subclasses, simplifying decision boundaries and achieving high robustness without sacrificing natural accuracy.

Contribution

The work proposes a new approach to adversarial training by treating perturbed examples as separate classes, improving robustness while maintaining near-optimal natural accuracy.

Findings

Achieves 95.01% natural accuracy on CIFAR-10.

Provides theoretical justification for the class-splitting approach.

Demonstrates robustness across multiple tasks.

Abstract

The existence of adversarial examples points to a basic weakness of deep neural networks. One of the most effective defenses against such examples, adversarial training, entails training models with some degree of robustness, usually at the expense of a degraded natural accuracy. Most adversarial training methods aim to learn a model that finds, for each class, a common decision boundary encompassing both the clean and perturbed examples. In this work, we take a fundamentally different approach by treating the perturbed examples of each class as a separate class to be learned, effectively splitting each class into two classes: "clean" and "adversarial." This split doubles the number of classes to be learned, but at the same time considerably simplifies the decision boundaries. We provide a theoretical plausibility argument that sheds some light on the conditions under which our approach can be expected to be beneficial. Likewise, we empirically demonstrate that our method learns robust models while attaining optimal or near-optimal natural accuracy, e.g., on CIFAR-10 we obtain near-optimal natural accuracy of $95.01\%$ alongside significant robustness across multiple tasks. The ability to achieve such near-optimal natural accuracy, while maintaining a significant level of robustness, makes our method applicable to real-world applications where natural accuracy is at a premium. As a whole, our main contribution is a general method that confers a significant level of robustness upon classifiers with only minor or negligible degradation of their natural accuracy.