Continual Adversarial Defense

TL;DR

This paper introduces the Continual Adversarial Defense (CAD) framework, which adaptively and efficiently defends visual classifiers against evolving adversarial attacks by online learning and continual adaptation techniques.

Contribution

The paper presents the first continual defense framework that adapts to new attacks online, integrating continual, few-shot, and ensemble learning principles for robust adversarial defense.

Findings

CAD outperforms baseline methods against multi-stage attacks.

Defense performance saturates with diverse attacks, indicating robustness.

The approach maintains high accuracy on both clean and adversarial data.

Abstract

In response to the rapidly evolving nature of adversarial attacks against visual classifiers, numerous defenses have been proposed to generalize against as many known attacks as possible. However, designing a defense method that generalizes to all types of attacks is unrealistic, as the environment in which the defense system operates is dynamic. Over time, new attacks inevitably emerge that exploit the vulnerabilities of existing defenses and bypass them. Therefore, we propose a continual defense strategy under a practical threat model and, for the first time, introduce the Continual Adversarial Defense (CAD) framework. CAD continuously collects adversarial data online and adapts to evolving attack sequences, while adhering to four practical principles: (1) continual adaptation to new attacks without catastrophic forgetting, (2) few-shot adaptation, (3) memory-efficient adaptation, and (4) high classification accuracy on both clean and adversarial data. We explore and integrate cutting-edge techniques from continual learning, few-shot learning, and ensemble learning to fulfill the principles. Extensive experiments validate the effectiveness of our approach against multi-stage adversarial attacks and demonstrate significant improvements over a wide range of baseline methods. We further observe that CAD's defense performance tends to saturate as the number of attacks increases, indicating its potential as a persistent defense once adapted to a sufficiently diverse set of attacks. Our research sheds light on a brand-new paradigm for continual defense adaptation against dynamic and evolving attacks.