Defending Against Unforeseen Failure Modes with Latent Adversarial Training

TL;DR

Latent adversarial training (LAT) enhances AI robustness by defending against unforeseen failure modes without prior knowledge of specific attacks, improving performance on both clean and adversarial data across multiple tasks.

Contribution

This work introduces LAT as a novel defense mechanism that leverages latent representations to protect against unknown vulnerabilities without requiring attack-specific data.

Findings

LAT improves robustness to unseen attacks.

LAT enhances performance on clean data.

LAT effectively defends against backdoors and novel adversarial attacks.

Abstract

Despite extensive diagnostics and debugging by developers, AI systems sometimes exhibit harmful unintended behaviors. Finding and fixing these is challenging because the attack surface is so large -- it is not tractable to exhaustively search for inputs that may elicit harmful behaviors. Red-teaming and adversarial training (AT) are commonly used to improve robustness, however, they empirically struggle to fix failure modes that differ from the attacks used during training. In this work, we utilize latent adversarial training (LAT) to defend against vulnerabilities without leveraging knowledge of what they are or using inputs that elicit them. LAT makes use of the compressed, abstract, and structured latent representations of concepts that the network actually uses for prediction. Here, we use it to defend against failure modes without examples that elicit them. Specifically, we use LAT to remove backdoors and defend against held-out classes of adversarial attacks. We show in image classification, text classification, and text generation tasks that LAT usually improves both robustness to novel attacks and performance on clean data relative to AT. This suggests that LAT can be a promising tool for defending against failure modes that are not explicitly identified by developers.