Deep Adversarial Defense Against Multilevel-Lp Attacks

TL;DR

This paper proposes a computationally efficient multilevel _p defense method, EMRC, that enhances deep learning models' robustness against multiple _p-norm adversarial attacks by blending _1 and _ solutions.

Contribution

Introduces EMRC, a novel method blending _1 and _ adversarial models to defend against multiple _p attacks, improving robustness over traditional adversarial training.

Findings

EMRC outperforms AT-_, E-AT, and MSD in experiments.

Effective on datasets CIFAR-10 and CIFAR-100 with various architectures.

Provides better robustness against multiple _p attacks.

Abstract

Deep learning models have shown considerable vulnerability to adversarial attacks, particularly as attacker strategies become more sophisticated. While traditional adversarial training (AT) techniques offer some resilience, they often focus on defending against a single type of attack, e.g., the $\ell_\infty$-norm attack, which can fail for other types. This paper introduces a computationally efficient multilevel $\ell_p$ defense, called the Efficient Robust Mode Connectivity (EMRC) method, which aims to enhance a deep learning model's resilience against multiple $\ell_p$-norm attacks. Similar to analytical continuation approaches used in continuous optimization, the method blends two $p$-specific adversarially optimal models, the $\ell_1$- and $\ell_\infty$-norm AT solutions, to provide good adversarial robustness for a range of $p$. We present experiments demonstrating that our approach performs better on various attacks as compared to AT-$\ell_\infty$, E-AT, and MSD, for datasets/architectures including: CIFAR-10, CIFAR-100 / PreResNet110, WideResNet, ViT-Base.