TRIX- Trading Adversarial Fairness via Mixed Adversarial Training

TL;DR

TRIX introduces a class-aware adversarial training method that adaptively applies different attack strengths to strong and weak classes, significantly improving fairness and robustness in image classification.

Contribution

The paper proposes TRIX, a novel adversarial training framework that dynamically adjusts attack strategies per class to enhance fairness and robustness against adversarial attacks.

Findings

Improves worst-case class accuracy on clean and adversarial data.

Reduces inter-class robustness disparities.

Maintains overall accuracy while enhancing fairness.

Abstract

Adversarial Training (AT) is a widely adopted defense against adversarial examples. However, existing approaches typically apply a uniform training objective across all classes, overlooking disparities in class-wise vulnerability. This results in adversarial unfairness: classes with well distinguishable features (strong classes) tend to become more robust, while classes with overlapping or shared features(weak classes) remain disproportionately susceptible to adversarial attacks. We observe that strong classes do not require strong adversaries during training, as their non-robust features are quickly suppressed. In contrast, weak classes benefit from stronger adversaries to effectively reduce their vulnerabilities. Motivated by this, we introduce TRIX, a feature-aware adversarial training framework that adaptively assigns weaker targeted adversaries to strong classes, promoting feature diversity via uniformly sampled targets, and stronger untargeted adversaries to weak classes, enhancing their focused robustness. TRIX further incorporates per-class loss weighting and perturbation strength adjustments, building on prior work, to emphasize weak classes during the optimization. Comprehensive experiments on standard image classification benchmarks, including evaluations under strong attacks such as PGD and AutoAttack, demonstrate that TRIX significantly improves worst-case class accuracy on both clean and adversarial data, reducing inter-class robustness disparities, and preserves overall accuracy. Our results highlight TRIX as a practical step toward fair and effective adversarial defense.