Timezone: »

 
Toward Efficient Robust Training against Union of Lp Threat Models
Gaurang Sriramanan · Maharshi Gor · Soheil Feizi

Fri Jul 22 07:12 AM -- 07:18 AM (PDT) @
in New Frontiers in Adversarial Machine Learning »

The overwhelming vulnerability of deep neural networks to carefully crafted perturbations known as adversarial attacks has led to the development of various training techniques to produce robust models. While the primary focus of existing approaches has been directed toward addressing the worst-case performance achieved under a single-threat model, it is imperative that safety-critical systems are robust with respect to multiple threat models simultaneously. Existing approaches that address worst-case performance under the union of such threat models (e.g. L-infinity, L2, L1) either utilize adversarial training methods that require multi-step attacks which are computationally expensive in practice, or rely upon fine-tuning of pre-trained models that are robust with respect to a single-threat model. In this work, we show that by carefully choosing the objective function used for robust training, it is possible to achieve similar, or even improved worst-case performance over a union of threat models while utilizing only single-step attacks during the training, thereby achieving a significant reduction in computational resources necessary for training. Furthermore, prior work showed that adversarial training against the L1 threat model is relatively difficult, to the extent that even multi-step adversarially trained models were shown to be prone to gradient-masking and catastrophic overfitting. However, our proposed method—when applied on the L1 threat model specifically—enables us to obtain the first L1 robust model trained solely with single-step adversarial attacks.

Author Information

Gaurang Sriramanan (University of Maryland, College Park)
Maharshi Gor (Google)
Soheil Feizi (University of Maryland)

More from the Same Authors