Robustifying ℓ∞ Adversarial Training to the Union of Perturbation Models
Abstract
Classical adversarial training (AT) frameworks are designed to achieve high adversarial accuracy against a single attack type, typically ℓ∞ norm-bounded perturbations. Recent extensions in AT have focused on defending against the union of multiple perturbations but this benefit is obtained at the expense of a significant (up to 10×) increase in training complexity over single-attack ℓ∞ AT. In this work, we expand the capabilities of widely popular single-attack ℓ∞ AT frameworks to provide robustness to the union of (ℓ∞, ℓ2, ℓ1) perturbations while preserving their training efficiency. Our technique, referred to as Shaped Noise Augmented Processing (SNAP), exploits a well-established byproduct of single-attack AT frameworks -- the reduction in the curvature of the decision boundary of networks. SNAP prepends a given deep net with a shaped noise augmentation layer whose distribution is learned along with network parameters using any standard single-attack AT. As a result, SNAP enhances adversarial accuracy of ResNet-18 on CIFAR-10 against the union of (ℓ∞, ℓ2, ℓ1) perturbations by 14%-to-20% for four state-of-the-art (SOTA) single-attack ℓ∞ AT frameworks, and, for the first time, establishes a benchmark for ResNet-50 and ResNet-101 on ImageNet.