Robustness-via-synthesis: Robust training with generative adversarial perturbations

Abstract

Upon the discovery of adversarial attacks, robust models have become obligatory for deep learning-based systems. Adversarial training with first-order attacks has been one of the most effective defenses against adversarial perturbations to this day. The majority of the adversarial training approaches focus on iteratively perturbing each pixel with the gradient of the loss function with respect to the input image. However, the adversarial training with gradient-based attacks lacks diversity and does not generalize well to natural images and various attacks. This study presents a robust training algorithm where the adversarial perturbations are automatically synthesized from a random vector using a generator network. The classifier is trained with cross-entropy loss regularized with the optimal transport distance between the representations of the natural and synthesized adversarial samples. Unlike prevailing generative defenses, the proposed one-step attack generation framework synthesizes diverse perturbations without utilizing the gradient of the classifier’s loss. The main contributions of the proposed robust training framework are: i) preserving the state-of-the-art generalization performance of the deep model, ii) not requiring an iterative or recursive scheme, and iii) providing robustness that is comparable with the state-of-the-art in literature. Experimental results show that the proposed approach attains comparable robustness with various gradient-based and generative robust training techniques on CIFAR10, CIFAR100, SVHN, and Tiny ImageNet datasets. In addition, compared to the baselines, the proposed robust training framework generalizes well to the natural samples. Code and trained models are available here https://github.com/ALLab-Boun/robustness-via-synthesis.git.