Semi-supervised robust training with generalized perturbed neighborhood

Abstract

Adversarial examples have been shown to be a severe threat to deep neural networks (DNNs). One of the most effective adversarial defense methods is adversarial training (AT) through minimizing the adversarial risk Radv, which encourages both the benign example x and its adversarially perturbed neighborhoods within the ℓp-ball to be predicted as the ground-truth label. In this paper, we propose a novel defense method, the robust training (RT), by jointly minimizing two separated risks (i.e., Rstand and Rrob), which are with respect to the benign example and its neighborhoods, respectively. The motivation is to explicitly and jointly enhance the accuracy and the adversarial robustness. We prove that Radv is upper-bounded by Rstand+Rrob, which implies that RT has similar effect as AT. Intuitively, minimizing the standard risk enforces the benign example to be correctly predicted, while the robust risk minimization encourages the predictions of the neighbor examples to be consistent with the prediction of the benign example. Besides, since Rrob is independent of the ground-truth label, RT is naturally extended to the semi-supervised mode (i.e., SRT), to further enhance its effectiveness. Moreover, we extend the ℓp-bounded neighborhood to a general case, which covers different types of perturbations, such as the pixel-wise (i.e., x+δ) or the spatial perturbation (i.e., Ax+b). Extensive experiments on benchmark datasets not only verify the superiority of the proposed SRT to state-of-the-art methods for defending pixel-wise or spatial perturbations separately but also demonstrate its robustness to both perturbations simultaneously. Our work may shed the light on the understanding of universal model robustness and the potential of unlabeled samples. The code for reproducing main results is available at https://github.com/THUYimingLi/Semi-supervised_Robust_Training.