Towards Out-of-Distribution Adversarial Robustness

22 Sept 2022 (modified: 12 Mar 2024) · ICLR 2023 Conference Withdrawn Submission · Readers: Everyone
Keywords: adversarial, robustness, REx, OOD
TL;DR: We use the out-of-distribution generalisation approach of Risk Extrapolation (REx) to obtain superior robustness against multiple adversarial attacks, which generalises to attacks not seen during training.
Abstract: Adversarial robustness continues to be a major challenge for deep learning. A core issue is that robustness to one type of attack often fails to transfer to other attacks. While prior work establishes a theoretical trade-off in robustness against different $L_p$ norms, we show that there is potential for improvement against many commonly used attacks by adopting a domain generalisation approach. Concretely, we treat each type of attack as a domain, and apply the Risk Extrapolation method (REx), which promotes similar levels of robustness against all training attacks. Compared to existing methods, we obtain similar or superior worst-case adversarial robustness on attacks seen during training. Moreover, we achieve superior performance on families or tunings of attacks only encountered at test time. On ensembles of attacks, our approach improves accuracy from 3.4% for the best existing baseline to 25.9% on MNIST, and from 16.9% to 23.5% on CIFAR10.
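The recipe in the abstract, one attack type per domain with REx applied across the domains, as an added example (my code, not the paper's or the authors'). It uses the V-REx form of REx from Krueger et al., mean of the per-domain risks plus beta times their variance, on a toy linear classifier where the worst-case L_inf and L_2 perturbations have closed forms, so each attack's risk is exact and differentiable without an inner PGD loop. The dataset, the two attack radii, beta, the ridge term and the optimiser settings are all assumptions for illustration and are not values from the paper; the paper uses neural networks and iterative attacks.

```python
"""Attack-as-domain REx on a linear model (illustrative example, not the paper's code)."""
import numpy as np

# Constructed, symmetric 2-D dataset: label +1 points, mirrored for label -1.
_POS = np.array([
    [1.0, 0.2], [1.2, 0.6], [0.8, 0.9], [1.5, 0.1], [0.9, -0.3],
    [0.3, 0.8], [0.5, -0.6], [1.1, 0.4],
])
X = np.vstack([_POS, -_POS])
Y = np.concatenate([np.ones(len(_POS)), -np.ones(len(_POS))])

# Attack "domains": (name, norm, radius).  Radii are assumptions.
ATTACKS = [("linf", 1, 0.4), ("l2", 2, 0.6)]
RIDGE = 1e-3  # small weight decay so the optimum is finite (assumption)


def attack_risk(w, norm, eps):
    """Adversarial logistic risk and its gradient for the linear score w.x.

    The strongest perturbation inside an L_p ball of radius eps lowers every
    margin y*w.x by exactly eps*||w||_q, q the dual norm: ||w||_1 (direction
    sign(w)) for L_inf, ||w||_2 (direction w/||w||_2) for L_2.
    """
    w = np.asarray(w, dtype=float)
    if norm == 1:                         # L_inf ball -> dual L_1 norm
        pen, dpen = np.abs(w).sum(), np.sign(w)
    else:                                 # L_2 ball -> dual L_2 norm
        n2 = np.linalg.norm(w)
        pen, dpen = n2, w / n2
    margin = Y * (X @ w) - eps * pen                  # worst-case margins
    loss = np.logaddexp(0.0, -margin)                 # log(1 + e^{-m})
    dloss_dm = -np.exp(-np.logaddexp(0.0, margin))    # -sigmoid(-m), stable
    grad = (dloss_dm[:, None] * (Y[:, None] * X - eps * dpen)).mean(axis=0)
    return float(loss.mean()), grad


def vrex_value(risks, beta):
    """V-REx objective: mean_e R_e + beta * Var_e R_e (population variance)."""
    risks = np.asarray(risks, dtype=float)
    return float(risks.mean() + beta * risks.var())


def vrex_objective(w, beta):
    """Objective, gradient and per-attack risks; beta = 0 is ERM over attacks."""
    w = np.asarray(w, dtype=float)
    risks, grads = zip(*(attack_risk(w, n, e) for _, n, e in ATTACKS))
    risks, grads = np.array(risks), np.array(grads)
    centred = risks - risks.mean()
    # d Var/dw = (2/E) * sum_e (R_e - mean) * dR_e/dw
    grad = grads.mean(axis=0) + beta * (2.0 / len(risks)) * (centred @ grads)
    obj = vrex_value(risks, beta) + RIDGE * float(w @ w)
    return obj, grad + 2.0 * RIDGE * w, risks


def train(beta, steps=4000, lr=0.05):
    """Plain gradient descent from a fixed start (settings are assumptions)."""
    w = np.array([0.5, 0.1])
    for _ in range(steps):
        _, g, _ = vrex_objective(w, beta)
        w = w - lr * g
    _, _, risks = vrex_objective(w, beta)
    return w, {name: float(r) for (name, _, _), r in zip(ATTACKS, risks)}


def run_demo(beta=10.0):
    """Compare ERM over pooled attacks (beta=0) with V-REx (beta>0)."""
    out = {}
    for label, b in (("erm", 0.0), ("vrex", beta)):
        w, risks = train(b)
        out[label] = {"w": w, "risks": risks,
                      "gap": abs(risks["linf"] - risks["l2"]),
                      "worst": max(risks.values())}
    return out


if __name__ == "__main__":
    for label, res in run_demo().items():
        print(f"{label:5s} w={np.round(res['w'], 3)} "
              f"R_linf={res['risks']['linf']:.3f} R_l2={res['risks']['l2']:.3f} "
              f"gap={res['gap']:.3f} worst={res['worst']:.3f}")
```

Running it prints the two per-attack risks, their gap and the worst case for ERM and for V-REx. With these radii the L_2 attack hurts a linear model more than the L_inf one for every non-zero w (0.6 ||w||_2 exceeds 0.4 ||w||_1 in two dimensions), so ERM leaves a positive gap; the variance penalty narrows it, which is the "similar levels of robustness against all training attacks" the abstract describes. Whether the worst-case risk also drops depends on the radii and beta, so read it off the output for your own settings rather than assuming it.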
Primary Area: Deep Learning and representational learning
Supplementary Material: zip
Community Implementations: 2 code implementations listed on CatalyzeX (https://www.catalyzex.com/paper/arxiv:2210.03150/code)