Meta Adversarial Training
Keywords: robustness, adversarial examples, adversarial training, physical-world adversarial attacks, adversarial patch, universal perturbation
Abstract: Recently demonstrated physical-world adversarial attacks have exposed vulnerabilities in perception systems that pose severe risks for safety-critical applications such as autonomous driving. These attacks place adversarial artifacts in the physical world that indirectly cause the addition of universal perturbations to inputs of a model that can fool it in a variety of contexts. Adversarial training is the most effective defense against image-dependent adversarial attacks. However, tailoring adversarial training to universal perturbations is computationally expensive since the optimal universal perturbations depend on the model weights which change during training. We propose meta adversarial training (MAT), a novel combination of adversarial training with meta-learning, which overcomes this challenge by meta-learning universal perturbations along with model training. MAT requires little extra computation while continuously adapting a large set of perturbations to the current model. We present results for universal patch and universal perturbation attacks on image classification and traffic-light detection. MAT considerably increases robustness against universal patch attacks compared to prior work.
One-sentence Summary: We propose Meta Adversarial Training (MAT), which allows efficiently training models with largely increased robustness against universal patch and universal perturbation attacks.
Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics
Supplementary Material: zip
Community Implementations: [ 1 code implementation](https://www.catalyzex.com/paper/arxiv:2101.11453/code)
Reviewed Version (pdf): https://openreview.net/references/pdf?id=uUYtvoFdX
8 Replies
Loading