Keywords: adversarial example, robustness, data manifold, adversarial training
Abstract: We propose a novel adversarial training method which leverages both local and global information to defend against adversarial attacks. Existing adversarial training methods usually generate adversarial perturbations locally in a supervised manner and fail to consider the data manifold information in a global way. Consequently, the resulting adversarial examples may corrupt the underlying data structure and are typically biased towards the decision boundary. In this work, we exploit both the local and global information of the data manifold to generate adversarial examples in an unsupervised manner. Specifically, we design our novel framework via an adversarial game between a discriminator and a classifier: the discriminator learns to differentiate the latent distributions of the natural data and the perturbed counterpart, while the classifier is trained to accurately recognize the perturbed examples and to enforce invariance between the two latent distributions. We conduct a series of analyses of the model robustness and also verify the effectiveness of our proposed method empirically. Experimental results show that our method substantially outperforms the recent state-of-the-art (i.e. Feature Scattering) in defending against adversarial attacks by a large accuracy margin (e.g. $17.0\%$ and $18.1\%$ on the SVHN dataset, $9.3\%$ and $17.4\%$ on the CIFAR-10 dataset, $6.0\%$ and $16.2\%$ on the CIFAR-100 dataset for defending against PGD20 and CW20 attacks respectively).
One-sentence Summary: We propose a novel adversarial training method which leverages both local and global information to defend against adversarial attacks.
Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics
Supplementary Material: zip
Community Implementations: [1 code implementation](https://www.catalyzex.com/paper/arxiv:2107.04401/code)
Reviewed Version (pdf): https://openreview.net/references/pdf?id=Hak4wSTLQa