Improved Network Robustness with Adversary Critic
This addresses the security and reliability issue of neural networks in applications like image recognition, though it is an incremental improvement over existing adversarial defense methods.
The paper tackles the problem of neural networks being vulnerable to small, imperceptible adversarial perturbations by proposing a novel robust classifier method using a GAN framework with an adversary critic and cycle-consistency constraints. The result shows improved robustness over adversarial training, with adversarial examples verified as visually confusing to humans.
Ideally, what confuses neural network should be confusing to humans. However, recent experiments have shown that small, imperceptible perturbations can change the network prediction. To address this gap in perception, we propose a novel approach for learning robust classifier. Our main idea is: adversarial examples for the robust classifier should be indistinguishable from the regular data of the adversarial target. We formulate a problem of learning robust classifier in the framework of Generative Adversarial Networks (GAN), where the adversarial attack on classifier acts as a generator, and the critic network learns to distinguish between regular and adversarial images. The classifier cost is augmented with the objective that its adversarial examples should confuse the adversary critic. To improve the stability of the adversarial mapping, we introduce adversarial cycle-consistency constraint which ensures that the adversarial mapping of the adversarial examples is close to the original. In the experiments, we show the effectiveness of our defense. Our method surpasses in terms of robustness networks trained with adversarial training. Additionally, we verify in the experiments with human annotators on MTurk that adversarial examples are indeed visually confusing. Codes for the project are available at https://github.com/aam-at/adversary_critic.