LG · CR · ML · Nov 3, 2018

Learning to Defend by Learning to Attack

arXiv:1811.01213v5 · 26 citations
Originality: Incremental advance
AI Analysis

This work addresses the problem of making neural networks robust to adversarial attacks, offering machine learning practitioners an incremental improvement over existing adversarial training methods.

The paper tackles the difficulty of solving the bilevel optimization problem in adversarial training by proposing a learning-to-learn framework that learns an optimizer for generating adversarial samples, resulting in improved classification accuracy and computational efficiency on CIFAR-10 and CIFAR-100 datasets.

Adversarial training provides a principled approach for training robust neural networks. From an optimization perspective, adversarial training is essentially solving a bilevel optimization problem. The leader problem is trying to learn a robust classifier, while the follower problem is trying to generate adversarial samples. Unfortunately, such a bilevel problem is difficult to solve due to its highly complicated structure. This work proposes a new adversarial training method based on a generic learning-to-learn (L2L) framework. Specifically, instead of applying existing hand-designed algorithms for the inner problem, we learn an optimizer, which is parametrized as a convolutional neural network. At the same time, a robust classifier is learned to defend against the adversarial attack generated by the learned optimizer. Experiments over CIFAR-10 and CIFAR-100 datasets demonstrate that L2L outperforms existing adversarial training methods in both classification accuracy and computational efficiency. Moreover, our L2L framework can be extended to generative adversarial imitation learning and stabilize the training.
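The bilevel structure the abstract describes, reduced to a toy linear classifier, as an added example that is not the paper's code: the leader updates a logistic-regression classifier on perturbed inputs, while the follower is either the hand-designed inner solver (L-inf PGD) or a learned attacker trained by gradient ascent on the leader's loss and updated alternately with the classifier. Everything in it is an assumption for illustration: the constructed dataset (one robust feature whose margin exceeds the L-inf budget, plus many weak features whose margin lies inside it), the learned attacker's parametrisation as a per-feature tanh map of the input-gradient sign (a learned per-coordinate step size, not the paper's CNN optimizer), and all names and hyperparameters.

```python
"""Toy bilevel adversarial training on a logistic-regression classifier.
Added example, not the paper's code; all of it is illustrative assumption:
a constructed dataset (one robust feature, margin 1.0 > EPS; many weak
features, margin 0.25 < EPS), PGD as the hand-designed inner solver, and a
learned inner solver that is a per-feature tanh map of the gradient sign."""
import numpy as np

EPS = 0.5   # L-inf radius of the follower's (attacker's) feasible set
LAM = 1e-2  # L2 weight decay so the leader's weights stay bounded

def make_data(n, rng, d_weak=60):
    """Constructed sample: y in {-1,+1}; x[:,0] robust, x[:,1:] weak features."""
    y = rng.choice([-1.0, 1.0], size=n)
    x_robust = 1.0 * y + rng.normal(0.0, 0.5, size=n)
    x_weak = 0.25 * y[:, None] + rng.normal(0.0, 1.0, size=(n, d_weak))
    return np.column_stack([x_robust, x_weak]), y

def margins(w, b, x, y):
    return y * (x @ w + b)  # y * f(x) for the linear classifier f(x) = w.x + b

def mean_loss(w, b, x, y):
    return float(np.mean(np.logaddexp(0.0, -margins(w, b, x, y))))  # logistic loss

def input_grad(w, b, x, y):
    """Per-sample d loss_i / d x_i, the signal both inner solvers start from."""
    s = np.exp(-np.logaddexp(0.0, margins(w, b, x, y)))  # sigmoid(-y f), stable
    return (-y * s)[:, None] * w[None, :]

def pgd_attack(w, b, x, y, steps=5):
    """Hand-designed inner solver: L-inf PGD with sign-gradient steps."""
    delta = np.zeros_like(x)
    for _ in range(steps):
        delta = np.clip(delta + EPS * np.sign(input_grad(w, b, x + delta, y)), -EPS, EPS)
    return delta

def learned_attack(phi, w, b, x, y):
    """Learned inner solver: delta = EPS * tanh(a * sign(grad) + c); tanh keeps
    delta inside the L-inf ball by construction. Returns (delta, sign(grad), z)."""
    a, c = phi
    s = np.sign(input_grad(w, b, x, y))
    z = a[None, :] * s + c[None, :]
    return EPS * np.tanh(z), s, z

def train_attacker(phi, w, b, x, y, steps=3, lr=2.0):
    """Follower update: gradient ascent on the leader's loss w.r.t. (a, c)."""
    a, c = phi
    for _ in range(steps):
        delta, s, z = learned_attack((a, c), w, b, x, y)
        dl_ddelta = input_grad(w, b, x + delta, y) / len(y)  # d(mean loss)/d delta
        dtanh = EPS * (1.0 - np.tanh(z) ** 2)                 # d delta / d z
        a = a + lr * np.sum(dl_ddelta * dtanh * s, axis=0)
        c = c + lr * np.sum(dl_ddelta * dtanh, axis=0)
    return a, c

def classifier_step(w, b, xa, y, lr):
    """Leader update: one gradient step on the loss at the perturbed inputs."""
    s = np.exp(-np.logaddexp(0.0, margins(w, b, xa, y)))
    gw = -np.mean((y * s)[:, None] * xa, axis=0) + LAM * w
    return w - lr * gw, b + lr * np.mean(y * s)

def train(x, y, mode, steps=600, lr=0.1):
    """mode: 'standard' (no attack), 'pgd', or 'l2l' (follower trained before
    each leader step, i.e. attacker and classifier updated alternately)."""
    d = x.shape[1]
    w, b, phi = np.zeros(d), 0.0, (np.zeros(d), np.zeros(d))
    for _ in range(steps):
        if mode == "standard":
            delta = np.zeros_like(x)
        elif mode == "pgd":
            delta = pgd_attack(w, b, x, y)
        else:
            phi = train_attacker(phi, w, b, x, y)
            delta = learned_attack(phi, w, b, x, y)[0]
        w, b = classifier_step(w, b, x + delta, y, lr)
    return w, b, phi

def robust_accuracy(w, b, x, y):
    """Accuracy under PGD, the exact worst case for a linear model."""
    return float(np.mean(margins(w, b, x + pgd_attack(w, b, x, y), y) > 0))

def run_experiment(seed=0, n=400):
    """Train the three variants on one constructed sample, evaluate on another."""
    rng = np.random.default_rng(seed)
    x, y = make_data(n, rng)
    xt, yt = make_data(n, rng)
    out = {}
    for mode in ("standard", "pgd", "l2l"):
        w, b, phi = train(x, y, mode)
        out[mode] = {"clean_acc": float(np.mean(margins(w, b, xt, yt) > 0)),
                     "robust_acc": robust_accuracy(w, b, xt, yt)}
    # w, b, phi are now the 'l2l' model: compare its learned attacker with PGD.
    out["l2l"]["clean_loss"] = mean_loss(w, b, xt, yt)
    out["l2l"]["learned_loss"] = mean_loss(w, b, xt + learned_attack(phi, w, b, xt, yt)[0], yt)
    out["l2l"]["pgd_loss"] = mean_loss(w, b, xt + pgd_attack(w, b, xt, yt), yt)
    return out

if __name__ == "__main__":
    print(run_experiment())
```

Running it reports held-out clean and PGD accuracy for standard, PGD and L2L training, plus the loss the learned attacker reaches against the L2L classifier next to PGD's. For a linear classifier a single PGD sign step is the exact worst case inside the L-inf ball, so it is the right yardstick: the standard model keeps its clean accuracy but collapses under attack because it leans on the weak features, both adversarially trained models give them up, and the learned attacker ends close to PGD's loss. That last comparison is the check a defender should keep running in practice, since a robust classifier is only as robust as the follower it was trained against.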
