Defending Against Universal Perturbations With Shared Adversarial Training
This work addresses the robustness of deep neural networks against universal adversarial attacks, which is an incremental improvement for security in computer vision applications.
The paper tackles the vulnerability of classifiers to universal adversarial perturbations, showing that adversarial training is more effective against them but can degrade performance on clean data; they propose an extension to better handle this trade-off, demonstrating that resulting perturbations become perceptible and reveal target scene patterns in image classification and semantic segmentation.
Classifiers such as deep neural networks have been shown to be vulnerable against adversarial perturbations on problems with high-dimensional input space. While adversarial training improves the robustness of image classifiers against such adversarial perturbations, it leaves them sensitive to perturbations on a non-negligible fraction of the inputs. In this work, we show that adversarial training is more effective in preventing universal perturbations, where the same perturbation needs to fool a classifier on many inputs. Moreover, we investigate the trade-off between robustness against universal perturbations and performance on unperturbed data and propose an extension of adversarial training that handles this trade-off more gracefully. We present results for image classification and semantic segmentation to showcase that universal perturbations that fool a model hardened with adversarial training become clearly perceptible and show patterns of the target scene.