LG CR ML May 15, 2019

On Norm-Agnostic Robustness of Adversarial Training

arXiv:1905.06455v1
8 citations
Originality: Incremental advance
AI Analysis

This work addresses a critical vulnerability in adversarial training for machine learning security, though it is incremental as it builds on existing defense methods.

The paper identifies that state-of-the-art adversarial training fails to achieve robustness against perturbations in both ℓ₂ and ℓ∞ norms simultaneously, and proposes a new attack to reveal this issue while discussing a potential solution and its limitations.

Adversarial examples are carefully perturbed inputs for fooling machine learning models. A well-acknowledged defense method against such examples is adversarial training, where adversarial examples are injected into training data to increase robustness. In this paper, we propose a new attack to unveil an undesired property of the state-of-the-art adversarial training, that is, it fails to obtain robustness against perturbations in $\ell_2$ and $\ell_\infty$ norms simultaneously. We discuss a possible solution to this issue and its limitations as well.

