CV · LG · IV · Jul 24, 2019

Joint Adversarial Training: Incorporating both Spatial and Pixel Attacks

arXiv:1907.10737v2 · 7 citations
Originality: Incremental advance
AI Analysis

This work addresses the vulnerability of machine learning models to adversarial attacks, a critical issue for security in AI applications. Its advance is incremental: it combines existing attack types.

The paper tackles the problem of adversarial robustness by proposing a joint adversarial training method that incorporates both spatial transformation-based and pixel-value based attacks, resulting in improved model robustness as verified by extensive experiments on benchmark datasets.

Conventional adversarial training methods use attacks that manipulate the pixel value directly and individually, leading to models that are less robust in the face of spatial transformation-based attacks. In this paper, we propose a joint adversarial training method that incorporates both spatial transformation-based and pixel-value based attacks for improving model robustness. We introduce a spatial transformation-based attack with an explicit notion of budget and develop an algorithm for spatial attack generation. We further integrate both pixel and spatial attacks into one generation model and show how to leverage the complementary strengths of each other in training for improving the overall model robustness. Extensive experimental results on different benchmark datasets compared with state-of-the-art methods verified the effectiveness of the proposed method.
