LG CR CV ML, Oct 23, 2019

A Useful Taxonomy for Adversarial Robustness of Neural Networks

arXiv:1910.10679v1, 1 citation
Originality: Synthesis-oriented
AI Analysis

This work offers a fresh perspective on adversarial defenses for the deep learning community, potentially inspiring novel solutions, but it appears incremental as it builds on existing review categories without presenting new empirical results.

The paper addresses adversarial robustness in neural networks by proposing a new taxonomy that regroups defense approaches into two families: increasing intra-class compactness and inter-class separation, and marginalizing non-robust features. It aims to provide insight for training more robust networks and challenges the universality of robustness-accuracy trade-offs.

Adversarial attacks and defenses are currently active areas of research for the deep learning community. A recent review paper divided the defense approaches into three categories: gradient masking, robust optimization, and adversarial example detection. We divide gradient masking and robust optimization differently: (1) increasing intra-class compactness and inter-class separation of the feature vectors improves adversarial robustness, and (2) marginalization or removal of non-robust image features also improves adversarial robustness. By reframing these topics differently, we provide a fresh perspective that provides insight into the underlying factors that enable training more robust networks and can help inspire novel solutions. In addition, there are several papers in the literature of adversarial defenses that claim there is a cost for adversarial robustness, or a trade-off between robustness and accuracy, but, under this proposed taxonomy, we hypothesize that this is not universal. We follow up on our taxonomy with several challenges to the deep learning research community that build on the connections and insights in this paper.
