LG CR CV | Feb 19, 2020

AdvMS: A Multi-source Multi-cost Defense Against Adversarial Attacks

arXiv:2002.08439v1 | 2 citations
AI Analysis

This work addresses the need for more effective and adaptable defenses in security-critical applications like malware detection and self-driving cars, representing an incremental advancement over existing methods.

The paper tackles the plateauing robustness and escalating costs of single-source defenses against adversarial attacks by proposing AdvMS, a multi-source multi-cost scheme that combines adversarial training and random model switching, achieving flexible robustness improvements with adjustable costs.

Designing effective defenses against adversarial attacks is a crucial topic, as deep neural networks have proliferated rapidly in many security-critical domains such as malware detection and self-driving cars. Conventional defense methods, although shown to be promising, are largely limited by their single-source single-cost nature: the robustness promotion tends to plateau when the defenses are made increasingly stronger, while the cost tends to amplify. In this paper, we study principles of designing multi-source and multi-cost schemes where defense performance is boosted from multiple defending components. Based on this motivation, we propose a multi-source and multi-cost defense scheme, Adversarially Trained Model Switching (AdvMS), that inherits advantages from two leading schemes: adversarial training and random model switching. We show that the multi-source nature of AdvMS mitigates the performance plateauing issue, and that the multi-cost nature enables improving robustness at a flexible and adjustable combination of costs over different factors, which can better suit specific restrictions and needs in practice.
