Improved Adversarial Training via Learned Optimizer
This work addresses the problem of improving adversarial robustness for deep learning models, offering an incremental advance by optimizing the inner maximization step in adversarial training.
The paper tackles the challenge of adversarial training's minimax optimization by showing that the PGD attack is suboptimal for inner maximization and that an improved inner optimizer enhances model robustness. The authors use a learning-to-learn framework with recurrent neural networks to co-train an adaptive optimizer and model weights, achieving consistent robustness improvements over PGD-based adversarial training and TRADES.
Adversarial attacks have recently become a tremendous threat to deep learning models. To improve the robustness of machine learning models, adversarial training, formulated as a minimax optimization problem, has been recognized as one of the most effective defense mechanisms. However, the non-convex and non-concave property poses a great challenge to the minimax training. In this paper, we empirically demonstrate that the commonly used PGD attack may not be optimal for inner maximization, and an improved inner optimizer can lead to a more robust model. Then we leverage a learning-to-learn (L2L) framework to train an optimizer with recurrent neural networks, providing update directions and steps adaptively for the inner problem. By co-training the optimizer's parameters and the model's weights, the proposed framework consistently improves the model robustness over PGD-based adversarial training and TRADES.
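
The minimax problem and the two inner update rules the abstract contrasts, written out as an added illustration that is not taken from the paper. The symbols $\theta$ (model weights), $\phi$ (optimizer parameters), $\delta$, $\epsilon$, $\alpha$, $m_\phi$, $h_t$, $T$, the $\ell_\infty$ ball and the form of the co-training objective are assumed standard notation, not the paper's own.

Adversarial training as a minimax problem:

$$\min_{\theta}\; \mathbb{E}_{(x,y)\sim\mathcal{D}}\Big[\max_{\|\delta\|_\infty\le\epsilon}\; \mathcal{L}\big(f_\theta(x+\delta),\,y\big)\Big]$$

PGD approximates the inner maximization with a fixed step size and a sign direction, where $\Pi$ projects back onto the $\epsilon$-ball:

$$g_t=\nabla_{\delta}\,\mathcal{L}\big(f_\theta(x+\delta_t),\,y\big),\qquad \delta_{t+1}=\Pi_{\|\delta\|_\infty\le\epsilon}\big(\delta_t+\alpha\,\mathrm{sign}(g_t)\big)$$

A learned optimizer replaces the hand-set update $\alpha\,\mathrm{sign}(g_t)$ with the output $u_t$ of a recurrent network that sees the gradient and its own hidden state, so both direction and step length adapt per iteration:

$$(u_t,\,h_{t+1})=m_\phi(g_t,\,h_t),\qquad \delta_{t+1}=\Pi_{\|\delta\|_\infty\le\epsilon}\big(\delta_t+u_t\big)$$

Co-training then updates $\phi$ to increase the loss reached after $T$ inner steps and $\theta$ to decrease it:

$$\min_{\theta}\;\max_{\phi}\; \mathbb{E}_{(x,y)\sim\mathcal{D}}\Big[\mathcal{L}\big(f_\theta(x+\delta_T(\phi)),\,y\big)\Big]$$

Because $\delta_T(\phi)$ stays inside the same $\epsilon$-ball, the inner value reached by either optimizer is a lower bound on the true inner maximum; a stronger inner optimizer tightens that bound, which is the sense in which PGD can be suboptimal for training.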