Improved Image Wasserstein Attacks and Defenses
This work addresses the problem of developing more realistic adversarial robustness models for image classification, though it is incremental in refining an existing approach.
The paper tackles flaws in the previous Wasserstein threat model for image perturbations, proposing a better-defined framework that leads to stronger attacks and defenses, with results including improved robustness metrics and trained models available online.
Robustness against image perturbations bounded by a $\ell_p$ ball have been well-studied in recent literature. Perturbations in the real-world, however, rarely exhibit the pixel independence that $\ell_p$ threat models assume. A recently proposed Wasserstein distance-bounded threat model is a promising alternative that limits the perturbation to pixel mass movements. We point out and rectify flaws in previous definition of the Wasserstein threat model and explore stronger attacks and defenses under our better-defined framework. Lastly, we discuss the inability of current Wasserstein-robust models in defending against perturbations seen in the real world. Our code and trained models are available at https://github.com/edwardjhu/improved_wasserstein .