Affine-Invariant Robust Training
This work addresses the vulnerability of machine learning models to affine transformations, offering a method to enhance robustness, but it appears incremental as it builds on existing spatial robustness methods and data augmentation techniques.
The paper tackles the problem of adversarial robustness by focusing on affine transformations as natural perturbations, proposing evolution strategies to find worst-case affine transforms for each input, which effectively yields robust models and allows non-parametric adversarial perturbations.
The field of adversarial robustness has attracted significant attention in machine learning. Contrary to the common approach of training models that are accurate in average case, it aims at training models that are accurate for worst case inputs, hence it yields more robust and reliable models. Put differently, it tries to prevent an adversary from fooling a model. The study of adversarial robustness is largely focused on $\ell_p-$bounded adversarial perturbations, i.e. modifications of the inputs, bounded in some $\ell_p$ norm. Nevertheless, it has been shown that state-of-the-art models are also vulnerable to other more natural perturbations such as affine transformations, which were already considered in machine learning within data augmentation. This project reviews previous work in spatial robustness methods and proposes evolution strategies as zeroth order optimization algorithms to find the worst affine transforms for each input. The proposed method effectively yields robust models and allows introducing non-parametric adversarial perturbations.