LG · Feb 9, 2021

Target Training Does Adversarial Training Without Adversarial Samples

arXiv:2102.04836v1
AI Analysis

This work provides a more efficient and effective defense mechanism against adversarial attacks for machine learning practitioners, particularly by removing the need for adversarial sample generation for a class of attacks.

This paper introduces Target Training, a method that defends against adversarial attacks by replacing adversarial samples with duplicated original samples labeled differently during training. This approach eliminates the need for generating adversarial samples for attacks that minimize perturbation, achieving 84.8% accuracy against CW-L2(κ=0) and 86.6% against DeepFool on CIFAR10, surpassing the default accuracy of 84.3% and current best defense accuracy below 25%. For attacks that do not minimize perturbation, Target Training with adversarial samples achieves 76.4% accuracy against CW-L2(κ=40), exceeding the current best defense of 69.1%.

Neural network classifiers are vulnerable to misclassification of adversarial samples, for which the current best defense trains classifiers with adversarial samples. However, adversarial samples are not optimal for steering attack convergence, based on the minimization at the core of adversarial attacks. The perturbation term of that minimization can be driven towards $0$ by replacing adversarial samples in training with duplicated original samples, labeled differently only for training. Using only original samples, Target Training eliminates the need to generate adversarial samples for training against all attacks that minimize perturbation. In low-capacity classifiers and without using adversarial samples, Target Training exceeds both default CIFAR10 accuracy ($84.3$%) and current best defense accuracy (below $25$%) with $84.8$% against the CW-L$_2$($\kappa=0$) attack, and $86.6$% against DeepFool. Using adversarial samples against attacks that do not minimize perturbation, Target Training exceeds the current best defense ($69.1$%) with $76.4$% against CW-L$_2$($\kappa=40$) on CIFAR10.
