Towards Optimal Randomized Strategies in Adversarial Example Game
This addresses a practical challenge in AI security by providing an efficient solution for adversarial defense in fully randomized settings, though it is incremental as it builds on prior work on randomization in adversarial training.
The paper tackles the lack of efficient algorithms for finding optimal randomized strategies in adversarial example games where both defender and attacker can randomize, proposing FRAT, a novel algorithm that models the problem with an infinite-dimensional continuous-time flow on probability distributions and converges to mixed Nash equilibria, with experimental validation on CIFAR-10 and CIFAR-100 datasets.
The vulnerability of deep neural network models to adversarial example attacks is a practical challenge in many artificial intelligence applications. A recent line of work shows that the use of randomization in adversarial training is the key to find optimal strategies against adversarial example attacks. However, in a fully randomized setting where both the defender and the attacker can use randomized strategies, there are no efficient algorithm for finding such an optimal strategy. To fill the gap, we propose the first algorithm of its kind, called FRAT, which models the problem with a new infinite-dimensional continuous-time flow on probability distribution spaces. FRAT maintains a lightweight mixture of models for the defender, with flexibility to efficiently update mixing weights and model parameters at each iteration. Furthermore, FRAT utilizes lightweight sampling subroutines to construct a random strategy for the attacker. We prove that the continuous-time limit of FRAT converges to a mixed Nash equilibria in a zero-sum game formed by a defender and an attacker. Experimental results also demonstrate the efficiency of FRAT on CIFAR-10 and CIFAR-100 datasets.