Can Go AIs be adversarially robust?
This work addresses the challenge of adversarial robustness in AI systems, even in favorable domains like Go, highlighting gaps in defense generalization and training diversity, which is incremental as it builds on prior findings of vulnerabilities.
The paper investigates whether superhuman Go AIs can be made robust against adversarial attacks, particularly cyclic strategies, by testing defenses like adversarial training and architectural changes, but finds that none withstand newly trained adversaries, with most effective attacks still being cyclic in nature.
Prior work found that superhuman Go AIs can be defeated by simple adversarial strategies, especially "cyclic" attacks. In this paper, we study whether adding natural countermeasures can achieve robustness in Go, a favorable domain for robustness since it benefits from incredible average-case capability and a narrow, innately adversarial setting. We test three defenses: adversarial training on hand-constructed positions, iterated adversarial training, and changing the network architecture. We find that though some of these defenses protect against previously discovered attacks, none withstand freshly trained adversaries. Furthermore, most of the reliably effective attacks these adversaries discover are different realizations of the same overall class of cyclic attacks. Our results suggest that building robust AI systems is challenging even with extremely superhuman systems in some of the most tractable settings, and highlight two key gaps: efficient generalization of defenses, and diversity in training. For interactive examples of attacks and a link to our codebase, see https://goattack.far.ai.