[Paper Summary] Learning to Generate Noise for Robustness against Multiple Perturbations.
This paper proposes the Meta Noise Generator (MNG), a meta-learning framework that generates adversarial noise to improve a model's robustness against multiple perturbation types at once. By randomly sampling an attack during training, MNG achieves strong defense against a variety of unseen perturbations at negligible computational cost compared to jointly training on all perturbation types.
Adversarial learning has emerged as one of the successful techniques to circumvent the susceptibility of existing methods against adversarial perturbations. However, the majority of existing defense methods are tailored to defend against a single category of adversarial perturbation (e.g. $\ell_\infty$-attack). In safety-critical applications, this makes these methods extraneous as the attacker can adopt diverse adversaries to deceive the system. To tackle this challenge of robustness against multiple perturbations, we propose a novel meta-learning framework that explicitly learns to generate noise to improve the model's robustness against multiple types of attacks. Specifically, we propose Meta Noise Generator (MNG) that outputs optimal noise to stochastically perturb a given sample, such that it helps lower the error on diverse adversarial perturbations. However, training on multiple perturbations simultaneously significantly increases the computational overhead during training. To address this issue, we train our MNG while randomly sampling an attack at each epoch, which incurs negligible overhead over standard adversarial training. We validate the robustness of our framework on various datasets and against a wide variety of unseen perturbations, demonstrating that it significantly outperforms the relevant baselines across multiple perturbations with marginal computational cost compared to the multiple perturbations training.
Motivation and Goals
- Address the limitation that existing defense methods are effective only against a single type of adversarial perturbation.
- Improve robustness in safety-critical applications, where an attacker may adopt a variety of perturbation strategies.
- Develop a defense framework that generalizes to unseen perturbations across multiple attack types.
- Reduce the computational cost of training while maintaining robustness against multiple perturbations.
Proposed Method
- The proposed Meta Noise Generator (MNG) learns to produce optimal noise that stochastically perturbs input samples to improve robustness.
- MNG is trained with a meta-learning paradigm, randomly sampling one attack type in each training epoch.
- The framework optimizes for lower error under multiple adversarial perturbations by generating noise that stabilizes the model's predictions.
- The noise generation process is differentiable, so the framework can be trained end-to-end with standard backpropagation.
- The method avoids jointly training on all perturbations simultaneously, which reduces computational overhead.
- By randomly sampling an attack during training, the method efficiently approximates robustness to multiple perturbations.
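The following is an added illustration, not code from the paper, of the training schedule described above: one attack type is sampled per epoch instead of crafting every attack type each epoch, so the number of attack batches crafted (the main training cost) equals that of single-perturbation adversarial training. It uses a toy logistic-regression model and one-step attacks as stand-ins; the $\ell_\infty$ family is the one named in the abstract, the $\ell_2$ family is an assumed second type, and the learned meta noise generator itself is not implemented here.

```python
import numpy as np

# Two perturbation families as one-step attacks along the input gradient g.
# l_inf is the type named in the abstract; l_2 is an assumed second type.
ATTACKS = {
    "linf": lambda g, eps: eps * np.sign(g),
    "l2": lambda g, eps: eps * g / (np.linalg.norm(g, axis=1, keepdims=True) + 1e-12),
}


def make_data(n=200, seed=0):
    # Constructed toy data: 2-D Gaussian points labelled by the sign of x0 + x1.
    rng = np.random.default_rng(seed)
    x = rng.normal(size=(n, 2))
    y = (x[:, 0] + x[:, 1] > 0).astype(float)
    return x, y


def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))


def input_grad(w, b, x, y):
    # Gradient of the logistic loss w.r.t. each input row; attacks move along it.
    p = sigmoid(x @ w + b)
    return np.outer(p - y, w)


def train(x, y, epochs=100, eps=0.3, lr=0.5, joint=False, seed=0):
    """Adversarial training of a logistic-regression model.

    joint=False: sample ONE attack type per epoch (the paper's schedule).
    joint=True : craft EVERY attack type each epoch (multi-perturbation baseline).
    Returns (w, b, number_of_attack_batches_crafted) so the cost can be compared.
    """
    rng = np.random.default_rng(seed)
    w, b, crafted = np.zeros(2), 0.0, 0
    for _ in range(epochs):
        names = list(ATTACKS) if joint else [rng.choice(list(ATTACKS))]
        for name in names:
            x_adv = x + ATTACKS[name](input_grad(w, b, x, y), eps)
            crafted += 1
            p = sigmoid(x_adv @ w + b)
            w -= lr * x_adv.T @ (p - y) / len(y)
            b -= lr * np.mean(p - y)
    return w, b, crafted


def robust_accuracy(w, b, x, y, name, eps=0.3):
    # Accuracy under a one-step attack of the given type at test time.
    x_adv = x + ATTACKS[name](input_grad(w, b, x, y), eps)
    return float(np.mean((sigmoid(x_adv @ w + b) > 0.5) == (y == 1)))
```

With two attack families, joint training crafts twice as many attack batches as the sampled schedule for the same number of epochs, while the sampled model is still evaluated against both families.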
Experimental Results
Research Questions
- RQ1: Can a single defense framework achieve robustness against multiple diverse types of adversarial perturbation?
- RQ2: How does the meta-learned noise generator perform across multiple perturbations compared with standard adversarial training?
- RQ3: What is the computational cost of training a model with the proposed method to defend against multiple perturbations, compared with joint training?
- RQ4: Can a model trained with MNG generalize to perturbation types not seen during training?
- RQ5: Does randomly sampling an attack during training effectively approximate robustness to multiple perturbations?
Main Findings
- The MNG framework is significantly more robust than existing baselines across multiple perturbation types.
- The method shows strong defensive performance on unseen perturbations, demonstrating good generalization.
- Compared with training on all perturbations simultaneously, the computational cost of MNG is marginal.
- Randomly sampling an attack during training effectively achieves robustness to multiple perturbations at negligible overhead.
- The framework remains highly robust even when tested against perturbations not included in the training distribution.
This summary was generated by AI and reviewed by a human editor.