ArXiv Pre-Print “Adversarial Training against Location-Optimized Adversarial Patches”

While robustness against imperceptible adversarial examples is well-studied, robustness against visible adversarial perturbations such as adversarial patches is poorly understood. In this pre-print, we present a practical approach to obtain adversarial patches while actively optimizing their location within the image. On CIFAR10 and GTSRB, we show that adversarial training on these location-optimized adversarial patches improves robustness significantly while not reducing accuracy.

This is joint work with Sukrut Rao.

Abstract

Figure 1: Left: Comparison between regular, usually imperceptible, adversarial examples and clearly visible adversarial patches. Middle: Adversarial patches are constrained to the border of images and the location can be updated during the attack. This procedure allows the attack to systematically exploit vulnerable locations, as illustrated in the heatmap at the bottom right for an adversarially trained model. Right: Adversarial training on location-optimized adversarial patches improves robustness significantly (lower robust test error) while not increasing test error on clean examples.

Deep neural networks have been shown to be susceptible to adversarial examples -- small, imperceptible changes constructed to cause mis-classification in otherwise highly accurate image classifiers. As a practical alternative, recent work proposed so-called adversarial patches: clearly visible, but adversarially crafted rectangular patches in images. These patches can easily be printed and applied in the physical world. While defenses against imperceptible adversarial examples have been studied extensively, robustness against adversarial patches is poorly understood. In this work, we first devise a practical approach to obtain adversarial patches while actively optimizing their location within the image. Then, we apply adversarial training on these location-optimized adversarial patches and demonstrate significantly improved robustness on CIFAR10 and GTSRB. Additionally, in contrast to adversarial training on imperceptible adversarial examples, our adversarial patch training does not reduce accuracy.

Paper on ArXiv

@article{Rao2020ARXIV,
    author    = {Sukrut Rao and David Stutz and Bernt Schiele},
    title     = {Adversarial Training against Location-Optimized Adversarial Patches},
    journal   = {CoRR},
    volume    = {abs/2005.02313},
    year      = {2020}
}