Robust Dynamical Step Adversarial Training Defense for Deep Neural Networks

Abstract

Although machine learning (ML) algorithms show impressive performance on computer vision tasks, neural networks are still vulnerable to adversarial examples. Adversarial examples typically stay indistinguishable to human, while they can dramatically decrease the classifying accuracy of the neural network. Adversarial training generates such examples and train them together with the clean data to increase robustness. Researchers has stated that the ”projected gradient descent” (PGD) adversarial training method specifies a concrete security guarantee on the neural network against adversarial attacks. The model trained with PGD adversaries performs robust against several different gradient based attack methods under l∞-norm. This work proposes a Dynamical Step Adversarial (DSA) training method to generate adversaries for training by dynamically adjusting the length of step during each iteration. The paper demonstrates the robustness of DSA adversarial training model against different gradient-based attacks. The performance of the DSA training model under different l∞-norm measurement attacks is compared with other protection methods. Finally, DSA with different numbers of steps are compared under Fast Gradient Sign Method (FGSM) and PGD attacks.