Adversarial Attack Generation Empowered by
Min-Max Optimization


In Advances in Neural Information Processing Systems (NeurIPS), 2021
Beyond AT, can other types of min-max formulations and optimization techniques advance research in adversarial attack generation? In this paper, we give an affirmative answer, corroborated by substantial performance gains and the self-learned risk interpretation enabled by our proposed min-max framework on several adversarial attack tasks.



Abstract

The worst-case training principle that minimizes the maximal adversarial loss, also known as adversarial training (AT), has been shown to be a state-of-the-art approach for enhancing adversarial robustness. Nevertheless, min-max optimization beyond the purpose of AT has not been rigorously explored in the adversarial context. In this paper, we show how a general framework of min-max optimization over multiple domains can be leveraged to advance the design of different types of adversarial attacks. In particular, given a set of risk sources, minimizing the worst-case attack loss can be reformulated as a min-max problem by introducing domain weights that are maximized over the probability simplex of the domain set. We showcase this unified framework in three attack generation problems -- attacking model ensembles, devising universal perturbations over multiple inputs, and crafting attacks resilient to data transformations. Extensive experiments demonstrate that our approach leads to substantial attack improvement over existing heuristic strategies, as well as robustness improvement over state-of-the-art defense methods trained to be robust against multiple perturbation types. Furthermore, we find that the self-adjusted domain weights learned from our min-max framework provide a holistic tool to interpret the difficulty level of attack across domains.
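The min-max idea in the abstract can be sketched as an alternating scheme: an inner descent step on the perturbation for the weighted attack loss, and an outer ascent step on the domain weights followed by a Euclidean projection back onto the probability simplex. The sketch below is a minimal illustration of that scheme, not the paper's implementation; the step sizes, the abstract `losses`/`grads` callables, and the use of plain gradient steps (rather than the paper's specific solver) are assumptions for clarity.

```python
import numpy as np

def project_simplex(v):
    # Euclidean projection of v onto the probability simplex
    # {w : w_i >= 0, sum_i w_i = 1}, via the standard sorting-based method.
    u = np.sort(v)[::-1]
    css = np.cumsum(u)
    rho = np.nonzero(u * np.arange(1, len(v) + 1) > (css - 1.0))[0][-1]
    theta = (css[rho] - 1.0) / (rho + 1.0)
    return np.maximum(v - theta, 0.0)

def min_max_attack(losses, grads, delta0, steps=100, alpha=0.1, beta=0.05):
    """Alternating min-max over K risk domains (hypothetical interface).

    losses: list of callables f_i(delta) -> scalar attack loss for domain i
    grads:  list of callables g_i(delta) -> gradient of f_i w.r.t. delta
    Inner step: gradient descent on delta for sum_i w_i * f_i(delta).
    Outer step: gradient ascent on the domain weights w, projected
    back onto the probability simplex.
    """
    K = len(losses)
    w = np.ones(K) / K              # start from uniform domain weights
    delta = delta0.copy()
    for _ in range(steps):
        # minimize the weighted loss over the perturbation delta
        g = sum(wi * gi(delta) for wi, gi in zip(w, grads))
        delta = delta - alpha * g
        # maximize over domain weights: harder domains (larger loss) gain weight
        f = np.array([fi(delta) for fi in losses])
        w = project_simplex(w + beta * f)
    return delta, w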

BibTeX
@inproceedings{wang2021adversarial,
  title     = {Adversarial Attack Generation Empowered by Min-Max Optimization},
  author    = {Jingkang Wang and Tianyun Zhang and Sijia Liu and Pin-Yu Chen and Jiacen Xu and Makan Fardad and Bo Li},
  booktitle = {Thirty-Fifth Conference on Neural Information Processing Systems},
  year      = {2021},
  url       = {https://openreview.net/forum?id=xlNpxfGMTTu}
}
Text citation

Jingkang Wang, Tianyun Zhang, Sijia Liu, Pin-Yu Chen, Jiacen Xu, Makan Fardad, and Bo Li. Adversarial Attack Generation Empowered by Min-Max Optimization. In Thirty-Fifth Conference on Neural Information Processing Systems (NeurIPS), 2021.


Min-Max Power in Attack Design
(a) Ensemble attack over multiple models
(b) Universal perturbation over multiple examples
(c) Robust attack over data transformations

Results
(a) Significant improvements over the average strategy on three robust adversarial attack tasks
(b) Outperforms heuristic strategies at affordable computational cost
(c) State-of-the-art defense over multiple perturbation domains
(d) A holistic tool to interpret the risk of different domain sources
