Adversarial Attack Generation Empowered by
Min-Max Optimization


In Advances in Neural Information Processing Systems (NeurIPS), 2021
Beyond AT, can other types of min-max formulation and optimization techniques advance the research in adversarial attack generation? In this paper, we give an affirmative answer corroborated by the substantial performance gain and the ability of self-learned risk interpretation using our proposed min-max framework on several tasks for adversarial attack.


News



Abstract

The worst-case training principle that minimizes the maximal adversarial loss, also known as adversarial training (AT), has shown to be a state-of-the-art approach for enhancing adversarial robustness. Nevertheless, min-max optimization beyond the purpose of AT has not been rigorously explored in the adversarial context. In this paper, we show how a general framework of min-max optimization over multiple domains can be leveraged to advance the design of different types of adversarial attacks. In particular, given a set of risk sources, minimizing the worst-case attack loss can be reformulated as a min-max problem by introducing domain weights that are maximized over the probability simplex of the domain set. We showcase this unified framework in three attack generation problems -- attacking model ensembles, devising universal perturbation under multiple inputs, and crafting attacks resilient to data transformations. Extensive experiments demonstrate that our approach leads to substantial attack improvement over the existing heuristic strategies as well as robustness improvement over state-of-the-art defense methods trained to be robust against multiple perturbation types. Furthermore, we find that the self-adjusted domain weights learned from our min-max framework can provide a holistic tool to explain the difficulty level of attack across domains.

BibTeX
@inproceedings{wang2021adversarial,
title = {Adversarial Attack Generation Empowered by Min-Max Optimization},
author = {Jingkang Wang and Tianyun Zhang and Sijia Liu and Pin-Yu Chen and Jiacen Xu and Makan Fardad and Bo Li},
booktitle = {Thirty-Fifth Conference on Neural Information Processing Systems},
year = {2021},
url = {https://openreview.net/forum?id=xlNpxfGMTTu}
}
Text citation

Jingkang Wang, Tianyun Zhang, Sijia Liu, Pin-Yu Chen, Jiacen Xu, Makan Fardad and Bo Li. Adversarial Attack Generation Empowered by Min-Max Optimization. In Thirty-Fifth Conference on Neural Information Processing Systems (NeurIPS), 2021.


Min-Max Power in Attack Design
(a) Ensemble Attack over Multiple Models
(a) Universal perturbation over multiple examples
(a) Robust attack over data transformations

Results
(a) Significant improvements over the average strategy on three robust adversarial attacks
(b) Outperforms heuristic strategies in an affordable way
(c) State-of-the-art defense over multiple perturbation domains
(d) A holistic tool to interpret the risk of different domain sources

Citation
@inproceedings{wang2021adversarial,
title     = {Adversarial Attack Generation Empowered by Min-Max Optimization},
author    = {Jingkang Wang and Tianyun Zhang and Sijia Liu and Pin-Yu Chen and Jiacen Xu and Makan Fardad and Bo Li},
booktitle = {Thirty-Fifth Conference on Neural Information Processing Systems},
year      = {2021},
url       = {https://openreview.net/forum?id=xlNpxfGMTTu}
}