Thwarting Adversarial Attacks

Learn how to make models robust against adversarial attacks.

There are many ways to create systems that are resistant to adversarial attacks. Most methods are simple and don’t require too much work. However, there are also more robust, advanced methods—they are more involved but are also more comprehensive and better at capturing a wider range of adversarial attacks.

These methods all include some level of “softening” the data or the model. Traditionally, data with the most direct relationship between X and Y was the best way to achieve maximal performance. With adversarial methods, algorithms and processes that perform well but have a “fuzzier” relationship between X and Y are coveted. This is because if decision boundaries are very sharp (i.e., if x = 1 then y = 1), it’s easy for attackers to identify the boundaries and generate examples that look normal to a human but are problematic for models. If the rules are softer and the algorithm can handle a wider variety of inputs, attackers will find it more difficult to trick the model.

Traditional methods

Let’s explore some conventional but very effective methods of thwarting adversarial attacks. These are not cutting-edge methods, though adversarial training in particular has been found to be the single most effective way to create more robust algorithms.

Adversarial training

Adversarial training is the process of augmenting the training set of a model in ways that cover many adversarial attack strategies. In computer vision, for example, adversarial training involves taking the original data and performing several operations on it—rotations, mirroring, color shifts, background lighting, etc.—prior to training. The new dataset is not only larger but also trains the model to handle a variety of scenarios. An adversarial attack is less effective because subtle changes to the data are most likely not enough to trick the model. Models trained on this data (which can even involve combinations of augmentations like “rotate + scale”) become very robust.
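As an added illustration (not code from the original lesson), the following NumPy pipeline builds an augmented training set of the kind described above, including a combined “rotate + zoom” augmentation. The sample images, labels, shift amount and zoom factor are constructed for this example, and square images are assumed so that 90-degree rotations keep their shape.

```python
import numpy as np

def rotate(img, k=1):
    """Rotate an H x W x C image by k * 90 degrees (square images assumed)."""
    return np.rot90(img, k=k, axes=(0, 1))

def mirror(img):
    """Mirror the image left-to-right."""
    return img[:, ::-1, :]

def color_shift(img, delta):
    """Shift every pixel by delta, clipped to the valid 0..255 range."""
    return np.clip(img.astype(np.int16) + delta, 0, 255).astype(np.uint8)

def zoom(img, factor=1.25):
    """Nearest-neighbour zoom-in by `factor`, then centre-crop back to H x W."""
    h, w, _ = img.shape
    nh, nw = int(h * factor), int(w * factor)
    rows = np.arange(nh) * h // nh   # source row for each output row
    cols = np.arange(nw) * w // nw   # source column for each output column
    big = img[rows][:, cols]
    top, left = (nh - h) // 2, (nw - w) // 2
    return big[top:top + h, left:left + w]

# Single augmentations plus one combined augmentation ("rotate + zoom").
AUGMENTATIONS = {
    "rotate": lambda im: rotate(im, 1),
    "mirror": mirror,
    "brighten": lambda im: color_shift(im, 40),
    "darken": lambda im: color_shift(im, -40),
    "zoom": zoom,
    "rotate+zoom": lambda im: zoom(rotate(im, 1)),
}

def augment_dataset(images, labels):
    """Return the originals plus every augmented copy; labels repeat because the class is unchanged."""
    out_imgs, out_labels = [images], [labels]
    for fn in AUGMENTATIONS.values():
        out_imgs.append(np.stack([fn(im) for im in images]))
        out_labels.append(labels)
    return np.concatenate(out_imgs), np.concatenate(out_labels)

# Constructed sample: four 8x8 RGB "images" of random pixels with two classes.
rng = np.random.default_rng(0)
SAMPLE_X = rng.integers(0, 256, size=(4, 8, 8, 3), dtype=np.uint8)
SAMPLE_Y = np.array([0, 1, 0, 1])

if __name__ == "__main__":
    X_aug, y_aug = augment_dataset(SAMPLE_X, SAMPLE_Y)
    print(X_aug.shape, y_aug.shape)  # (28, 8, 8, 3) (28,)
```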
