The Robust Manifold Defense: Adversarial Training using Generative Models

TL;DR

This work reframes adversarial robustness through the lens of data manifolds learned by spanners (GAN/VAE decoders) and introduces an overpowered latent-space attack that searches pairs of latent codes with near-identical manifold images but conflicting classifier outputs. The authors show projection-based defenses such as INC and DefenseGAN can be fully circumvented by white-box latent-space optimizations and then leverage this attack to bolster defenses via a robust min–max formulation (Robust Manifold Defense) and adversarial training. On MNIST, the approach yields the most robust known classifier against white-box $\\ell_2$-bounded attacks (up to 96.26% accuracy at $\\delta=1.5$), outperforming TRADES and Madry-style baselines, with additional experiments on CelebA illustrating practical implications. Overall, the paper highlights the value and limits of manifold-based defenses and demonstrates that leveraging latent-space adversaries can both break existing defenses and drive stronger, more data-efficient adversarial training.

Abstract

We propose a new type of attack for finding adversarial examples for image classifiers. Our method exploits spanners, i.e. deep neural networks whose input space is low-dimensional and whose output range approximates the set of images of interest. Spanners may be generators of GANs or decoders of VAEs. The key idea in our attack is to search over latent code pairs to find ones that generate nearby images with different classifier outputs. We argue that our attack is stronger than searching over perturbations of real images. Moreover, we show that our stronger attack can be used to reduce the accuracy of Defense-GAN to 3\%, resolving an open problem from the well-known paper by Athalye et al. We combine our attack with normal adversarial training to obtain the most robust known MNIST classifier, significantly improving the state of the art against PGD attacks. Our formulation involves solving a min-max problem, where the min player sets the parameters of the classifier and the max player is running our attack, and is thus searching for adversarial examples in the {\em low-dimensional} input space of the spanner. All code and models are available at \url{https://github.com/ajiljalal/manifold-defense.git}

Figures (6)

• Figure 1: Attacks against DefenseGAN. The top row shows images from the MNIST test set and the bottom row shows their corresponding perturbed versions. The attacks constructed in the bottom row satsify the perturbation constraint imposed by athalye2018obfuscated and also successfully break DefenseGAN, i.e. are misclassified.
• Figure 2: Pairs of images $G(z)$ and $G(z')$ generated by our overpowered attack, such that they are classified differently by a model trained using the adversarial training algorithm in madry2017towards. These images are used for adversarial training by penalizing the cross entropy loss of the classifier's prediction on pairs of images. We observe that using these images in conjunction with samples from madry2017towards improves robustness. Note that the final evaluation of robustness is performed on the actual MNIST test set images.
• Figure 3: Pairs of images $G(z)$ and $G(z')$ generated by our overpowered attack on a non robust gender classifier on the CelebA dataset. These images are very close but the confidence of the classifier changes drastically. These pairs of images are adversarial attacks for this classifier which lie on the manifold of a generator.
• Figure 4: The softmax output of both the original (blue) and robust adversarially trained (green) classifier on the images generated by the attack on the non-robustified classifier. As shown, the robust projection defense makes the classifier reduce its confidence on such borderline images.
• Figure 5: The average $||C(G(z)) - C(G(z'))||_2$ for pairs $(z, z')$ found by the attack.