AutoJoin: Efficient Adversarial Training against Gradient-Free Perturbations for Robust Maneuvering via Denoising Autoencoder and Joint Learning

TL;DR

This work proposes a gradient-free adversarial training technique, named AutoJoin, to effectively and efficiently produce robust models for image-based maneuvering, and achieves significant performance increases up to the 40% range against perturbations while improving on clean performance up to 300%.

Abstract

With the growing use of machine learning algorithms and ubiquitous sensors, many `perception-to-control' systems are being developed and deployed. To ensure their trustworthiness, improving their robustness through adversarial training is one potential approach. We propose a gradient-free adversarial training technique, named AutoJoin, to effectively and efficiently produce robust models for image-based maneuvering. Compared to other state-of-the-art methods with testing on over 5M images, AutoJoin achieves significant performance increases up to the 40% range against perturbations while improving on clean performance up to 300%. AutoJoin is also highly efficient, saving up to 86% time per training epoch and 90% training data over other state-of-the-art techniques. The core idea of AutoJoin is to use a decoder attachment to the original regression model creating a denoising autoencoder within the architecture. This architecture allows the tasks `maneuvering' and `denoising sensor input' to be jointly learnt and reinforce each other's performance.

Figures (4)

• Figure 1: The pipeline of AutoJoin. The clean data comes from real-world driving datasets containing front-facing camera images and their corresponding steering angles. The perturbed data is prepared using various base perturbations and their sampled intensity levels. The steering angle prediction model and denoising autoencoder are jointly learnt to reinforce each other's performance. The resulting predictions and reconstructed images are used to compute the loss for adjusting perturbation intensity levels during learning.
• Figure 2: Sample perturbed images. Single is perturbed by only one of the perturbations outlined in Sec. \ref{['sec:perturbation']} Unseen contains corruptions from ImageNet-C hendrycks2019benchmarking. Single and Unseen are selected with intensities from 0.5 to 1.0 to highlight the perturbation. Combined images have multiple perturbations overlaid, e.g., Set 2 includes G, noise, and blur as the most prominent perturbations.
• Figure 3: Sample images used during training within the SullyChen chen2017sully dataset. The clean image and its perturbed variants using all base perturbations are shown. The intensity level of the images is 0.5, half of the max intensity.
• Figure 4: Sample images with perturbations for the six test categories. A column represents a single image that is either clean or perturbed by one of the five perturbation categories. Single images are perturbed by only one of the perturbations outlined in Sec. \ref{['sec:perturbation']} Unseen images contain corruptions from ImageNet-C hendrycks2019benchmarking. Combined images have multiple perturbations overlaid, for example, the second column image has G, noise, and blur as the most prominent perturbations. FGSM and PGD adversarial examples are also shown at increasing intensities. The visual differences are not salient due to the preservation of gradient-based adversarial attack potency.