Decentralized Adversarial Training over Graphs

Ying Cao, Elsa Rizk, Stefan Vlaski, Ali H. Sayed

TL;DR

Decentralized Adversarial Training over Graphs tackles robustness of multi-agent learning under worst-case perturbations by formulating $J(w)=\sum_k \pi_k J_k(w)$ with $J_k(w)=\mathbb{E}_{x_k,y_k}\{\max_{\|\delta\|_{p_k}\le \epsilon_k} Q_k(w;x_k+\delta,y_k)\}$. It introduces two fully decentralized schemes based on diffusion (ATC) and consensus, analyzes convergence in strongly-convex, convex, and non-convex settings using affine-Lipschitz gradient properties and the Moreau envelope, and demonstrates empirically that graph topology enhances robustness relative to centralized and non-cooperative baselines. Key results show linear convergence to a small neighborhood in strongly-convex cases, sublinear and $O(1/(\mu N))$ behavior in convex settings, and provable near-stationarity in non-convex regimes with an $O(1/(\mu N))$ rate and $O(\epsilon^2)$ error terms. Across simulations on MNIST and CIFAR-10, diffusion and consensus strategies consistently improve robustness against a range of attacks, with heterogeneous perturbation models further illustrating the benefits of distributed, graph-structured collaboration.

Abstract

The vulnerability of machine learning models to adversarial attacks has been attracting considerable attention in recent years. Most existing studies focus on the behavior of stand-alone single-agent learners. In comparison, this work studies adversarial training over graphs, where individual agents are subjected to perturbations of varied strength levels across space. It is expected that interactions by linked agents, and the heterogeneity of the attack models that are possible over the graph, can help enhance robustness in view of the coordination power of the group. Using a min-max formulation of distributed learning, we develop a decentralized adversarial training framework for multi-agent systems. Specifically, we devise two decentralized adversarial training algorithms by relying on two popular decentralized learning strategies--diffusion and consensus. We analyze the convergence properties of the proposed framework for strongly-convex, convex, and non-convex environments, and illustrate the enhanced robustness to adversarial attacks.

Paper Structure

This paper contains 29 sections, 13 theorems, 280 equations, 9 figures, 2 tables, 2 algorithms.

Key Result

Lemma 1

(Affine Lipschitz) For each agent $k$, and any $w_1, w_2, \delta_1, \delta_2$, it holds that where the $\ell_{p_k}$-norms of $\delta_1$ and $\delta_2$ are bounded by $\epsilon_k$. Specifically, when the solution of (maximizer_t) is unique, $f_k(w;\boldsymbol{x}_k, \boldsymbol{y}_k)$ is differentiable. Then, the gradient of $f_k(w;\boldsymbol{x}_k, \boldsymbol{y}_k)$ is affine Lipschitz, nam which

Figures (9)

  • Figure 1: The randomly generated graph structures used in the experiments. (a) Graph for convex scenario (MNIST and CIFAR10). (b) Graph for non-convex scenario (MNIST). (c) Graph for non-convex scenario (CIFAR10). The process of generating the graph structures consists of the following two steps: (1) For a graph with $K$ nodes, we randomly generate an adjacency matrix $D$ that represents a connected graph. Specifically, for any two nodes $\ell$ and $k$ with coordinates drawn from a uniform distribution, an edge is formed between them if their mean squared distance is smaller than a predefined threshold (e.g., 0.3), and we set $D_{\ell k} = D_{k \ell} = 1$. We repeat this process until a connected graph is generated. The connectivity of the graph is verified by the Laplacian matrix: if the second smallest eigenvalue of the Laplacian matrix is non-zero, then the graph is connected. (2) Given the adjacency matrix $D$, we generate the weights $a_{\ell k}$ between any two nodes $\ell$ and $k$ using the Metropolis rule from Sayed (2014).
  • Figure 2: Convergence plots for the two datasets using the logistic loss. The legends show the decentralized strategy used in the training phase. (a) The evolution of the average classification error across all agents over $\ell_2$ adversarial examples bounded by $\epsilon_k = 4$ during training for MNIST. (b)--(d) follow a similar logic but for different norms and datasets.
  • Figure 3: Robustness plots for the two datasets in convex environments. (a) Average classification error over the graph versus perturbation size for MNIST under $\ell_2$ attacks. The legends indicate the perturbation bound used in the training phase and the attack method in the test phase. For instance, $\epsilon = 0$ (FGM) corresponds to the robustness of the clean network to the FGM attack. Also, the title of the plot shows the decentralized strategy used in the training phase. (b)--(h) follow a similar logic but for different norms, datasets and decentralized strategies.
  • Figure 4: Visualization of the original and adversarial samples. The first row consists of 10 random original samples with the titles representing their true classes. The second row shows the adversarial examples generated by DeepFool and applied to a graph trained by the standard nonrobust algorithm. The third row shows the results obtained by the adversarial diffusion algorithm. The titles are the predictions by the corresponding models. The same construction is repeated in the last two rows using FGM. If the prediction of an image is wrong, the title is shown in red color. It is seen that the adversarial algorithm fails less frequently.
  • Figure 5: Convergence plots for the two datasets in non-convex environments. The legends show the strategy and whether the results correspond to training or test data used in the training phase. For example, a label such as "Train-consensus" represents the evolution of the training error when using the consensus strategy. (a) The evolution of the average classification error across all agents over $\ell_2$ adversarial examples bounded by $\epsilon_k = 2$ during training for MNIST. (b)--(d) follow a similar logic but for different norms and datasets.
  • ...and 4 more figures
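The two-step graph construction from the Figure 1 caption (random geometric adjacency, Laplacian connectivity check, Metropolis combination weights), written here as an added Python example rather than the authors' code. It assumes 2-D coordinates and, for the Metropolis rule, that the neighbourhood size $n_k$ counts node $k$ itself; the doubly-stochastic check at the end is the property the diffusion and consensus analyses rely on.

```python
import numpy as np


def adjacency_from_edges(K, edges):
    """Build a symmetric 0/1 adjacency matrix without self-loops (test helper)."""
    D = np.zeros((K, K))
    for l, k in edges:
        D[l, k] = D[k, l] = 1.0
    return D


def is_connected(D):
    """Algebraic connectivity test from the caption: the second smallest
    eigenvalue of the Laplacian L = diag(deg) - D must be non-zero."""
    L = np.diag(D.sum(axis=1)) - D
    eig = np.linalg.eigvalsh(L)          # ascending order, eig[0] == 0
    return bool(eig[1] > 1e-10)


def random_connected_graph(K, threshold=0.3, seed=None, max_tries=1000):
    """Step (1): draw uniform 2-D coordinates (assumption), link nodes whose
    mean squared coordinate distance is below `threshold`, redraw until connected."""
    rng = np.random.default_rng(seed)
    for _ in range(max_tries):
        coords = rng.uniform(size=(K, 2))
        diff = coords[:, None, :] - coords[None, :, :]
        msd = np.mean(diff ** 2, axis=2)     # K x K mean squared distances
        D = (msd < threshold).astype(float)
        np.fill_diagonal(D, 0.0)             # D_kk is not an edge
        if is_connected(D):
            return D
    raise RuntimeError("no connected graph found within max_tries")


def metropolis_weights(D):
    """Step (2): Metropolis rule a_lk = 1 / max(n_l, n_k) for neighbours l != k,
    a_kk = 1 - sum of the other weights in column k, with n_k = |N_k| counting
    k itself (assumption, following Sayed's convention)."""
    K = D.shape[0]
    n = D.sum(axis=1) + 1.0
    A = np.zeros((K, K))
    for k in range(K):
        for l in range(K):
            if l != k and D[l, k] > 0:
                A[l, k] = 1.0 / max(n[l], n[k])
        A[k, k] = 1.0 - A[:, k].sum()
    return A


def is_doubly_stochastic(A, tol=1e-9):
    """Non-negative entries, columns and rows summing to one."""
    return bool(np.all(A >= -tol) and np.allclose(A.sum(axis=0), 1.0, atol=tol)
                and np.allclose(A.sum(axis=1), 1.0, atol=tol))
```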

Theorems & Definitions (27)

  • Lemma 1
  • Theorem 1
  • Lemma 2
  • Theorem 2
  • Corollary 1
  • Lemma 3
  • Lemma 4
  • Lemma 5
  • Theorem 3
  • Lemma 6
  • ...and 17 more