
Defense without Forgetting: Continual Adversarial Defense with Anisotropic & Isotropic Pseudo Replay

Yuhang Zhou, Zhongyun Hua

TL;DR

The paper addresses continual adversarial defense where attacks arrive sequentially, risking catastrophic forgetting of previous defenses. It introduces Anisotropic & Isotropic Replay (AIR), a memory-free baseline that combines isotropic replay for neighborhood consistency, anisotropic mix-distill for richer semantics, and a regularizer to balance plasticity and stability, all within a self-distillation pseudo-replay framework. The approach yields an end-to-end loss that unifies adversarial training with pseudo-replay losses, achieving robustness across attack sequences and often approaching or exceeding Joint Training without data reuse. Empirical evaluation on MNIST, CIFAR-10, and CIFAR-100 demonstrates AIR's ability to mitigate forgetting, align feature distributions across attacks, and provide practical continual defense under varying attack budgets and sequences.

Abstract

Deep neural networks have demonstrated susceptibility to adversarial attacks. Adversarial defense techniques often focus on the one-shot setting to maintain robustness against a single attack. However, new attacks can emerge in sequence in real-world deployment scenarios. As a result, it is crucial for a defense model to constantly adapt to new attacks, but the adaptation process can lead to catastrophic forgetting of previously defended-against attacks. In this paper, we discuss for the first time the concept of continual adversarial defense under a sequence of attacks, and propose a lifelong defense baseline called Anisotropic & Isotropic Replay (AIR), which offers three advantages: (1) Isotropic replay ensures model consistency in the neighborhood distribution of new data, indirectly aligning the output preference between old and new tasks. (2) Anisotropic replay enables the model to learn a compromise data manifold with fresh mixed semantics for further replay constraints and potential future attacks. (3) A straightforward regularizer mitigates the 'plasticity-stability' trade-off by aligning model output between new and old tasks. Experimental results demonstrate that AIR can approximate or even exceed the empirical performance upper bounds achieved by Joint Training.

Paper Structure (19 sections, 9 equations, 6 figures, 5 tables)

Figures (6)

  • Figure 1: The difference between one-shot defense and continual defense. The model diagram on the left shows that one-shot defense studies an isolated Min-Max process and implicitly assumes the potential attack is static. For a continual attack sequence, the indispensable adaptation process introduces the additional challenge of catastrophic forgetting of previous attacks. Therefore, a deployable adversarial defense should be a lifelong learning task rather than a one-shot task. We propose a self-distillation pseudo-replay baseline to alleviate catastrophic forgetting against an attack sequence, indicated by the model diagram on the right.
  • Figure 2: Catastrophic forgetting verification of a one-shot defense model in the continual defense scenario. The horizontal axis can be considered as a timestamp, where time '1' represents the model adapting to TASK 1, and time '2' represents the sequential adaptation to all attack tasks in the sequence. TASK 1 and TASK 2 depend on the specific sequence. For example, in the first subfigure, TASK 1 and TASK 2 refer to None Attack and FGSM Attack, respectively.
  • Figure 3: Framework of our AIR. The upper module (in yellow block) consists of the anisotropic replay module and isotropic replay module, aiming to maintain the memory of old tasks. The lower module (in red block) is the vanilla adversarial training with R-Drop for new attacks. The three main loss functions are highlighted in the gray circular box.
  • Figure 4: Achievement of chain consistency of our AIR in end-to-end paradigm. Models with $*$ superscripts (such as $f^{*}_{t}$) are additionally trained independently of the main pipeline.
  • Figure 5: Ablation analysis of the 'from hard to easy' attacks on CIFAR10. We report its results after learning the whole attack sequence.
  • ...and 1 more figure