International Conference on Computer and Knowledge Engineering

Home / 13th International Conference on Computer and Knowledge Engineering

A large input-space-margin approach for adversarial training

Authors :

Reihaneh Nikouei¹ Mohammad Taheri²

1- Department of Computer Science and Engineering, Shiraz University, Shiraz, Iran. 2- Department of Computer Science and Engineering, Shiraz University, Shiraz, Iran.

Keywords :

Adversarial attack،Large margin،Input space،Defense method

Abstract :

It is shown that machine learning models are vulnerable to adversarial attacks. Therefore, different defense methods such as adversarial training have been proposed to improve models’ robustness against these attacks. Some recent approaches proposed to structurally improve the robustness of the models. For example, large margin methods try to increase a margin, empty of instances, along decision boundaries that structurally increase necessary change to modify a training instance to an adversarial one. However, nonlinear large-margin models, maximize the margin in a high dimensional space although adversarial examples are generated with a little change in the original space. In this paper, a novel mixed approach is proposed, called LIM (Large Input Margin) to improve the robustness of the model by minimizing both structural and empirical risks. Specifically, both training and adversarial example generation are done based on a loss function to maximize the margin in the original feature space even in a non-linear model. The proposed method is evaluated with FGSM and PGD attacks on MNIST and CIFAR10 datasets. The experimental results show that LIM method outperforms the state-of-the-art defense methods significantly and improves adversarial robustness against FGSM and PGD attacks on both datasets.