RAMP: Boosting Adversarial Robustness Against Multiple $l_p$ Perturbations for Universal Robustness

• Analysis of time per epoch: We present additional results demonstrating the fact that RAMP is more expensive than E-AT and less expensive than MAX. These results, recorded in seconds per epoch, were obtained using a single A100 GPU. RAMP consistently supports that fact in all experiments.

• The trade-off between robustness and accuracy:

It is possible to use RAMP to obtain an accuracy close to the one obtained by E-AT and a better union accuracy by setting a small $\lambda$ value. The clean accuracy drops because our main goal is to improve union accuracy. To improve the clean accuracy of the obtained model, we can set a smaller $\lambda$ value (as shown in Figure 4(a) (b)). For instance, in Figure 4(b), when $\lambda=1$, RAMP has a clean accuracy of 81.9% and union accuracy of 44.4%, compared with E-AT's 82.2% and 42.4%. Thus, one can usually achieve an accuracy close to E-AT and a better robustness by setting a relatively small $\lambda$ value.

Further, we show as follows that RAMP obtains a better robustness and accuracy tradeoff by generalizing better to common corruptions and other unseen adversaries, and the overall gain in robustness is more than the drop in accuracy. Compared with SOTA common corruption model [2] and other pretrained $l_p$ models on wideresnet-28-10 experiment training from scratch on CIFAR-10, RAMP shows the best tradeoff between robustness and accuracy against various kinds of perturbations and corruptions.

For common corruptions, RAMP achieves a 4% improvement compared to E-AT and MAX, averaged across five severity levels and all common corruptions.

For other attack types, such as $l_0$ and other unseen adversaries, RAMP shows the best average and union accuracy, with a 4% improvement over E-AT and a 2% improvement over MAX.

For Resnet-18 training from scratch experiment on CIFAR-10, we also show RAMP outperforms by 0.5% on common corruptions and 7% on union accuracy against unseen adversaries compared with E-AT.

These results highlight that RAMP effectively enhances model robustness across diverse adversarial scenarios and attains a better robustness/accuracy tradeoff evaluated on various kinds of perturbations and corruptions.

[1] Adversarial Robustness against Multiple and Single lp-threat Models via Quick Fine-Tuning of Robust Classifiers.

[2] A Winning Hand: Compressing Deep Networks Can Improve Out-Of-Distribution Robustness.

I thank the authors for their response.

The answer to the first question is clear, thanks to the additional results provided. I strongly encourage you to include these results in the next version of the paper.

The response to the second question is interesting. Noting that 'RAMP obtains a better robustness and accuracy tradeoff by generalizing better to common corruptions and other unseen adversaries' is certainly another valuable contribution. Additionally, I appreciate your emphasis on the importance of the $\lambda$ value in achieving the desired accuracy-robustness trade-off. However, I am somewhat concerned that $\lambda$ may need to be fine-tuned to reach the desired trade-off, as we lack clear evidence that the union accuracy will decrease as minimally as shown in Figure 4 when moving to lower $\lambda$ values. Indeed, that figure refers to only one model, and we have no data on the impact of $\lambda$ when training other models. Fine-tuning can require a lot of computational time, since you shown that training with RAMP may require more than twice the time required by E-AT. Moreover, why did you not consistently choose a smaller $\lambda$ value, even when training from scratch (you set $\lambda=5$ in the paper), to obtain accuracy comparable to E-AT while consistently achieving higher robustness?

To sum up, your analysis has improved my opinion of your work, but there is insufficient evidence regarding the influence of the $\lambda$ value on clean and union accuracy across multiple models to say that the accuracy-robustness trade-off is properly addressed.

Thanks for the quick response. The numbers are different because we regenerated both E-AT (we trained them again) and RAMP results testing on all testing data points instead of the 1000 points in the paper, as suggested by Reviewer jXrr (see our response to Reviewer jXrr).

We thank the reviewer for their detailed reply. We will include the time cost analysis in the next version of the paper. Also, here we provide more results on $\lambda$ value experiments. RAMP can achieve a better robustness-accuracy tradeoff compared with E-AT by choosing consistent $\lambda$ values for multiple models. Here we set $\lambda=0.5$ for robust fine-tuning. Also, we are running from scratch experiments and will report as soon as we have the results.

• Novelty in the algorithm: Firstly, $p_r$ represents the predictions of $l_r$ adversarial examples, not the probability of the clean input. Our logit pairing method differs from TRADES as we only regularize the logits on the correctly predicted $l_r$ adversarial example subset, which TRADES does not consider. This approach enhances union accuracy by aligning the logit distributions of $l_r$ and $l_q$ attacks on the correctly predicted $l_r$ subset. Additionally, in Appendix Table 18, we demonstrate that combining RAMP with TRADES loss improves union accuracy to 45.2% (up from 44.6%) in the WideResNet-28-10 experiment training from scratch. Secondly, Our gradient projection method is more generalizable than traditional methods mitigating the trade-off between accuracy and robustness, such as TRADES [1], MART [2], and HAT [3]. Previous works limit to a certain type of perturbation for better robustness-accuracy tradeoff. However, our gradient projection method is effective for both single (Figures 2 and 3) and multiple perturbations/corruptions (Table 2 and 3, also see in our rebuttal to Reviewer Qhq5).

• Generality of the algorithm: Training for multiple norm robustness allows generalization beyond the threat model used during training [1]. Our method achieves superior average and union accuracy compared to the SOTA common corruption model [5], $l_p$ pretrained models, E-AT, MAX across other perturbations beyond multiple-norm perturbations. Specifically, it obtains good accuracy against common corruptions with five severity levels and shows the best average and union accuracy performance against multiple unseen adversaries. Using WideResNet 28-10 models, RAMP achieves a 4% improvement over E-AT and MAX on common corruptions, averaged across five severity levels. For other attack types, such as $l_0$ and unseen adversaries, RAMP shows the best average and union accuracy, with a 4% improvement over E-AT and 2% over MAX. These results highlight that RAMP effectively enhances model robustness across diverse adversarial scenarios.

• Novelty and precision of the theorem:

The novelty of Theorem 4.5 lies in its consideration of the changing adversarial example distribution $D_{a^t}$ at each time step $t$ to get the convergence proof. To sum over $t=0,\dots,T-1$, we perform some relaxations to obtain the summation for changing distrbutions. Also, for Equation 14, we bound the left-hand side with the maximum $\|\widehat{g_{`Aggr`}}(\widehat{\theta_{`Aggr`}})-\nabla L_{D_{a^t}}(\widehat{\theta_{`Aggr`}})\|^2$ one can get during the optimization steps. Theorem 4.5 links the convergence of the aggregation rule with the delta error analysis in Theorem 4.6. Specifically, Theorem 4.6 demonstrates that a smaller delta error results in better convergence with a tighter bound.

Further, we have carefully checked the theorem and Theorem 4.6 will be updated as follows:

$\Delta^2_{AT} -\Delta^2_{GP} \approx \beta (2 - \beta) E_{\widehat{D_{a^t}}} \|g_{a} -\widehat{g_{a}} \|^2_\pi - \beta^2 \bar\tau^2 \|g_{a} - \widehat{g_{n}}\|^2_\pi$

When $\beta = 0$, the difference between two aggregation errors becomes 0. Further, we estimate the actual values of terms $E_{\widehat{D_{a^t}}} \|g_{a} - \widehat{g_{a}} \|^2_\pi$ (variance), $\|g_{a} -\widehat{g_{n}}\|^2_\pi$ (bias), and $\bar\tau$ using the estimation methods in [4]. We show across different epochs, the delta error difference is always positive, largely because of the small value of $\bar\tau$. We plot the changing of these terms on the ResNet18 experiment with the table and figure in the rebuttal pdf. The order of difference is usually smaller than 1e-8 and approaches the order of 1e-12 in the end.

• The evaluation metric in Figure 2. We want to show our methods can show a better robustness and accuracy tradeoff for both PGD and AutoAttack for a more comprehensive evaluation. As shown in Figure 3, gradient projection also shows a better robustness accuracy tradeoff evaluated by AutoAttack.

• The difference between MAX and RAMP with lambda=0. RAMP with $\lambda = 0$ and not considering the key tradeoff pair will become the same as MAX. Therefore, MAX is a special case of RAMP.

[1] https://arxiv.org/abs/1901.08573

[2] https://openreview.net/forum?id=rklOg6EFwS

[3] https://openreview.net/forum?id=Azh9QBQ4tR7

[4] https://arxiv.org/abs/2302.05049

[5] https://arxiv.org/abs/2106.09129

• The essential meaning of studying this problem:

a) In real-world settings, adversarial attacks often involve multiple types of perturbations, necessitating models to be robust against $l_1$, $l_2$, and $l_\infty$ attacks. For instance, in image recognition: $l_1$ attacks modify key pixels to bypass facial recognition; $l_2$ attacks apply slight blur or noise to fool object detection; $l_\infty$ attacks adjust color balance or contrast to cause misclassification. These examples highlight the need for comprehensive adversarial training. Robustness against multiple $l_p$ perturbations is critical, as it mirrors real-world scenarios where adversaries use a blend of techniques, ensuring the security and reliability of machine learning systems.

b) Training for multiple norm robustness allows generalization beyond the threat model used during training [1]. Our method achieves superior average and union accuracy compared to the SOTA common corruption model [7], $l_p$ pretrained models, E-AT, and MAX across other perturbations beyond multiple-norm perturbations. Specifically, it obtains good accuracy against common corruptions with five severity levels and shows the best average and union accuracy performance against multiple unseen adversaries. Using WideResNet 28-10 models, we observe the following results:

For common corruptions, RAMP achieves a 4% improvement compared to E-AT and MAX, averaged across five severity levels and all common corruptions.

For L0 and other unseen adversaries, RAMP shows the best average and union accuracy, with a 4% improvement over E-AT and a 2% improvement over MAX.

These results highlight the effectiveness of our method in enhancing model robustness across diverse adversarial scenarios.

• Why are distributions distinct? The distributions are distinct because these norms measure distances differently, resulting in different adversarial example distributions. Successful defenses are often tailored to specific perturbation types, providing empirical or certifiable robustness guarantees for those types alone. These defenses typically fail to offer protection against other attacks [1]. Moreover, enhancing robustness against one perturbation type can sometimes increase vulnerability to others [4,5], which further confirms the distinction between multiple-norm distributions.

• What constitutes a reasonable radius setting? The values we are using are standard in the previous literature [1,2,3]; the epsilon values are chosen so that input images can be adversarially perturbed to be misclassified but are “close enough” to the original example to be imperceptible to the human eye [3]. Also, in Table 2 and Appendix Tables 5-16, we show RAMP works not only for the standard choice of epsilons but varying values of epsilons. The reasonable radius setting for various norms should make each pair of two perturbations not include one another. For given epsilon values of $\epsilon_1$, $\epsilon_2$, $\epsilon_\infty$ and $d$ (dimension of the inputs), we need the following relationships to achieve this: $0 \leq \epsilon_1 \leq d \cdot \epsilon_\infty$ $0 \leq \epsilon_2 \leq \sqrt{d} \cdot \epsilon_\infty$ $\frac{\epsilon_1}{\sqrt{d}} \leq \epsilon_2 \leq \epsilon_1$

We check the standard choices of CIFAR10 $\epsilon_1=12, \epsilon_2=0.5, \epsilon_\infty=\frac{8}{255}, d = 3 \cdot 32^2$ and Imagenet $\epsilon_1=255, \epsilon_2=2, \epsilon_\infty=\frac{4}{255}, d = 3 \cdot 224^2$. For CIFAR10, we have $0 \leq 12 \leq 3072\cdot\frac{8}{255}, 0 \leq 0.5 \leq \sqrt{3072}\cdot\frac{8}{255}, \frac{12}{\sqrt{3072}} \leq 0.5 \leq 12$. For Imagenet, we have $0 \leq 255 \leq 150528\cdot\frac{4}{255}, 0 \leq 2 \leq \sqrt{150528}\cdot\frac{4}{255}, \frac{255}{\sqrt{150528}} \leq 2 \leq 255$. Both hold so our choices make three perturbations not include one another. However, the key tradeoff pair always exists. The two perturbations with the largest volumes refer to the strongest attack as the attacker has more search area.

[1] https://arxiv.org/abs/2105.12508

[2] https://arxiv.org/abs/1904.13000

[3] https://arxiv.org/abs/1909.04068

[4] https://openreview.net/forum?id=BJfvknCqFQ

[5] https://arxiv.org/abs/1805.09190

[6] https://arxiv.org/abs/1903.12261

[7] https://arxiv.org/abs/2106.09129

I thank authors for their detailed response.

"In real-world settings, adversarial attacks often involve multiple types of perturbations, necessitating models to be robust against $\ell_1$, $\ell_2$, and $\ell_\infty$ attacks."
There are so many vector norms and matrix norms, why $\ell_1$, $\ell_2$, and $\ell_\infty$ vector norms are important in real-world adversarial attacks? While this work combines previously established norm-based attacks, it appears to be an incremental advancement rather than a fundamental exploration. The crucial question remains unanswered: What intrinsic properties of these three norms make them more suitable for mixture compared to other potential norms? A deeper investigation into this fundamental issue could provide valuable insights and potentially lead to more robust defense mechanisms.

"The distributions are distinct because these norms measure distances differently"
Given that these norms can be bounded by one another, I believe it is more accurate to characterize their relationship as ''correlated'' rather than ''distinct''. Further exploration of this correlation could yield valuable insights.

"$\epsilon_1$, $\epsilon_2$, $\epsilon_\infty$ in experiments"
While the corner cases (or extremal spaces) for different norms are indeed distinct, a critical question remains: What justifies the focus on these three specific norms ($\ell_1$, $\ell_2$, and $\ell_\infty$) rather than exploring corner cases for other norms?

All in all, while this work contributes to the field, it appears to be an incremental advancement. It would be better to explore the above questions. I sit on the fence for this work.

We thank the reviewer for the detailed reply and here we provide further justifications on why $l_1$, $l_2$, $l_\infty$ attacks are important for real-world attacks.

1. We would like to emphasize that the use of $l_1$, $l_2$, and $l_\infty$ norms has been extensively adopted in adversarial learning research, primarily as a foundational approach to enhance robustness against well-defined and mathematically tractable threat models [1,2,3]. While these attack models may appear straightforward, the challenge of developing models that are genuinely robust against them at the same time remains a significant and unresolved issue. The critical importance of these simpler attack paradigms is further underscored by their central role in the most widely used adversarial toolkits, such as Foolbox [4], and in benchmarks like RobustBench [5], which predominantly focus on evaluating robustness against these norm-based attacks. Further, many physical real-world adversarial attacks [7,8,9,10] are based on these norms.

2. RAMP shows a better ability to generalize to more complex norms. For example, in the case of the Wasserstein adversarial attack [11], RAMP outperforms E-AT and MAX by 1-3% across different perturbation sizes, as demonstrated in the table below. Besides, we are happy to try other norms suggested by the reviewer if there are any.

3. Techniques for enhancing $l_1$, $l_2$, and $l_\infty$ robustness can be extended to address perturbation sets that are not easily defined mathematically, such as image corruptions or adversarial lighting variations [6]. Our new results on generalizing to other perturbations and corruptions (see tables in response to reviewers 6TV5, 3Hj9, and Qhq5) confirm that point with the best robustness-accuracy tradeoff among $l_p$ pretrained, SOTA image corruption, E-AT, and MAX models.

In conclusion, RAMP represents an advancement in enhancing union adversarial robustness and the robustness-accuracy tradeoff across norms/perturbations/corruptions, while maintaining a relatively good computational efficiency.

[1] Explaining and harnessing adversarial examples.

[2] Towards evaluating the robustness of neural networks.

[3] Towards Deep Learning Models Resistant to Adversarial Attacks.

[4] https://github.com/bethgelab/foolbox/tree/master

[5] https://robustbench.github.io/

[6] Learning perturbation sets for robust machine learning.

[7] Accessorize to a Crime: Real and Stealthy Attacks on State-of-the-Art Face Recognition.

[8] Robust Physical-World Attacks on Deep Learning Visual Classification.

[9] Physical Adversarial Examples for Object Detectors.

[10] Synthesizing Robust Adversarial Examples.

[11] Stronger and Faster Wasserstein Adversarial Attacks.

• The one main weakness is that Table 1 must be re-generated using all the test set points in CIFAR-10, not just 1000.

Thank you for the valuable suggestion. We have re-evaluated both RAMP and E-AT using the entire CIFAR-10 dataset. The results demonstrate that RAMP consistently enhances union accuracy compared to E-AT (up to 2.2%), corroborating the trend observed in our initial findings. We will update these numbers in the revised version of the paper.

• Presentation-wise, Figure 1 is very confusing; there is no need to plot the t-SNEs of the image when one wants to show classification labels simply. Please consider re-plotting this figure (with a line plot, histogram, etc.). The writing, overall, is ok, but could also be improved: for example, lines 162-167, are approximately repeated from earlier on in the paper.

Thanks for the suggestions on presentation and writing. We replot Figure 1 using histograms on accuracy (included in the rebuttal pdf), using CIFAR-10 training data: the x-axis represents the robustness against different attacks and the y-axis is the accuracy. The figure shows that after 1 epoch of finetuning on $l_1$ examples or performing EAT, we lose much $l_\infty$ robustness since blue/yellow histograms are much lower than the red histogram under the Linf category. In comparison, RAMP preserves both $l_\infty$ and union robustness more effectively compared to E-AT and fine-tuning on $l_1$ examples; the green histogram is higher than the red/yellow histogram under Linf and Union categories. Specifically, RAMP maintains 14%, and 28% more union robustness than E-AT and $l_1$ fine-tuning. Besides, we will make writing more concise in the updated version.