RAMP: Boosting Adversarial Robustness Against Multiple $l_p$ Perturbations

There is considerable work on improving robustness against adversarial attacks bounded by a single $l_p$ norm using adversarial training (AT). However, the multiple-norm robustness (union accuracy) of AT models is still low. We observe that simultaneously obtaining good union and clean accuracy is hard since there are tradeoffs between robustness against multiple $l_p$ perturbations, and accuracy/robustness/efficiency. By analyzing the tradeoffs from the lens of distribution shifts, we identify the key tradeoff pair among $l_p$ attacks to boost efficiency and design …

accuracy adversarial adversarial attacks adversarial training attacks boosting cs.lg good low multiple norm observe ramp robustness training union work