ARMOURED: Adversarially Robust MOdels using Unlabeled data by REgularizing Diversity

ICLR (2021)

Abstract
Adversarial attacks pose a major challenge for modern deep neural networks. Recent advancements show that adversarially robust generalization requires a huge amount of labeled data for training. If annotation becomes a burden, can unlabeled data help bridge the gap? In this paper, we propose ARMOURED, an adversarially robust training method based on semi-supervised learning that consists of two components. The first component applies multi-view learning to simultaneously optimize multiple independent networks and utilizes unlabeled data to enforce labeling consistency. The second component reduces adversarial transferability among the networks via diversity regularizers inspired by determinantal point processes and entropy maximization. Experimental results show that under small perturbation budgets, ARMOURED is robust against strong adaptive adversaries. Notably, ARMOURED does not rely on generating adversarial samples during training. When used in combination with adversarial training, ARMOURED achieves state-of-the-art robustness against ℓ∞ and ℓ2 attacks for a range of perturbation budgets, while maintaining high accuracy on clean samples. We demonstrate the robustness of ARMOURED on CIFAR-10 and SVHN datasets against state-of-the-art benchmarks in adversarial robust training.