In this work, we leverage visual prompting (VP) to improve the adversarial robustness of a fixed, pre-trained model at test time. Compared to conventional adversarial defenses, VP allows us to design universal (i.e., data-agnostic) input prompting templates, which have plug-and-play capabilities at test time to achieve the desired model performance without introducing significant computational overhead. Although VP has been successfully applied to improving model generalization, it remains elusive whether and how it can be used to defend against adversarial attacks. We investigate this problem and show that the vanilla VP approach is not effective for adversarial defense, since a single universal input prompt lacks the capacity for robust learning against sample-specific adversarial perturbations. To address this, we propose a new VP method, termed Class-wise Adversarial Visual Prompting (C-AVP), which generates class-wise visual prompts so as to not only leverage the strengths of an ensemble of prompts but also optimize their interrelations to improve model robustness. Our experiments show that C-AVP outperforms the conventional VP method, with a 2.1X standard accuracy gain and a 2X robust accuracy gain. Compared to classical test-time defenses, C-AVP also yields a 42X inference-time speedup.
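To make the class-wise prompting idea concrete, the following is a minimal sketch (not the authors' implementation) of one plausible C-AVP inference rule: each class c carries its own additive prompt p_c, and the prediction is the class whose own prompt maximizes that class's logit under the frozen model, i.e., y_hat = argmax_c f(x + p_c)[c]. The linear "model" here is a stand-in assumption for illustration only.

```python
# Hedged sketch of class-wise visual prompting inference (hypothetical,
# not the paper's code). A frozen classifier f is approximated here by a
# random linear map; in practice f would be a pre-trained vision model.
import numpy as np

rng = np.random.default_rng(0)
num_classes, dim = 3, 8

W = rng.normal(size=(num_classes, dim))        # stand-in for frozen model f
prompts = rng.normal(size=(num_classes, dim))  # one additive prompt per class

def logits(x):
    """Frozen model: returns one logit per class for input x."""
    return W @ x

def cavp_predict(x, prompts):
    """Score class c by its own logit on the input shifted by prompt p_c,
    then predict the class with the highest such score."""
    scores = np.array([logits(x + prompts[c])[c] for c in range(num_classes)])
    return int(np.argmax(scores))

x = rng.normal(size=dim)
pred = cavp_predict(x, prompts)
print(pred)  # an integer class index in [0, num_classes)
```

In this sketch the prompts are random; in C-AVP they would be trained adversarially with additional terms coupling the class-wise prompts, which is what distinguishes it from optimizing a single universal prompt.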