In many real-world applications of Machine Learning it is of paramount importance not only to provide accurate predictions, but also to ensure certain levels of robustness. Adversarial Training is a training procedure aiming at providing models that are robust to worst-case perturbations around predefined points. Unfortunately, one of the main issues in adversarial training is that robustness w.r.t. gradient-based attackers is always achieved at the cost of prediction accuracy. In this paper, a new algorithm, called Wasserstein Projected Gradient Descent (WPGD), for adversarial training is proposed. WPGD provides a simple way to obtain cost-sensitive robustness, resulting in a finer control of the robustness-accuracy trade-off. Moreover, WPGD solves an optimal transport problem on the output space of the network and it can efficiently discover directions where robustness is required, allowing to control the directional trade-off between accuracy and robustness. The proposed WPGD is validated in this work on image recognition tasks with different benchmark datasets and architectures. Moreover, real world-like datasets are often imbalanced: this paper shows that when dealing with such type of datasets, the performance of adversarial training are mainly affected in term of standard accuracy.

在机器学习的许多实际应用中，最重要的是不仅要提供准确的预测，而且要确保一定程度的鲁棒性。对抗训练是一种训练程序，旨在提供对预定义点周围的最坏情况摄动具有鲁棒性的模型。不幸的是，对抗训练中的主要问题之一是，基于梯度的攻击者的鲁棒性总是以预测准确性为代价的。在本文中，提出了一种用于对抗训练的新算法，称为Wasserstein投影梯度下降（WPGD）。WPGD提供了一种简单的方法来获得对成本敏感的鲁棒性，从而可以更好地控制鲁棒性与准确性之间的权衡。此外，WPGD解决了网络输出空间上的最佳传输问题，它可以有效地发现需要鲁棒性的方向，从而可以控制精度和鲁棒性之间的方向权衡。在具有不同基准数据集和体系结构的图像识别任务中，对本文提出的WPGD进行了验证。此外，现实世界中的数据集通常不平衡：本文表明，在处理此类数据集时，对抗性训练的性能主要受到标准准确性的影响。