Beyond $L_{p}$ Norms: Delving Deeper into Robustness to Physical Image Transformations

With the increasing adoption of deep learning in computer vision applications, it is critical to achieve robustness to real-world image transformations, such as geometric, photometric, and weather changes, even in the presence of an adversary. However, earlier work has focused on only a few transformations, such as image translation, rotation, or recoloring. We close this gap by analyzing and improving robustness against twenty-four different physical transformations. First, we demonstrate that adversarial attacks based on each of these transformations significantly reduce the accuracy of deep neural networks. Next, we achieve robustness against these attacks through adversarial training, showing that even single-step adversarial data augmentation yields significant gains. We also demonstrate that this robustness generalizes: robustness achieved against one attack often transfers to other attack vectors. Finally, we show that an ensemble-based robust training approach allows a single network to be robust against multiple attacks simultaneously. In particular, our proposed method improves aggregate robustness against all twenty-four attacks from 21.4% to 50.0% on the ImageNet dataset.
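
To make the single-step attack concrete, below is a minimal PyTorch sketch (not the authors' implementation) of a one-step signed-gradient attack on a single physical transformation parameter, here the rotation angle. The function names, the differentiable warp built from `affine_grid`/`grid_sample`, and the ±`eps` budget are illustrative assumptions, not details taken from the paper.

```python
import torch
import torch.nn.functional as F

def rotate(images, angle):
    """Differentiably rotate a batch of images by per-image angles (radians)."""
    cos, sin = torch.cos(angle), torch.sin(angle)
    zeros = torch.zeros_like(angle)
    # Build one 2x3 affine matrix per image in the batch.
    theta = torch.stack(
        [torch.stack([cos, -sin, zeros], dim=-1),
         torch.stack([sin, cos, zeros], dim=-1)],
        dim=-2,
    )
    grid = F.affine_grid(theta, list(images.shape), align_corners=False)
    return F.grid_sample(images, grid, align_corners=False)

def single_step_rotation_attack(model, images, labels, eps=0.2):
    """One signed-gradient (FGSM-style) step on the rotation angle."""
    angle = torch.zeros(images.size(0), device=images.device, requires_grad=True)
    loss = F.cross_entropy(model(rotate(images, angle)), labels)
    (grad,) = torch.autograd.grad(loss, angle)
    adv_angle = (eps * grad.sign()).detach()  # worst-case angle within the ±eps budget
    return rotate(images, adv_angle)
```

Adversarial training in this setting then augments each minibatch with such worst-case views before the usual optimizer step, e.g. `loss = F.cross_entropy(model(single_step_rotation_attack(model, x, y)), y)`; the same pattern extends to other differentiably parameterized transformations, with per-transformation budgets left as assumptions here.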