Adversarial training (i.e., training on adversarially perturbed input data) is a well-studied method for making neural networks robust to potential adversarial attacks during inference. However, the improved robustness does not come for free but rather is accompanied by a decrease in overall model accuracy and performance. Recent work has shown that, in practical robot learning applications, the effects of adversarial training do not pose a fair trade-off but inflict a net loss when measured in holistic robot performance. This work revisits the robustness-accuracy trade-off in robot learning by systematically analyzing if recent advances in robust training methods and theory in conjunction with adversarial robot learning, are capable of making adversarial training suitable for real-world robot applications. We evaluate three different robot learning tasks ranging from autonomous driving in a high-fidelity environment amenable to sim-to-real deployment to mobile robot navigation and gesture recognition. Our results demonstrate that, while these techniques make incremental improvements on the trade-off on a relative scale, the negative impact on the nominal accuracy caused by adversarial training still outweighs the improved robustness by an order of magnitude. We conclude that although progress is happening, further advances in robust learning methods are necessary before they can benefit robot learning tasks in practice.

翻译：对抗训练（即在对抗扰动输入数据上训练）是一种经充分研究的使神经网络在推理时能抵御潜在对抗攻击的方法。然而，这种鲁棒性的提升并非毫无代价，而是伴随着模型整体准确率和性能的下降。近期研究表明，在实际机器人学习应用中，对抗训练的效果并非公平的权衡，而是当以整体机器人性能衡量时会造成净损失。本文通过系统分析最新鲁棒训练方法与理论结合对抗机器人学习是否能使对抗训练适用于真实世界机器人应用，重新审视了机器人学习中的鲁棒性与准确性权衡。我们评估了三个不同的机器人学习任务，涵盖从适用于模拟到实际部署的高保真环境中的自动驾驶、移动机器人导航到手势识别。结果表明，尽管这些技术在相对尺度上对权衡有所改进，但对抗训练对名义准确率的负面影响仍比所提升的鲁棒性高出一个数量级。我们得出结论，虽然进展正在发生，但鲁棒学习方法仍需进一步发展，才能在实践中真正惠及机器人学习任务。