In response to adversarial attacks against visual classifiers that evolve rapidly, with new variants appearing on a monthly basis, numerous defenses have been proposed that aim to generalize against as many known attacks as possible. However, designing a defense that generalizes to all types of attacks is not realistic, because the environment in which defense systems operate is dynamic and comprises a variety of distinct attacks that emerge over time. An approach well matched to such a dynamic environment is a defense system that continuously collects adversarial data online in order to improve itself quickly. We therefore put forward a practical defense deployment against a challenging threat model and propose, for the first time, the Continual Adversarial Defense (CAD) framework, which adapts to sequences of attacks under four principles: (1) continual adaptation to new attacks without catastrophic forgetting, (2) few-shot adaptation, (3) memory-efficient adaptation, and (4) high accuracy on both clean and adversarial data. We explore and integrate state-of-the-art continual learning, few-shot learning, and ensemble learning techniques to satisfy these principles. Extensive experiments validate the effectiveness of our approach against multiple stages of modern adversarial attacks and demonstrate significant improvements over numerous baseline methods. In particular, CAD adapts quickly with a minimal budget and a low cost of defense failure, while maintaining good performance against previously seen attacks. Our research sheds light on a new paradigm for continual defense adaptation against dynamic and evolving attacks.