In response to adversarial attacks against visual classifiers that evolve rapidly, with new attacks appearing on a monthly basis, numerous defenses have been proposed to generalize against as many known attacks as possible. However, designing a defense method that generalizes to all types of attacks is not realistic, because the environment in which defense systems operate is dynamic and comprises various unique attacks that emerge as time goes on. The defense system must gather online few-shot defense feedback to promptly enhance itself, while using memory efficiently. Therefore, we propose the first continual adversarial defense (CAD) framework, which adapts to any attack in a dynamic scenario where various attacks emerge stage by stage. In practice, CAD is modeled under four principles: (1) continual adaptation to new attacks without catastrophic forgetting, (2) few-shot adaptation, (3) memory-efficient adaptation, and (4) high accuracy on both clean and adversarial images. We explore and integrate cutting-edge continual learning, few-shot learning, and ensemble learning techniques to satisfy these principles. Experiments conducted on CIFAR-10 and ImageNet-100 validate the effectiveness of our approach against multiple stages of modern adversarial attacks and demonstrate significant improvements over numerous baseline methods. In particular, CAD is capable of adapting quickly with minimal feedback and at a low cost of defense failure, while maintaining good performance against previous attacks. Our research sheds light on a brand-new paradigm for continual defense adaptation against dynamic and evolving attacks.