

Abstract

Meta-learning enables a model to learn from very limited data to undertake a new task. In this paper, we study the general meta-learning with adversarial samples. We present a meta-learning algorithm, ADML (ADversarial Meta-Learner), which leverages clean and adversarial samples to optimize the initialization of a learning model in an adversarial manner. ADML leads to the following desirable properties: 1) it turns out to be very effective even in the cases with only clean samples; 2) it is robust to adversarial samples, i.e., unlike other meta-learning algorithms, it only leads to a minor performance degradation when there are adversarial samples; 3) it sheds light on tackling the cases with limited and even contaminated samples. It has been shown by extensive experimental results that ADML outperforms several representative meta-learning algorithms in the cases involving adversarial samples generated by different attack mechanisms, on two widely-used image datasets, MiniImageNet and CIFAR100, in terms of both accuracy and robustness.

1. INTRODUCTION

Deep learning has achieved tremendous success and emerged as the de facto approach in many application domains, such as computer vision and natural language processing; however, it depends heavily on huge amounts of labeled training data. The goal of meta-learning is to enable a model (especially a Deep Neural Network (DNN)) to learn from only a small number of data samples to undertake a new task, which is critically important to machine intelligence but turns out to be very challenging. Currently, the common approach is to train a model for a task from scratch without making use of any previous experience. Specifically, a model is initialized randomly and then updated slowly using gradient descent with a large number of training samples. This kind of time-consuming and data-hungry training process is quite different from the way a human learns quickly from only a few samples, and obviously cannot meet the requirements of meta-learning. Several methods (Finn et al. (2017); Vinyals et al. (2016); Snell et al. (2017); Sung et al. (2018)) have been proposed to address meta-learning by fixing the above issue. For example, a well-known work (Finn et al. (2017)) presents a novel meta-learning algorithm called MAML (Model-Agnostic Meta-Learning), which trains and optimizes the initialization of model parameters carefully such that the model achieves maximal performance on a new task after its parameters are updated through one or just a few gradient steps with a small amount of data. This method is claimed to be model-agnostic since it can be directly applied to any learning model that can be trained with gradient descent.

Robustness is another major concern for machine intelligence, especially for safety-critical applications such as facial recognition, algorithmic trading and copyright control. It has been shown that such learning models can be easily fooled by adversarial manipulation to cause serious security threats (Zhao et al. (2018); Goldblum et al. (2020); Saadatpanah et al. (2019)), which, however, can be properly and effectively handled by conventional adversarial training and pre-processing defenses (Madry et al. (2017); Zhang et al. (2019); Samangouei et al. (2018)). Nonetheless, if the data is limited (e.g., face recognition from few images), the aforementioned pipelines, which require a large amount of training data, suffer from serious performance degradation. Although meta-learning based approaches show great potential for dealing with few-shot tasks, we show via experiments that existing meta-learning algorithms (such as MAML (Finn et al. (2017)), Matching Networks (Vinyals et al. (2016)) and Relation Networks (Sung et al. (2018))) are also vulnerable to adversarial samples, i.e., adversarial samples can lead to a significant performance degradation for meta-learning. To the best of our knowledge, existing works on meta-learning have not yet addressed adversarial samples, which, however, is the main focus of this paper.

In this paper, we extend meta-learning to a whole new dimension by studying how to quickly train a model (especially a DNN) for a new task using a small dataset with both clean and adversarial samples. Since both meta-learning and adversarial learning have been studied recently, a straightforward solution is to simply combine the MAML (Finn et al. (2017)) algorithm with adversarial training (e.g., Goodfellow et al. (2015)). However, our experimental results show that such an approach does not work well. We present a novel ADversarial Meta-Learner (ADML), which utilizes the antagonistic correlation between clean and adversarial samples to let the inner gradient update arm-wrestle with the meta-update, so as to obtain a good and robust initialization of model parameters. Hence, "adversarial" in ADML refers not only to adversarial samples but also to the way the learning model is updated. The design of ADML leads to several desirable properties. First, it turns out to be very effective even in the cases with only clean samples. Second, unlike other meta-learning algorithms, ADML is robust to adversarial samples, since it suffers only a minor performance degradation when encountering adversarial samples, and it outperforms several representative meta-learning algorithms (Finn et al. (2017 2019)) in such cases. In addition, ADML is agnostic to the attack mechanism that generates the adversarial samples. Most importantly, it opens up an interesting research direction and sheds light on dealing with cases with limited and even contaminated samples, which are common in real life.

We conducted a comprehensive empirical study for performance evaluation using two widely-used image datasets, MiniImageNet (Vinyals et al. (2016)) and CIFAR100 (Krizhevsky et al. (2009)). Experimental results justify the effectiveness and superiority of ADML in terms of both accuracy and robustness.

2. RELATED WORK

Meta-Learning: Research on meta-learning has a long history, which can be traced back to some early works (Naik & Mammone (1992); Thrun & Pratt (1998)). Meta-learning, a standard methodology to tackle few-shot learning problems, has recently attracted extensive attention due to its important role in achieving human-level intelligence. Several specialized models (Vinyals et al. (2016); Sung et al. (2018); Bertinetto et al. ( ); Koch et al. (2015); Snell et al. (2017); Sung et al. (2018)) have been proposed for meta-learning, particularly for few-shot classification, by comparing similarity among data samples. Specifically, Koch et al. (2015) leveraged Siamese Networks to rank similarity between input samples and predict whether two samples belong to the same class. In addition, Relation Networks (Sung et al. (2018)) were proposed to classify query images by computing relation scores, which can be extended to few-shot learning. Vinyals et al. (2016) presented a neural network model, Matching Networks, which learns an embedding function and uses the cosine distance in an attention kernel to measure similarity. Another popular approach to meta-learning is to develop a meta-learner to optimize key hyperparameters (e.g., the initialization) of the learning model. Specifically, Finn et al. (2017) presented a model-agnostic meta-learner, MAML, to optimize the initialization of a learning model with the objective of maximizing its performance on a new task after updating its parameters with a small number of samples. Several other methods (Andrychowicz et al. (2016); Ravi & Larochelle (2017); Santoro et al. (2016); Mishra et al. (2018)) utilized an additional neural network, such as an LSTM, to serve as the meta-learner. A seminal work (Andrychowicz et al. (2016)) developed a meta-learner based on LSTMs and showed how the design of an optimization algorithm can be cast as a learning problem. Ravi & Larochelle (2017) proposed another LSTM-based meta-learner to learn a proper parameter update and a general initialization for the learning model. A recent work (Mishra et al. (2018)) presented a class of simple and generic meta-learners that use a novel combination of temporal convolutions and soft attention.

Adversarial Learning: DNN models have been shown to be vulnerable to adversarial samples. In particular, Szegedy et al. (2014) showed that a DNN can be caused to misclassify an image by applying a certain hardly perceptible perturbation, and moreover, the same perturbation can cause a different network (trained on a different subset of the dataset) to misclassify the same input. It has also been shown by Goodfellow et al. (2015) that injecting adversarial samples during training can increase the robustness of DNN models. Papernot et al. (2017) introduced the first practical demonstration of a black-box attack controlling a remotely hosted DNN without either the model


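As an added illustration, not code from the paper and not ADML's own update rule (which the paper does not spell out here), the following numpy script implements the straightforward baseline the introduction mentions, first-order MAML combined with adversarial training in the sense of Goodfellow et al. (2015): the inner step adapts on clean support samples, while the meta-loss averages clean and FGSM-perturbed query samples. The 2-D logistic-regression task family, W_BASE, the step sizes and eps are constructed assumptions; the script meta-learns an initialization and compares one-step adaptation from it against adaptation from an all-zero initialization on clean and adversarial query data.

```python
import numpy as np

# Constructed toy task family (an assumption, not the paper's setup): 2-D logistic
# regression where each task's true weight vector is W_BASE plus task-specific noise,
# so the tasks share structure that a meta-learned initialization can capture.
W_BASE = np.array([2.0, -1.0])

def draw(rng, w_star, n):  # n labelled samples from the task with true weights w_star
    x = rng.standard_normal((n, 2))
    return x, np.where(x @ w_star > 0, 1.0, -1.0)

def loss_and_grad(w, x, y):
    """Mean logistic loss, its gradient w.r.t. w, and per-sample gradients w.r.t. x."""
    margin = y * (x @ w)
    s = 0.5 * (1.0 - np.tanh(margin / 2))  # sigmoid(-margin), numerically stable
    loss = np.mean(np.logaddexp(0.0, -margin))
    return loss, -(s * y) @ x / len(y), -(s * y)[:, None] * w[None, :]

def fgsm(w, x, y, eps):  # fast gradient sign perturbation of the inputs (Goodfellow et al. (2015))
    return x + eps * np.sign(loss_and_grad(w, x, y)[2])

def adapt(w, x, y, alpha):  # inner loop: one gradient step on the clean support set
    return w - alpha * loss_and_grad(w, x, y)[1]

def meta_train(seed=0, iters=300, tasks=4, alpha=0.5, beta=0.1, eps=0.1, n=10):
    """First-order MAML outer loop; the meta-loss averages clean and FGSM query samples."""
    rng, theta = np.random.default_rng(seed), np.zeros(2)
    for _ in range(iters):
        meta_grad = np.zeros(2)
        for _ in range(tasks):
            w_star = W_BASE + 0.3 * rng.standard_normal(2)  # sample a task
            xs, ys = draw(rng, w_star, n)  # support set
            xq, yq = draw(rng, w_star, n)  # query set
            w_adapted = adapt(theta, xs, ys, alpha)
            g_clean = loss_and_grad(w_adapted, xq, yq)[1]
            g_adv = loss_and_grad(w_adapted, fgsm(w_adapted, xq, yq, eps), yq)[1]
            meta_grad += 0.5 * (g_clean + g_adv)  # first-order: d(w_adapted)/d(theta) taken as identity
        theta = theta - beta * meta_grad / tasks
    return theta

def evaluate(theta, seed=1, alpha=0.5, eps=0.1, n=10, n_query=200):
    """One-step adaptation from theta on an unseen task; returns (clean, adversarial) query loss."""
    rng = np.random.default_rng(seed)
    w_star = W_BASE + 0.3 * rng.standard_normal(2)
    xs, ys = draw(rng, w_star, n)
    xq, yq = draw(rng, w_star, n_query)
    w = adapt(np.asarray(theta, dtype=float), xs, ys, alpha)
    clean, adv = loss_and_grad(w, xq, yq)[0], loss_and_grad(w, fgsm(w, xq, yq, eps), yq)[0]
    return float(clean), float(adv)
```

Calling `evaluate(meta_train())` and `evaluate([0.0, 0.0])` with the same seed adapts both initializations on the same unseen task, so the two loss pairs are directly comparable.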