Training GANs (including cGANs), however, are known to be often hard and highly unstable [46]. Numerous techniques have thus been proposed to tackle the issue from different angles, e.g., improving architectures [32, 56, 7], losses and regularizers [16, 38, 20] and other training heuristics [46, 51, 8].

Further, thetrainingprocedure (optimizer, numberoftrainingsteps, learningratedecayschedule, etc.) is notstandardized.

Given a text description, we immediately imagine an overall visual impression using this prior and, based on this, we draw a picture by progressively adding more andmore details.

While many techniques for detecting these attacks have been proposed, theyareeasily bypassed when theadversary hasfullknowledge of the detection mechanism and adapts the attack strategy accordingly. In this paper,we adopt anovel perspectiveand regard the omnipresence of adversarial perturbations asastrength rather thanaweakness.

Deep networks achieve impressive accuracy and wide adoption in computer vision [17], speech recognition [14], and natural language processing [21].

Are Labels Requiredfor Improving Adversarial Robustness?

Neural Information Processing Systems http://nips.cc/

Adversarial training [10, 16, 18], which injects adversarially perturbed dataintotraining data,isapromising approach. Many other heuristics have been developed to make neural networks insensitive against small perturbations on inputs.

The notion ofmargin,minimum distance toadecision boundary,has served as the foundation of several theoretically profound and empirically successful results for both classification and regression tasks.

Wethen show how adversarialtraining can defend against such attacks by preventing the model from learningtrends specific to individual parties data, thereby also guaranteeing party-level membershipprivacy.