Adversarial Training: The Core Defense with Real Cost Trade-offs

How Adversarial Training Works

Adversarial training augments training data with adversarial examples—inputs specifically crafted to fool the model. Generate perturbations that maximize model error while staying within realistic bounds, then train the model to correctly classify both original and perturbed examples. The model learns to be robust to the types of manipulation attackers might use.

Core Method: For each training example, compute the gradient of loss with respect to input features, then perturb features in the direction that increases loss. Add these adversarial examples to training with correct labels. The model learns smoother decision boundaries less susceptible to small input changes.

The Accuracy Trade-off

Adversarial training typically reduces accuracy on clean (non-adversarial) data by 2-5%. The model becomes more conservative, trading precision for robustness. This trade-off is often acceptable: a 3% accuracy drop that prevents 80% of adversarial attacks may be net positive for fraud detection where attack success costs more than false positives.

Computational Cost

Generating adversarial examples requires computing gradients for each training sample—typically 2-10x training time increase. Fast methods (FGSM - Fast Gradient Sign Method) are cheaper but less effective than iterative methods (PGD - Projected Gradient Descent). Balance computational budget against robustness requirements.

Production Insight: Apply adversarial training selectively to high-value models where attack risk is high. Not every model needs robustness—the computational cost may not be justified for low-stakes predictions.

Perturbation Bounds

Define realistic perturbation bounds based on what attackers can actually control. Fraudsters cannot change account age but can change transaction timing. Constrain adversarial perturbations to controllable features within realistic ranges.