Giulio Zizzo,Ambrish Rawat,Mathieu Sinn,Beat Buesser

DOI: https://doi.org/10.48550/arXiv.2012.01791

IF: 5.414

2020-12-03

Machine Learning

Abstract:Federated learning (FL) is one of the most important paradigms addressing privacy and data governance issues in machine learning (ML). Adversarial training has emerged, so far, as the most promising approach against evasion threats on ML models. In this paper, we take the first known steps towards federated adversarial training (FAT) combining both methods to reduce the threat of evasion during inference while preserving the data privacy during training. We investigate the effectiveness of the FAT protocol for idealised federated settings using MNIST, Fashion-MNIST, and CIFAR10, and provide first insights on stabilising the training on the LEAF benchmark dataset which specifically emulates a federated learning environment. We identify challenges with this natural extension of adversarial training with regards to achieved adversarial robustness and further examine the idealised settings in the presence of clients undermining model convergence. We find that Trimmed Mean and Bulyan defences can be compromised and we were able to subvert Krum with a novel distillation based attack which presents an apparently "robust" model to the defender while in fact the model fails to provide robustness against simple attack modifications.

Xiaoyu Liang,Yaguan Qian,Jianchang Huang,Xiang Ling,Bin Wang,Chunming Wu,Wassim Swaileh

DOI: https://doi.org/10.1016/j.patrec.2023.07.009

2022-01-01

Abstract:The previous adversarial training methods tended to use a larger uniform perturbation budget to obtain an inclusive decision boundary, which improved robustness. However, this large uniform perturbation budget will bring an unnecessary increase in the margin along adversarial directions, causing heavy cross-over between natural and adversarial examples. It is not conducive to balancing the trade-off between robustness and natural accuracy. In this paper, we propose a novel adversarial training scheme, namely Moderate-Margin Adversarial Training (MMAT), to achieve a better trade-off. Specifically, we generate finer-grained adversarial examples to mitigate the cross-over between them and natural examples of neighboring classes. Meanwhile, we design a hybrid loss to learn adversarial examples and natural examples respectively to further obtain a moderate decision boundary. Extensive experiments show MMAT achieves high natural accuracy and robustness under both black-box and white-box attacks. Especially, state-of-the-art robustness and natural accuracy are achieved on SVHN.

Jie Zhang,Bo Li,Chen Chen,Lingjuan Lyu,Shuang Wu,Shouhong Ding,Chao Wu

DOI: https://doi.org/10.48550/arXiv.2302.09479

2023-02-19

Abstract:In Federated Learning (FL), models are as fragile as centrally trained models against adversarial examples. However, the adversarial robustness of federated learning remains largely unexplored. This paper casts light on the challenge of adversarial robustness of federated learning. To facilitate a better understanding of the adversarial vulnerability of the existing FL methods, we conduct comprehensive robustness evaluations on various attacks and adversarial training methods. Moreover, we reveal the negative impacts induced by directly adopting adversarial training in FL, which seriously hurts the test accuracy, especially in non-IID settings. In this work, we propose a novel algorithm called Decision Boundary based Federated Adversarial Training (DBFAT), which consists of two components (local re-weighting and global regularization) to improve both accuracy and robustness of FL systems. Extensive experiments on multiple datasets demonstrate that DBFAT consistently outperforms other baselines under both IID and non-IID settings.

Machine Learning,Artificial Intelligence,Cryptography and Security

Yayu Luo,Tongzhijun Zhu,Zediao Liu,Tenglong Mao,Ziyi Chen,Huan Pi,Ying Lin

DOI: https://doi.org/10.1016/j.future.2024.06.030

IF: 7.307

2024-06-19

Future Generation Computer Systems

Abstract:As privacy concerns and regulatory constraints on data protection continue to grow, the distribution of collected data has become more dispersed, resembling a "data silo" style. To harness these data effectively without exchanging raw data, federated learning has emerged as a prominent solution. However, distributions of user-generated data often exhibit imbalances between devices and labels, which adversely affect model performance, especially in the presence of adversarial attacks, making models more susceptible. To address the challenge of balancing natural accuracy and robustness in federated training, especially under skewed label distribution scenarios, we propose a novel approach based on Generative Adversarial Networks for Federated Adversarial Training (GANFAT). GANFAT leverages GAN to enhance the authenticity and effectiveness of adversarial samples and addresses label distribution skew issues by incorporating class probability distribution information. Through a balanced interplay of natural accuracy loss and adversarial loss, GANFAT demonstrates significantly superior performance across multiple datasets under various settings compared to other frameworks. Particularly on the SVHN dataset, GANFAT achieves a remarkable 9.30% enhancement in robustness against FGSM attacks compared to the best baseline method (FedRBN). On the CIFAR-100 dataset, GANFAT showcases a noteworthy 6.68% improvement in natural accuracy compared to the best baseline method (CalFAT). GANFAT provides a powerful solution for confronting diverse attacks, yielding models comparable to those produced by centralized training. Experimental results underscore GANFAT's outstanding performance, offering a robust solution for scenarios characterized by uneven data distribution and adversarial attacks.

computer science, theory & methods

Yayu Luo,Tongzhijun Zhu,Zediao Liu,Tenglong Mao,Ziyi Chen,Huan Pi,Ying Lin

DOI: https://doi.org/10.1016/j.future.2024.06.030

2024-01-01

Abstract:As privacy concerns and regulatory constraints on data protection continue to grow, the distribution of collected data has become more dispersed, resembling a ”data silo” style. To harness these data effectively without exchanging raw data, federated learning has emerged as a prominent solution. However, distributions of user-generated data often exhibit imbalances between devices and labels, which adversely affect model performance, especially in the presence of adversarial attacks, making models more susceptible. To address the challenge of balancing natural accuracy and robustness in federated training, especially under skewed label distribution scenarios, we propose a novel approach based on Generative Adversarial Networks for Federated Adversarial Training (GANFAT). GANFAT leverages GAN to enhance the authenticity and effectiveness of adversarial samples and addresses label distribution skew issues by incorporating class probability distribution information. Through a balanced interplay of natural accuracy loss and adversarial loss, GANFAT demonstrates significantly superior performance across multiple datasets under various settings compared to other frameworks. Particularly on the SVHN dataset, GANFAT achieves a remarkable 9.30% enhancement in robustness against FGSM attacks compared to the best baseline method (FedRBN). On the CIFAR-100 dataset, GANFAT showcases a noteworthy 6.68% improvement in natural accuracy compared to the best baseline method (CalFAT). GANFAT provides a powerful solution for confronting diverse attacks, yielding models comparable to those produced by centralized training. Experimental results underscore GANFAT’s outstanding performance, offering a robust solution for scenarios characterized by uneven data distribution and adversarial attacks.

Yu Qiao,Chaoning Zhang,Apurba Adhikary,Choong Seon Hong

2024-04-10

Abstract:Federated learning (FL) is a privacy-preserving distributed framework for collaborative model training on devices in edge networks. However, challenges arise due to vulnerability to adversarial examples (AEs) and the non-independent and identically distributed (non-IID) nature of data distribution among devices, hindering the deployment of adversarially robust and accurate learning models at the edge. While adversarial training (AT) is commonly acknowledged as an effective defense strategy against adversarial attacks in centralized training, we shed light on the adverse effects of directly applying AT in FL that can severely compromise accuracy, especially in non-IID challenges. Given this limitation, this paper proposes FatCC, which incorporates local logit \underline{C}alibration and global feature \underline{C}ontrast into the vanilla federated adversarial training (\underline{FAT}) process from both logit and feature perspectives. This approach can effectively enhance the federated system's robust accuracy (RA) and clean accuracy (CA). First, we propose logit calibration, where the logits are calibrated during local adversarial updates, thereby improving adversarial robustness. Second, FatCC introduces feature contrast, which involves a global alignment term that aligns each local representation with unbiased global features, thus further enhancing robustness and accuracy in federated adversarial environments. Extensive experiments across multiple datasets demonstrate that FatCC achieves comparable or superior performance gains in both CA and RA compared to other baselines.

Machine Learning,Artificial Intelligence,Computer Vision and Pattern Recognition

Chengze Jiang,Junkai Wang,Minjing Dong,Jie Gui,Xinli Shi,Yuan Cao,Yuan Yan Tang,James Tin-Yau Kwok

2024-09-26

Abstract:Adversarial training has achieved remarkable advancements in defending against adversarial attacks. Among them, fast adversarial training (FAT) is gaining attention for its ability to achieve competitive robustness with fewer computing resources. Existing FAT methods typically employ a uniform strategy that optimizes all training data equally without considering the influence of different examples, which leads to an imbalanced optimization. However, this imbalance remains unexplored in the field of FAT. In this paper, we conduct a comprehensive study of the imbalance issue in FAT and observe an obvious class disparity regarding their performances. This disparity could be embodied from a perspective of alignment between clean and robust accuracy. Based on the analysis, we mainly attribute the observed misalignment and disparity to the imbalanced optimization in FAT, which motivates us to optimize different training data adaptively to enhance robustness. Specifically, we take disparity and misalignment into consideration. First, we introduce self-knowledge guided regularization, which assigns differentiated regularization weights to each class based on its training state, alleviating class disparity. Additionally, we propose self-knowledge guided label relaxation, which adjusts label relaxation according to the training accuracy, alleviating the misalignment and improving robustness. By combining these methods, we formulate the Self-Knowledge Guided FAT (SKG-FAT), leveraging naturally generated knowledge during training to enhance the adversarial robustness without compromising training efficiency. Extensive experiments on four standard datasets demonstrate that the SKG-FAT improves the robustness and preserves competitive clean accuracy, outperforming the state-of-the-art methods.

Computer Vision and Pattern Recognition,Artificial Intelligence

Yu Qiao,Apurba Adhikary,Chaoning Zhang,Choong Seon Hong

2024-03-05

Abstract:Federated learning (FL) is a privacy-preserving distributed management framework based on collaborative model training of distributed devices in edge networks. However, recent studies have shown that FL is vulnerable to adversarial examples (AEs), leading to a significant drop in its performance. Meanwhile, the non-independent and identically distributed (non-IID) challenge of data distribution between edge devices can further degrade the performance of models. Consequently, both AEs and non-IID pose challenges to deploying robust learning models at the edge. In this work, we adopt the adversarial training (AT) framework to improve the robustness of FL models against adversarial example (AE) attacks, which can be termed as federated adversarial training (FAT). Moreover, we address the non-IID challenge by implementing a simple yet effective logits calibration strategy under the FAT framework, which can enhance the robustness of models when subjected to adversarial attacks. Specifically, we employ a direct strategy to adjust the logits output by assigning higher weights to classes with small samples during training. This approach effectively tackles the class imbalance in the training data, with the goal of mitigating biases between local and global models. Experimental results on three dataset benchmarks, MNIST, Fashion-MNIST, and CIFAR-10 show that our strategy achieves competitive results in natural and robust accuracy compared to several baselines.

Computer Vision and Pattern Recognition

Jianhua Wang,Xuyang Lei,Min Liang,Jelena Misic,Vojislav B. Misic,Xiaolin Chang

DOI: https://doi.org/10.1109/icc51166.2024.10622742

2024-01-01

Abstract:Federated Learning (FL), as a privacy-oriented distributed machine learning paradigm, can obtain a well-trained global model without private dataset transferring. Nevertheless, FL is subject to severe security threats of adversarial examples (AEs) with unnoticeable perturbations, generated by white-box attacks in honest-but-curious FL participants. Adversarial training is an effective solution to enhance the robustness of the model by identifying AEs as correct samples. However, the AE training efficiency is crucial in realistic scenarios of adversarial training, such as autonomous driving. Researchers have proposed the Fast Gradient Sign Method (FGSM) and its improvement to generate AEs rapidly. In this paper, we propose a novel optimizer-based FGSM, FastAdaBelief-based FGSM (FAB-FGSM), in order to generate AEs more efficiently and effectively. Benefitting from time-vary coefficients and a vanishing factor, FAB-FGSM realizes a more adaptive iteration step size than AdaBelief-based FGSM (AB-FGSM) and Adam-based FGSM (AI-FGSM). We explore the probable causes by recalling the theoretical analysis of three optimizers. Extensive experiment results demonstrate that compared to AB-FGSM and AI-FGSM, our FAB-FGSM achieves the fastest convergence and the best attack success rate in four target models, including Inception v3, Inception v4, Inception ResNet v2, ResNet-101.

Suchul Lee

DOI: https://doi.org/10.1109/access.2024.3426534

IF: 3.9

2024-07-19

IEEE Access

Abstract:Federated learning (FL) is a deep learning paradigm that allows clients to train deep learning models distributively, keeping raw data local rather than sending it to the cloud, thereby reducing security and privacy concerns. Although FL is designed to be inherently secure, it still has many vulnerabilities. In this paper, we consider an FL scenario where clients are subjected to an adversarial attack that exploits vulnerabilities in the decision-making process of deep learning models to induce misclassification. We observed that adversarial training has a trade-off relationship in which, as classification performance for adversarial examples increases, classification performance for normal samples decreases. To effectively utilize this trade-off relationship in adversarial training, we propose an adaptive selection scheme of the loss function depending on whether the FL client is attacked. The proposed scheme was experimentally proven to achieve the best robust accuracy while minimizing the decrease in natural accuracy. Further, we combined the proposed scheme with Byzantine-robust aggregation. We expected model training to converge stably because Byzantine-robust aggregation prevents highly distorted models from being aggregated, but we obtained experimental results that were contrary to our expectations.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xiaoxiao Li,Zhao Song,Jiaming Yang

DOI: https://doi.org/10.48550/arXiv.2208.03635

2022-08-07

Abstract:Federated learning (FL) is a trending training paradigm to utilize decentralized training data. FL allows clients to update model parameters locally for several epochs, then share them to a global model for aggregation. This training paradigm with multi-local step updating before aggregation exposes unique vulnerabilities to adversarial attacks. Adversarial training is a popular and effective method to improve the robustness of networks against adversaries. In this work, we formulate a general form of federated adversarial learning (FAL) that is adapted from adversarial learning in the centralized setting. On the client side of FL training, FAL has an inner loop to generate adversarial samples for adversarial training and an outer loop to update local model parameters. On the server side, FAL aggregates local model updates and broadcast the aggregated model. We design a global robust training loss and formulate FAL training as a min-max optimization problem. Unlike the convergence analysis in classical centralized training that relies on the gradient direction, it is significantly harder to analyze the convergence in FAL for three reasons: 1) the complexity of min-max optimization, 2) model not updating in the gradient direction due to the multi-local updates on the client-side before aggregation and 3) inter-client heterogeneity. We address these challenges by using appropriate gradient approximation and coupling techniques and present the convergence analysis in the over-parameterized regime. Our main result theoretically shows that the minimum loss under our algorithm can converge to $\epsilon$ small with chosen learning rate and communication rounds. It is noteworthy that our analysis is feasible for non-IID clients.

Machine Learning

Minxue Tang,Jianyi Zhang,Mingyuan Ma,Louis DiValentin,Aolin Ding,Amin Hassanzadeh,Hai Li,Yiran Chen

DOI: https://doi.org/10.48550/arXiv.2209.03839

2023-04-26

Abstract:Federated adversarial training can effectively complement adversarial robustness into the privacy-preserving federated learning systems. However, the high demand for memory capacity and computing power makes large-scale federated adversarial training infeasible on resource-constrained edge devices. Few previous studies in federated adversarial training have tried to tackle both memory and computational constraints simultaneously. In this paper, we propose a new framework named Federated Adversarial Decoupled Learning (FADE) to enable AT on heterogeneous resource-constrained edge devices. FADE differentially decouples the entire model into small modules to fit into the resource budget of each device, and each device only needs to perform AT on a single module in each communication round. We also propose an auxiliary weight decay to alleviate objective inconsistency and achieve better accuracy-robustness balance in FADE. FADE offers theoretical guarantees for convergence and adversarial robustness, and our experimental results show that FADE can significantly reduce the consumption of memory and computing power while maintaining accuracy and robustness.

Machine Learning

Minxue Tang,Yitu Wang,Jingyang Zhang,Louis DiValentin,Aolin Ding,Amin Hass,Yiran Chen,Hai "Helen" Li

2024-09-13

Abstract:Federated Learning (FL) provides a strong privacy guarantee by enabling local training across edge devices without training data sharing, and Federated Adversarial Training (FAT) further enhances the robustness against adversarial examples, promoting a step toward trustworthy artificial intelligence. However, FAT requires a large model to preserve high accuracy while achieving strong robustness, and it is impractically slow when directly training with memory-constrained edge devices due to the memory-swapping latency. Moreover, existing memory-efficient FL methods suffer from poor accuracy and weak robustness in FAT because of inconsistent local and global models, i.e., objective inconsistency. In this paper, we propose FedProphet, a novel FAT framework that can achieve memory efficiency, adversarial robustness, and objective consistency simultaneously. FedProphet partitions the large model into small cascaded modules such that the memory-constrained devices can conduct adversarial training module-by-module. A strong convexity regularization is derived to theoretically guarantee the robustness of the whole model, and we show that the strong robustness implies low objective inconsistency in FedProphet. We also develop a training coordinator on the server of FL, with Adaptive Perturbation Adjustment for utility-robustness balance and Differentiated Module Assignment for objective inconsistency mitigation. FedProphet empirically shows a significant improvement in both accuracy and robustness compared to previous memory-efficient methods, achieving almost the same performance of end-to-end FAT with 80% memory reduction and up to 10.8x speedup in training time.

Machine Learning,Artificial Intelligence

Yang Lu,Pinxin Qian,Gang Huang,Hanzi Wang

DOI: https://doi.org/10.1109/icassp49357.2023.10097083

2023-01-01

Abstract:Personalized Federated Learning (PFL) aims to learn personalized models for each client based on the knowledge across all clients in a privacy-preserving manner. Existing PFL methods generally assume that the underlying global data across all clients are uniformly distributed without considering the long-tail distribution. The joint problem of data heterogeneity and long-tail distribution in the FL environment is more challenging and severely affects the performance of personalized models. In this paper, we propose a PFL method called Federated Learning with Adversarial Feature Augmentation (FedAFA) to address this joint problem in PFL. FedAFA optimizes the personalized model for each client by producing a balanced feature set to enhance the local minority classes. The local minority class features are generated by transferring the knowledge from the local majority class features extracted by the global model in an adversarial example learning manner. The experimental results on benchmarks under different settings of data heterogeneity and long-tail distribution demonstrate that FedAFA significantly improves the personalized performance of each client compared with the state-of-the-art PFL algorithm. The code is available at https://github.com/pxqian/FedAFA.

Chen Chen,Yuchen Liu,Xingjun Ma,Lingjuan Lyu

DOI: https://doi.org/10.48550/arXiv.2205.14926

IF: 5.414

2022-05-30

Machine Learning

Abstract:Recent studies have shown that, like traditional machine learning, federated learning (FL) is also vulnerable to adversarial attacks. To improve the adversarial robustness of FL, federated adversarial training (FAT) methods have been proposed to apply adversarial training locally before global aggregation. Although these methods demonstrate promising results on independent identically distributed (IID) data, they suffer from training instability on non-IID data with label skewness, resulting in degraded natural accuracy. This tends to hinder the application of FAT in real-world applications where the label distribution across the clients is often skewed. In this paper, we study the problem of FAT under label skewness, and reveal one root cause of the training instability and natural accuracy degradation issues: skewed labels lead to non-identical class probabilities and heterogeneous local models. We then propose a Calibrated FAT (CalFAT) approach to tackle the instability issue by calibrating the logits adaptively to balance the classes. We show both theoretically and empirically that the optimization of CalFAT leads to homogeneous local models across the clients and better convergence points.

Giulio Zizzo,Ambrish Rawat,Mathieu Sinn,Sergio Maffeis,Chris Hankin

DOI: https://doi.org/10.48550/arXiv.2112.10525

2021-12-20

Abstract:In federated learning (FL), robust aggregation schemes have been developed to protect against malicious clients. Many robust aggregation schemes rely on certain numbers of benign clients being present in a quorum of workers. This can be hard to guarantee when clients can join at will, or join based on factors such as idle system status, and connected to power and WiFi. We tackle the scenario of securing FL systems conducting adversarial training when a quorum of workers could be completely malicious. We model an attacker who poisons the model to insert a weakness into the adversarial training such that the model displays apparent adversarial robustness, while the attacker can exploit the inserted weakness to bypass the adversarial training and force the model to misclassify adversarial examples. We use abstract interpretation techniques to detect such stealthy attacks and block the corrupted model updates. We show that this defence can preserve adversarial robustness even against an adaptive attacker.

Machine Learning,Cryptography and Security

Teng Liu,Hao Wu,Xidong Sun,Chaojie Niu,Hao Yin

DOI: https://doi.org/10.3390/electronics13214187

IF: 2.9

2024-10-26

Electronics

Abstract:Federated Learning (FL), as a distributed machine learning method, is particularly suitable for training models that require large amounts of data while meeting increasingly strict data privacy and security requirements. Although FL effectively protects the privacy of participants by avoiding the sharing of raw data, balancing the risks of privacy leakage with model performance remains a significant challenge. To address this, this paper proposes a new algorithm—FL-APB (Federated Learning with Adversarial Privacy–Performance Balancing). This algorithm combines adversarial training with privacy-protection mechanisms to dynamically adjust privacy and performance budgets, optimizing the balance between the two while enhancing and ensuring performance. The experimental results demonstrate that the FL-APB algorithm significantly improves model performance across various adversarial training scenarios, while effectively protecting the privacy of participants through adversarial training of privacy data.

engineering, electrical & electronic,computer science, information systems,physics, applied

Junyuan Hong,Zhuangdi Zhu,Shuyang Yu,Zhangyang Wang,Hiroko H. Dodge,Jiayu Zhou

DOI: https://doi.org/10.1145/3447548.3467281

2021-08-14

Abstract:Federated learning is a distributed learning framework that is communication efficient and provides protection over participating users' raw training data. One outstanding challenge of federate learning comes from the users' heterogeneity, and learning from such data may yield biased and unfair models for minority groups. While adversarial learning is commonly used in centralized learning for mitigating bias, there are significant barriers when extending it to the federated framework. In this work, we study these barriers and address them by proposing a novel approach Federated Adversarial DEbiasing (FADE). FADE does not require users' sensitive group information for debiasing and offers users the freedom to opt-out from the adversarial component when privacy or computational costs become a concern. We show that ideally, FADE can attain the same global optimality as the one by the centralized algorithm. We then analyze when its convergence may fail in practice and propose a simple yet effective method to address the problem. Finally, we demonstrate the effectiveness of the proposed framework through extensive empirical studies, including the problem settings of unsupervised domain adaptation and fair learning. Our codes and pre-trained models are available at: https://github.com/illidanlab/FADE.

Xiaojun Jia,Yuefeng Chen,Xiaofeng Mao,Ranjie Duan,Jindong Gu,Rong Zhang,Hui Xue,Xiaochun Cao

2023-08-22

Abstract:Fast Adversarial Training (FAT) not only improves the model robustness but also reduces the training cost of standard adversarial training. However, fast adversarial training often suffers from Catastrophic Overfitting (CO), which results in poor robustness performance. Catastrophic Overfitting describes the phenomenon of a sudden and significant decrease in robust accuracy during the training of fast adversarial training. Many effective techniques have been developed to prevent Catastrophic Overfitting and improve the model robustness from different perspectives. However, these techniques adopt inconsistent training settings and require different training costs, i.e, training time and memory costs, leading to unfair comparisons. In this paper, we conduct a comprehensive study of over 10 fast adversarial training methods in terms of adversarial robustness and training costs. We revisit the effectiveness and efficiency of fast adversarial training techniques in preventing Catastrophic Overfitting from the perspective of model local nonlinearity and propose an effective Lipschitz regularization method for fast adversarial training. Furthermore, we explore the effect of data augmentation and weight averaging in fast adversarial training and propose a simple yet effective auto weight averaging method to improve robustness further. By assembling these techniques, we propose a FGSM-based fast adversarial training method equipped with Lipschitz regularization and Auto Weight averaging, abbreviated as FGSM-LAW. Experimental evaluations on four benchmark databases demonstrate the superiority of the proposed method over state-of-the-art fast adversarial training methods and the advanced standard adversarial training methods.

Computer Vision and Pattern Recognition

Mengnan Zhao,Lihe Zhang,Yuqiu Kong,Baocai Yin

2023-08-24

Abstract:Fast adversarial training (FAT) is beneficial for improving the adversarial robustness of neural networks. However, previous FAT work has encountered a significant issue known as catastrophic overfitting when dealing with large perturbation budgets, \ie the adversarial robustness of models declines to near zero during training. To address this, we analyze the training process of prior FAT work and observe that catastrophic overfitting is accompanied by the appearance of loss convergence outliers. Therefore, we argue a moderately smooth loss convergence process will be a stable FAT process that solves catastrophic overfitting. To obtain a smooth loss convergence process, we propose a novel oscillatory constraint (dubbed ConvergeSmooth) to limit the loss difference between adjacent epochs. The convergence stride of ConvergeSmooth is introduced to balance convergence and smoothing. Likewise, we design weight centralization without introducing additional hyperparameters other than the loss balance coefficient. Our proposed methods are attack-agnostic and thus can improve the training stability of various FAT techniques. Extensive experiments on popular datasets show that the proposed methods efficiently avoid catastrophic overfitting and outperform all previous FAT methods. Code is available at \url{<a class="link-external link-https" href="https://github.com/FAT-CS/ConvergeSmooth" rel="external noopener nofollow">this https URL</a>}.

Machine Learning