Yaguan Qian,Xiaoyu Liang,Ming Kang,Bin Wang,Zhaoquan Gu,Xing Wang,Chunming Wu

DOI: https://doi.org/10.1142/s0218001422510156

IF: 1.261

2022-01-01

International Journal of Pattern Recognition and Artificial Intelligence

Abstract:Adversarial training is by far one of the most effective methods to improve the robustness of deep neural networks against adversarial examples. However, the trade-off between robustness and accuracy is still a challenge in adversarial training. Previous methods used adversarial examples with a fixed perturbation budget or specific perturbation budgets for each example, which is inefficient in improving the trade-off and lacks the ability to control the trade-off flexibly. In this paper, we show that the largest element of logit, [Formula: see text], can roughly represent the minimum distance between an example and its neighboring decision boundary. Thus, we propose group adaptive adversarial training (GAAT) that divides the training dataset into several groups based on [Formula: see text] and develops a binary search algorithm to determine the group perturbation budgets for each group. Using the group perturbation budgets to perform adversarial training can fine-tune the trade-off between robustness and accuracy. Extensive experiments conducted on CIFAR-10 and ImageNet-30 show that our GAAT can achieve a more perfect trade-off than TRADES, MMA, and MART.

Dongxian Wu,Shu-tao Xia,Yisen Wang

DOI: https://doi.org/10.48550/arXiv.2004.05884

IF: 5.414

2020-04-13

Machine Learning

Abstract:The study on improving the robustness of deep neural networks against adversarial examples grows rapidly in recent years. Among them, adversarial training is the most promising one, which flattens the input loss landscape (loss change with respect to input) via training on adversarially perturbed examples. However, how the widely used weight loss landscape (loss change with respect to weight) performs in adversarial training is rarely explored. In this paper, we investigate the weight loss landscape from a new perspective, and identify a clear correlation between the flatness of weight loss landscape and robust generalization gap. Several well-recognized adversarial training improvements, such as early stopping, designing new objective functions, or leveraging unlabeled data, all implicitly flatten the weight loss landscape. Based on these observations, we propose a simple yet effective Adversarial Weight Perturbation (AWP) to explicitly regularize the flatness of weight loss landscape, forming a double-perturbation mechanism in the adversarial training framework that adversarially perturbs both inputs and weights. Extensive experiments demonstrate that AWP indeed brings flatter weight loss landscape and can be easily incorporated into various existing adversarial training methods to further boost their adversarial robustness.

Chaojian Yu,Dawei Zhou,Li Shen,Jun Yu,Bo Han,Mingming Gong,Nannan Wang,Tongliang Liu

DOI: https://doi.org/10.48550/arXiv.2210.01288

IF: 5.414

2022-10-04

Machine Learning

Abstract:Adversarial training (AT) is proved to reliably improve network's robustness against adversarial data. However, current AT with a pre-specified perturbation budget has limitations in learning a robust network. Firstly, applying a pre-specified perturbation budget on networks of various model capacities will yield divergent degree of robustness disparity between natural and robust accuracies, which deviates from robust network's desideratum. Secondly, the attack strength of adversarial training data constrained by the pre-specified perturbation budget fails to upgrade as the growth of network robustness, which leads to robust overfitting and further degrades the adversarial robustness. To overcome these limitations, we propose \emph{Strength-Adaptive Adversarial Training} (SAAT). Specifically, the adversary employs an adversarial loss constraint to generate adversarial training data. Under this constraint, the perturbation budget will be adaptively adjusted according to the training state of adversarial data, which can effectively avoid robust overfitting. Besides, SAAT explicitly constrains the attack strength of training data through the adversarial loss, which manipulates model capacity scheduling during training, and thereby can flexibly control the degree of robustness disparity and adjust the tradeoff between natural accuracy and robustness. Extensive experiments show that our proposal boosts the robustness of adversarial training.

Jiacheng Zhang,Feng Liu,Dawei Zhou,Jingfeng Zhang,Tongliang Liu

2024-06-02

Abstract:Adversarial training (AT) trains models using adversarial examples (AEs), which are natural images modified with specific perturbations to mislead the model. These perturbations are constrained by a predefined perturbation budget $\epsilon$ and are equally applied to each pixel within an image. However, in this paper, we discover that not all pixels contribute equally to the accuracy on AEs (i.e., robustness) and accuracy on natural images (i.e., accuracy). Motivated by this finding, we propose Pixel-reweighted AdveRsarial Training (PART), a new framework that partially reduces $\epsilon$ for less influential pixels, guiding the model to focus more on key regions that affect its outputs. Specifically, we first use class activation mapping (CAM) methods to identify important pixel regions, then we keep the perturbation budget for these regions while lowering it for the remaining regions when generating AEs. In the end, we use these pixel-reweighted AEs to train a model. PART achieves a notable improvement in accuracy without compromising robustness on CIFAR-10, SVHN and TinyImagenet-200, justifying the necessity to allocate distinct weights to different pixel regions in robust classification.

Computer Vision and Pattern Recognition,Machine Learning

Yue Zhuo,Zhiqiang Ge

DOI: https://doi.org/10.36227/techrxiv.19609623.v1

2022-01-01

Abstract:Adversarial attack is to craft tiny perturbations on inputs, causing neural networks to give incorrect outputs with high confidence, while adversarial training is the de facto most successful method to obtain robust neural networks. Nevertheless, adversarial training suffers from robust overfitting: the increasing robustness gap between train and test datasets. This paper aims at reducing this robust overfitting (i.e., improving adversarially robust generalization / generalized adversarial robustness). Firstly, we study the robust bias-variance trade-off and find that the robust overfitting even happens on the simple dataset (100MNIST), which is considered free from that in previous research. Next, based on 100MNIST and Gaussian data, the correlation between feature augmentation and robust overfitting is analyzed on a theoretical basis. A novel insight is obtained: the augmentation on robust features can improve generalized adversarial robustness, through alleviating the over-optimization on non-robust features. Then, we propose a regularization term, Feature Alignment (FA), to guide synthesized sample directions. Adversarial FA aided Generative Adversarial Network, AFAGAN, generates samples aligning robust features, which can train more adversarially robust generalized models. Experiments on CIFAR10 show that augmented data of AFAGAN significantly improves the generalized adversarial robustness.

Olukorede Fakorede,Modeste Atsague,Jin Tian

2024-03-07

Abstract:Adversarial Training (AT) effectively improves the robustness of Deep Neural Networks (DNNs) to adversarial attacks. Generally, AT involves training DNN models with adversarial examples obtained within a pre-defined, fixed perturbation bound. Notably, individual natural examples from which these adversarial examples are crafted exhibit varying degrees of intrinsic vulnerabilities, and as such, crafting adversarial examples with fixed perturbation radius for all instances may not sufficiently unleash the potency of AT. Motivated by this observation, we propose two simple, computationally cheap vulnerability-aware reweighting functions for assigning perturbation bounds to adversarial examples used for AT, named Margin-Weighted Perturbation Budget (MWPB) and Standard-Deviation-Weighted Perturbation Budget (SDWPB). The proposed methods assign perturbation radii to individual adversarial samples based on the vulnerability of their corresponding natural examples. Experimental results show that the proposed methods yield genuine improvements in the robustness of AT algorithms against various adversarial attacks.

Machine Learning,Artificial Intelligence,Cryptography and Security,Computer Vision and Pattern Recognition

Tianjin Huang,Shiwei Liu,Tianlong Chen,Meng Fang,Li Shen,Vlado Menkovski,Lu Yin,Yulong Pei,Mykola Pechenizkiy

DOI: https://doi.org/10.1007/978-3-031-43412-9_7

2023-01-01

Abstract:Despite the fact that adversarial training has become the de facto method for improving the robustness of deep neural networks, it is well-known that vanilla adversarial training suffers from daunting robust overfitting, resulting in unsatisfactory robust generalization. A number of approaches have been proposed to address these drawbacks such as extra regularization, adversarial weights perturbation, and training with more data over the last few years. However, the robust generalization improvement is yet far from satisfactory. In this paper, we approach this challenge with a brand new perspective - refining historical optimization trajectories. We propose a new method namedWeighted OptimizationTrajectories (WOT) that leverages the optimization trajectories of adversarial training in time. We have conducted extensive experiments to demonstrate the effectiveness ofWOT under various state-of-the-art adversarial attacks. Our results showthatWOTintegrates seamlesslywith the existing adversarial training methods and consistently overcomes the robust overfitting issue, resulting in better adversarial robustness. For example, WOT boosts the robust accuracy of AT-PGD under AA-L8 attack by 1.53%6.11% and meanwhile increases the clean accuracy by 0.55%-5.47% across SVHN, CIFAR-10, CIFAR-100, and Tiny-ImageNet datasets.

Lin Li,Michael Spratling

2023-03-27

Abstract:Deep neural networks can be easily fooled into making incorrect predictions through corruption of the input by adversarial perturbations: human-imperceptible artificial noise. So far adversarial training has been the most successful defense against such adversarial attacks. This work focuses on improving adversarial training to boost adversarial robustness. We first analyze, from an instance-wise perspective, how adversarial vulnerability evolves during adversarial training. We find that during training an overall reduction of adversarial loss is achieved by sacrificing a considerable proportion of training samples to be more vulnerable to adversarial attack, which results in an uneven distribution of adversarial vulnerability among data. Such "uneven vulnerability", is prevalent across several popular robust training methods and, more importantly, relates to overfitting in adversarial training. Motivated by this observation, we propose a new adversarial training method: Instance-adaptive Smoothness Enhanced Adversarial Training (ISEAT). It jointly smooths both input and weight loss landscapes in an adaptive, instance-specific, way to enhance robustness more for those samples with higher adversarial vulnerability. Extensive experiments demonstrate the superiority of our method over existing defense methods. Noticeably, our method, when combined with the latest data augmentation and semi-supervised learning techniques, achieves state-of-the-art robustness against $\ell_{\infty}$-norm constrained attacks on CIFAR10 of 59.32% for Wide ResNet34-10 without extra data, and 61.55% for Wide ResNet28-10 with extra data. Code is available at <a class="link-external link-https" href="https://github.com/TreeLLi/Instance-adaptive-Smoothness-Enhanced-AT" rel="external noopener nofollow">this https URL</a>.

Computer Vision and Pattern Recognition,Artificial Intelligence,Machine Learning

Xuanming Fu,Zhengfeng Yang,Hao Xue,Jianlin Wang,Zhenbing Zeng

DOI: https://doi.org/10.1109/icpr56361.2022.9956608

2022-01-01

Abstract:Adversarial training is an efficacious defense approach to protect classification model against adversarial attacks. In this paper, we reveal that a significant difference exists between the feature map of the original sample and that of its corresponding adversarial version. Based on this main insight, we propose a novel robust training on feature-based adversarial examples approach called FPAT, where training examples are generated by maximizing the loss function between the clean and the adversarial feature maps. We show via extensive experiments on MNIST, SVHN and CIFAR-10, that our proposed method is as effective as the state-of-the-art robust training methods. Especially, when the adversarial perturbation is of a large radius or the number of adversarial steps of training samples is small, FPAT achieves leading robustness.

Shibin Liu,Yahong Han

DOI: https://doi.org/10.1007/s00371-023-03057-9

2024-01-01

Abstract:Recent research has shown the vulnerability of deep networks to adversarial perturbations. Adversarial training and its variants have been shown to be effective defense algorithms against adversarial attacks, enhancing the defense abilities of deep neural networks by training them to fit adversarial examples. However, the significant computational burden of generating strong adversarial examples has rendered the process time-consuming, presenting a challenge for efficient training. In this paper, we propose adversarial training with robust area (ATRA), a highly efficient variant of adversarial training. We experimentally find that certain pixels in the image play a crucial role in improving robust accuracy, which we refer to the collection of discrete pixels as the high-robust area. Based on the robust area of the input instance, ATRA generates adversarial examples by applying an adaptive perturbation. Furthermore, we investigate the transferability of the high-robust area during the attack iteration process and experimentally demonstrate its effectiveness. Therefore, ATRA has the advantage of reducing the additional cost of generating strong adversarial examples while maintaining model robustness. Our experimental results on MNIST, CIFAR10, and TinyImageNet show that our method outperforms current state-of-the-art baselines with significantly less additional training time required, especially on MNIST where our method requires 18 × less training time. Furthermore, our method also achieves good performance under different adversarial attacks such as FGSM, CW, and AutoAttack.

Chuanxi Chen,Dengpan Ye,Hao Wang,Long Tang,Yue Xu

DOI: https://doi.org/10.1109/trustcom56396.2022.00035

2022-01-01

Abstract:Recent works have demonstrated that neural networks are vulnerable to adversarial attacks, while adversarial training is promising for improving robustness of deep networks. However, these models still remain vulnerable to new types of attacks not seen due to representative general samples may not be provided during training. Moreover, substantially larger datasets are necessary in adversarial robust models than those required for standard training where labeled data is expensive. In this work, we propose a novel approach to adversarial robustness, which establishes on the insights from min-max optimization that more powerful adversarial perturbations lead to more robust defense. Our algorithm is called Adversarial Training with Multidimensional Perturbations (ATMP), aims at guiding networks learn strong representations through minimizing the distance between differently augmented views via adopting an innovative contrastive learning objective function in the latent space. By perturbing the representations corresponding to key robust features, more powerful adversarial perturbations could be obtained in self-supervised form during adversarial training. Besides, we can avoid label leaking to some extent because no label information is required in generating adversarial examples. Extensive experimental results on common benchmarks show that our method can achieve high robustness against various of representative adversarial attacks. We also compare it with the existing state-of-the-art techniques, and the experiments indicate that our method is superior.

Zhuoer Xu,Guanghui Zhu,Changhua Meng,Shiwen Cui,Zhenzhe Ying,Weiqiang Wang,Ming GU,Yihua Huang

DOI: https://doi.org/10.48550/arXiv.2210.03543

2022-01-01

Abstract: Based on the significant improvement of model robustness by AT (Adversarial Training), various variants have been proposed to further boost the performance. Well-recognized methods have focused on different components of AT (e.g., designing loss functions and leveraging additional unlabeled data). It is generally accepted that stronger perturbations yield more robust models. However, how to generate stronger perturbations efficiently is still missed. In this paper, we propose an efficient automated attacker called A2 to boost AT by generating the optimal perturbations on-the-fly during training. A2 is a parameterized automated attacker to search in the attacker space for the best attacker against the defense model and examples. Extensive experiments across different datasets demonstrate that A2 generates stronger perturbations with low extra cost and reliably improves the robustness of various AT methods against different attacks.

Chaojian Yu,Bo Han,Mingming Gong,Li Shen,Shiming Ge,Bo Du,Tongliang Liu

DOI: https://doi.org/10.48550/arXiv.2205.14826

IF: 5.414

2022-05-30

Machine Learning

Abstract:Overfitting widely exists in adversarial robust training of deep networks. An effective remedy is adversarial weight perturbation, which injects the worst-case weight perturbation during network training by maximizing the classification loss on adversarial examples. Adversarial weight perturbation helps reduce the robust generalization gap; however, it also undermines the robustness improvement. A criterion that regulates the weight perturbation is therefore crucial for adversarial training. In this paper, we propose such a criterion, namely Loss Stationary Condition (LSC) for constrained perturbation. With LSC, we find that it is essential to conduct weight perturbation on adversarial data with small classification loss to eliminate robust overfitting. Weight perturbation on adversarial data with large classification loss is not necessary and may even lead to poor robustness. Based on these observations, we propose a robust perturbation strategy to constrain the extent of weight perturbation. The perturbation strategy prevents deep networks from overfitting while avoiding the side effect of excessive weight perturbation, significantly improving the robustness of adversarial training. Extensive experiments demonstrate the superiority of the proposed method over the state-of-the-art adversarial training methods.

Xingjian Li,Dou Goodman,Ji Liu,Tao Wei,Dejing Dou

DOI: https://doi.org/10.3389/frai.2021.752831

2022-01-27

Abstract:Though deep neural networks have achieved the state of the art performance in visual classification, recent studies have shown that they are all vulnerable to the attack of adversarial examples. In this paper, we develop improved techniques for defending against adversarial examples. First, we propose an enhanced defense technique denoted Attention and Adversarial Logit Pairing (AT + ALP), which encourages both attention map and logit for the pairs of examples to be similar. When being applied to clean examples and their adversarial counterparts, AT + ALP improves accuracy on adversarial examples over adversarial training. We show that AT + ALP can effectively increase the average activations of adversarial examples in the key area and demonstrate that it focuses on discriminate features to improve the robustness of the model. Finally, we conduct extensive experiments using a wide range of datasets and the experiment results show that our AT + ALP achieves the state of the art defense performance. For example, on 17 Flower Category Database, under strong 200-iteration Projected Gradient Descent (PGD) gray-box and black-box attacks where prior art has 34 and 39% accuracy, our method achieves 50 and 51%. Compared with previous work, our work is evaluated under highly challenging PGD attack: the maximum perturbation ϵ ∈ {0.25, 0.5} i.e. L ∞ ∈ {0.25, 0.5} with 10-200 attack iterations. To the best of our knowledge, such a strong attack has not been previously explored on a wide range of datasets.

Keke Tang,Tianrui Lou,Xu He,Yawen Shi,Peican Zhu,Zhaoquan Gu

DOI: https://doi.org/10.1007/978-3-031-40283-8_28

2023-01-01

Abstract:Adversarial training (AT) is one of the most promising solutions for defending adversarial attacks. By exploiting the adversarial examples generated in the maximization step of AT, a large improvement on the robustness can be brought. However, by analyzing the original natural examples and the corresponding adversarial examples, we observe that a certain part of them are abnormal. In this paper, we propose a novel AT framework called anomaly-aware adversarial training (A $$^3$$ T), which utilizes different learning strategies for handling the one normal case and two abnormal cases of generating adversarial examples. Extensive experiments on three publicly available datasets with classifiers in three major network architectures demonstrate that A $$^3$$ T is effective in robustifying networks to adversarial attacks in both white/black-box settings and outperforms the state-of-the-art AT methods.

Haitao Zhang,Fan Jia,Quanxin Zhang,Yahong Han,Xiaohui Kuang,Yu-an Tan

DOI: https://doi.org/10.1109/icme46284.2020.9102777

2020-01-01

Abstract:Adversarial training increases robustness by augmenting training data with adversarial examples. However, vanilla adversarial training may be overfitting to certain adversarial attacks. Small perturbations in images bring in error which is gradually amplified when forwarded through the model so that the error leads to wrong classification. Besides, small perturbations will also distract classifier's attention to significant features that are relevant to the true label. In this paper, we propose a novel two-way feature-aligned and attention-rectified adversarial training (FAAR) to improve adversarial training (AT). FAAR utilizes two-way feature alignment and attention rectification to mitigate the problems mentioned above. FAAR effectively suppresses perturbations in lowlevel, high-level and global features by moving features of perturbed images towards those of clean images with twoway feature alignment. It also leads the model into focusing more on useful features which are correlated with true label through rectifying gradient-weighted attention. Besides, feature alignment activates attention rectification by reducing perturbations in high-level feature. Our proposed method FAAR surpasses other existing AT methods in three aspects. First, it pushes the model to keep invariant when dealing with different adversarial attacks and different magnitude of perturbations. Second, it can be applied to any convolution neural networks. Third, the training process is end-to-end. For experiments, FAAR shows promising defense performance on CIFAR-10 and ImageNet.

Minhao Cheng,Qi Lei,Pin-Yu Chen,Inderjit Dhillon,Cho-Jui Hsieh

DOI: https://doi.org/10.48550/arXiv.2002.06789

2020-02-17

Abstract:Adversarial training has become one of the most effective methods for improving robustness of neural networks. However, it often suffers from poor generalization on both clean and perturbed data. In this paper, we propose a new algorithm, named Customized Adversarial Training (CAT), which adaptively customizes the perturbation level and the corresponding label for each training sample in adversarial training. We show that the proposed algorithm achieves better clean and robust accuracy than previous adversarial training methods through extensive experiments.

Machine Learning

Zeping Ye,Zhigang Zeng,Bingrong Xu

DOI: https://doi.org/10.1109/icnc59488.2023.10462820

2023-01-01

Abstract:The deep neural network (DNN) can be fooled by introducing a small perturbation to the example. Adversarial training (AT) is proven to be one of the most effective methods to improve robustness. Although the latest works to improve AT can ensure the adversarial robustness of PGD, the exploration of the performance under more disturbances is lacking, which may lead to our misunderstanding of model generalization. Moreover, they sacrifice DNN’s performance of classifying clean examples, which is called clean performance. Research shows that overfitting will be caused by the cross-mixing of distributions between natural and adversarial examples. We discover that the primary cause of cross-mixing is using the same batch-normalization (BN) layer to normalize the natural and adversarial examples because their means and variances are substantially different. We propose a new defense method which is called probabilistic distributions alignment adversarial training (PDAT). It utilizes the model with a multi-BN structure, which contains natural BN (NBN) and adversarial BN (ABN) to normalize the natural and adversarial examples separately and calculate their corresponding probabilistic distributions. It mutually trains the model through the alignment of probabilistic distributions between NBN and ABN. The natural training (NT) process of NBN is utilized to guide the training process of ABN which is much more difficult. To ensure that the model learns the correct knowledge during the alignment process, we use dynamic weights and soft-decision schemes in the loss function. This alleviates the cross-mixing problem. We conduct experiments on CIFAR10 and CIFAR100 and verify that PDAT improves robustness across a wide range of attacks while maximally maintaining clean performance. This proves that PDAT generalizes better.

Zhaoxin Wang,Handing Wang,Cong Tian,Yaochu Jin

DOI: https://doi.org/10.1145/3581783.3612163

2023-01-01

Abstract:Adversarial training (AT) is one of the most effective ways for deep neural network models to resist adversarial examples. However, there is still a significant gap between robust training accuracy and testing accuracy. Although recent studies have shown that data augmentation can effectively reduce this gap, most methods heavily rely on generating large amounts of training data without considering which features are beneficial for model robustness, making them inefficient. To address the above issue, we propose a two-stage AT algorithm for image data that adopts different data augmentation strategies during the training process to improve model robustness. In the first stage, we focus on the convergence of the algorithm, which uses structure and texture information to guide AT. In the second stage, we introduce a strategy that randomly fuses the data features to generate diverse adversarial examples for AT. We compare our proposed algorithm with five state-of-the-art algorithms on three models, and the experimental results achieve the best robust accuracy under all evaluation metrics on the CIFAR10 dataset, demonstrating the superiority of our method.

Guang Lin,Chao Li,Jianhai Zhang,Toshihisa Tanaka,Qibin Zhao

2024-08-23

Abstract:The deep neural networks are known to be vulnerable to well-designed adversarial attacks. The most successful defense technique based on adversarial training (AT) can achieve optimal robustness against particular attacks but cannot generalize well to unseen attacks. Another effective defense technique based on adversarial purification (AP) can enhance generalization but cannot achieve optimal robustness. Meanwhile, both methods share one common limitation on the degraded standard accuracy. To mitigate these issues, we propose a novel pipeline to acquire the robust purifier model, named Adversarial Training on Purification (AToP), which comprises two components: perturbation destruction by random transforms (RT) and purifier model fine-tuned (FT) by adversarial loss. RT is essential to avoid overlearning to known attacks, resulting in the robustness generalization to unseen attacks, and FT is essential for the improvement of robustness. To evaluate our method in an efficient and scalable way, we conduct extensive experiments on CIFAR-10, CIFAR-100, and ImageNette to demonstrate that our method achieves optimal robustness and exhibits generalization ability against unseen attacks.

Computer Vision and Pattern Recognition,Artificial Intelligence