Jieyu Lin,Wei Liu,Jiajie Zou,Nai Ding

DOI: https://doi.org/10.1007/978-981-99-6207-5_19

2023-01-01

Abstract:Pre-trained language models are sensitive to adversarial attacks, and recent works have demonstrated universal adversarial attacks that can apply input-agnostic perturbations to mislead models. Here, we demonstrate that universal adversarial attacks can also be used to harden NLP models. Based on NLI task, we propose a simple universal adversarial attack that can mislead models to produce the same output for all premises by replacing the original hypothesis with an irrelevant string of words. To defend against this attack, we propose Training with UNiversal Adversarial Samples (TUNAS), which iteratively generates universal adversarial samples and utilizes them for fine-tuning. The method is tested on two datasets, i.e., MNLI and SNLI. It is demonstrated that, TUNAS can reduce the mean success rate of the universal adversarial attack from above 79% to below 5%, while maintaining similar performance on the original datasets. Furthermore, TUNAS models are also more robust to the attack targeting at individual samples: When search for hypotheses that are best entailed by a premise, the hypotheses found by TUNAS models are more compatible with the premise than those found by baseline models. In sum, we use universal adversarial attack to yield more robust models.

Xiaoyu Liang,Yaguan Qian,Jianchang Huang,Xiang Ling,Bin Wang,Chunming Wu,Wassim Swaileh

DOI: https://doi.org/10.1016/j.patrec.2023.07.009

2022-01-01

Abstract:The previous adversarial training methods tended to use a larger uniform perturbation budget to obtain an inclusive decision boundary, which improved robustness. However, this large uniform perturbation budget will bring an unnecessary increase in the margin along adversarial directions, causing heavy cross-over between natural and adversarial examples. It is not conducive to balancing the trade-off between robustness and natural accuracy. In this paper, we propose a novel adversarial training scheme, namely Moderate-Margin Adversarial Training (MMAT), to achieve a better trade-off. Specifically, we generate finer-grained adversarial examples to mitigate the cross-over between them and natural examples of neighboring classes. Meanwhile, we design a hybrid loss to learn adversarial examples and natural examples respectively to further obtain a moderate decision boundary. Extensive experiments show MMAT achieves high natural accuracy and robustness under both black-box and white-box attacks. Especially, state-of-the-art robustness and natural accuracy are achieved on SVHN.

Boxi Wu,Heng Pan,Li Shen,Jindong Gu,Shuai Zhao,Zhifeng Li,Deng Cai,Xiaofei He,Wei Liu

DOI: https://doi.org/10.48550/arXiv.2106.04938

IF: 5.414

2021-06-09

Machine Learning

Abstract:It is well known that adversarial attacks can fool deep neural networks with imperceptible perturbations. Although adversarial training significantly improves model robustness, failure cases of defense still broadly exist. In this work, we find that the adversarial attacks can also be vulnerable to small perturbations. Namely, on adversarially-trained models, perturbing adversarial examples with a small random noise may invalidate their misled predictions. After carefully examining state-of-the-art attacks of various kinds, we find that all these attacks have this deficiency to different extents. Enlightened by this finding, we propose to counter attacks by crafting more effective defensive perturbations. Our defensive perturbations leverage the advantage that adversarial training endows the ground-truth class with smaller local Lipschitzness. By simultaneously attacking all the classes, the misled predictions with larger Lipschitzness can be flipped into correct ones. We verify our defensive perturbation with both empirical experiments and theoretical analyses on a linear model. On CIFAR10, it boosts the state-of-the-art model from 66.16% to 72.66% against the four attacks of AutoAttack, including 71.76% to 83.30% against the Square attack. On ImageNet, the top-1 robust accuracy of FastAT is improved from 33.18% to 38.54% under the 100-step PGD attack.

Yun Zhang,Hongwei Li,Guowen Xu,Shuai Yuan,Xiaoming Huang

DOI: https://doi.org/10.1007/s12083-021-01178-3

2021-06-07

Abstract:Adversarial training has become one of the most widely used methods to defense the attack of adversarial examples, since its properties of improving the robustness of neural networks. To achieve this, many representative works have been proposed to optimize the hyper-parameters in the adversarial training, so as to obtain the optimal trade-off between model classification accuracy and robustness. However, existing works are still in its infancy, especially in terms of model accuracy and training efficiency. In this paper, we propose Specific Adversarial Training(SAT), a novel framework to solve this challenge. Specifically, SAT improves the process of adversarial training by crafting specific perturbation and label for each data point. With this, these generated samples can close and properly cross the decision boundary meanwhile obtain an ideal label, which performs a positive effects in adversarial training. Experimental results show that our method can achieve 88.62% natural accuracy while the adversarial accuracy also improve from 43.79% to 52.34% in the CIFAR-10 dataset. Meanwhile, we achieve a higher efficiency compared to prior works.

computer science, information systems,telecommunications

Kexue Ma,Guitao Cao,Mengqian Xu,Chunwei Wu,Hong Wang,Wenming Cao

DOI: https://doi.org/10.1109/IJCNN54540.2023.10191447

2023-01-01

Abstract:Universal attack generates image-agnostic perturbation called universal adversarial perturbation (UAP), which can be added to all samples in the data distribution to fool the classifier. However, a universal perturbation will likely mislead the classifier to identify most adversarial examples as the same label, resulting in the imbalance of attack strength between classes. In this paper, we propose class-balanced UAPs that enlarge the dispersion of the predicted labels for adversarial examples. To ensure attack strength and balance simultaneously, we design a novel diversity objective containing probability calibration and penalty regularizer, which fully considers the predicted label distribution between samples and the predicted probability distribution within samples. Furthermore, we apply class-balanced attacks in adversarial training to defend against universal perturbations since the class-balanced UAP provides diverse perturbation directions. We correspondingly reformulate adversarial training from the min-max optimization problem into a new two-stage framework. Experiments on several benchmark datasets demonstrate that the class-balanced attack achieves better performance than the universal attack, while adversarial training with class-balanced UAP achieves state-of-the-art results in clean accuracy and robustness to universal perturbations.

Jiawei Zhao,Lizhe Xie,Yuning Zhang,Siqi Gu,Zheng Wang,Yining Hu

DOI: https://doi.org/10.2139/ssrn.4850545

2024-01-01

Abstract:Deep Neural Networks (DNNs) have been shown to be vulnerable to adversarial examples. The existence of adversarial examples significantly hinders the development of deep learning technologies in domains with high-security requirements. However, current defense methods often lack universality, being effective only against specific adversarial attacks. This study focuses on analyzing adversarial examples through changes in model attention, classifying attack algorithms into attention-shifting and attention-attenuation categories. To counter attention-shifting attacks, a defense module named Feature Pyramid-based Attention Space-guided (FPAS) is proposed, which spatially retracts the shifting attention in adversarial examples, thereby enhancing the model's overall defense capability. Attention-based Non-Local (ANL) is a proposed defense module to counter attention-attenuation attacks. This module enhances the model's focus on critical features, efficiently constructing a robust defense model with low implementation cost and minimal intrusion into the original model. By integrating FPAS and ANL into the Wide-ResNet model within a boosting framework, the study demonstrates their synergistic defense capability. Even with eight adversarial samples embedded with adversarial patches, our FPAS_at and ANL_at models demonstrated significant improvements over the baseline, enhancing the average defense rate by 5.47% and 7.74%, respectively. Extensive experiments confirm that this universal defense strategy offers comprehensive protection against adversarial attacks at a lower implementation cost compared to current mainstream defense methods, while also being adaptable for integration with existing defense strategies to further enhance adversarial robustness.

Tian Ye,Rajgopal Kannan,Viktor Prasanna

2024-11-27

Abstract:Adversarial training has emerged as an effective approach to train robust neural network models that are resistant to adversarial attacks, even in low-label regimes where labeled data is scarce. In this paper, we introduce a novel semi-supervised adversarial training approach that enhances both robustness and natural accuracy by generating effective adversarial examples. Our method begins by applying linear interpolation between clean and adversarial examples to create interpolated adversarial examples that cross decision boundaries by a controlled margin. This sample-aware strategy tailors adversarial examples to the characteristics of each data point, enabling the model to learn from the most informative perturbations. Additionally, we propose a global epsilon scheduling strategy that progressively adjusts the upper bound of perturbation strengths during training. The combination of these strategies allows the model to develop increasingly complex decision boundaries with better robustness and natural accuracy. Empirical evaluations show that our approach effectively enhances performance against various adversarial attacks, such as PGD and AutoAttack.

Machine Learning,Cryptography and Security,Computer Vision and Pattern Recognition

Xiaowei Zhou,Ivor W. Tsang,Jie Yin

DOI: https://doi.org/10.1007/s10994-022-06203-x

IF: 5.414

2022-09-11

Machine Learning

Abstract:Deep Neural Networks (DNNs) have recently achieved great success in many classification tasks. Unfortunately, they are vulnerable to adversarial attacks that generate adversarial examples with a small perturbation to fool DNN models, especially in model sharing scenarios. Adversarial training is proved to be the most effective strategy that injects adversarial examples into model training to improve the robustness of DNN models against adversarial attacks. However, adversarial training based on the existing adversarial examples fails to generalize well to standard, unperturbed test data. To achieve a better trade-off between standard accuracy and adversarial robustness, we propose a novel adversarial training framework called LAtent bounDary-guided aDvErsarial tRaining (LADDER) that adversarially trains DNN models on latent boundary-guided adversarial examples. As opposed to most of the existing methods that generate adversarial examples in the input space, LADDER generates a myriad of high-quality adversarial examples through adding perturbations to latent features. The perturbations are made along the normal of the decision boundary constructed by an SVM with an attention mechanism. We analyze the merits of our generated boundary-guided adversarial examples from a boundary field perspective and visualization view. Extensive experiments and detailed analysis on MNIST, SVHN, CelebA, and CIFAR-10 validate the effectiveness of LADDER in achieving a better trade-off between standard accuracy and adversarial robustness as compared with vanilla DNNs and competitive baselines.

computer science, artificial intelligence

Kun Yan,Luyi Yang,Zhanpeng Yang,Wenjuan Ren

DOI: https://doi.org/10.3390/sym16101363

2024-10-15

Symmetry

Abstract:Deep neural network models are vulnerable to attacks from adversarial methods, such as gradient attacks. Evening small perturbations can cause significant differences in their predictions. Adversarial training (AT) aims to improve the model's adversarial robustness against gradient attacks by generating adversarial samples and optimizing the adversarial training objective function of the model. Existing methods mainly focus on improving robust accuracy, balancing natural and robust accuracy and suppressing robust overfitting. They rarely consider the AT problem from the characteristics of deep neural networks themselves, such as the stability properties under certain conditions. From a mathematical perspective, deep neural networks with stable training processes may have a better ability to suppress overfitting, as their training process is smoother and avoids sudden drops in performance. We provide a proof of the existence of Ulam stability for deep neural networks. Ulam stability not only determines the existence of the solution for an operator inequality, but it also provides an error bound between the exact and approximate solutions. The feature subspace of a deep neural network with Ulam stability can be accurately characterized and constrained by a function with special properties and a controlled error boundary constant. This restricted feature subspace leads to a more stable training process. Based on these properties, we propose an adversarial training framework called Ulam stability adversarial training (US-AT). This framework can incorporate different Ulam stability conditions and benchmark AT models, optimize the construction of the optimal feature subspace, and consistently improve the model's robustness and training stability. US-AT is simple and easy to use, and it can be easily integrated with existing multi-class AT models, such as GradAlign and TRADES. Experimental results show that US-AT methods can consistently improve the robust accuracy and training stability of benchmark models.

multidisciplinary sciences

Lin Li,Michael Spratling

2023-03-27

Abstract:Deep neural networks can be easily fooled into making incorrect predictions through corruption of the input by adversarial perturbations: human-imperceptible artificial noise. So far adversarial training has been the most successful defense against such adversarial attacks. This work focuses on improving adversarial training to boost adversarial robustness. We first analyze, from an instance-wise perspective, how adversarial vulnerability evolves during adversarial training. We find that during training an overall reduction of adversarial loss is achieved by sacrificing a considerable proportion of training samples to be more vulnerable to adversarial attack, which results in an uneven distribution of adversarial vulnerability among data. Such "uneven vulnerability", is prevalent across several popular robust training methods and, more importantly, relates to overfitting in adversarial training. Motivated by this observation, we propose a new adversarial training method: Instance-adaptive Smoothness Enhanced Adversarial Training (ISEAT). It jointly smooths both input and weight loss landscapes in an adaptive, instance-specific, way to enhance robustness more for those samples with higher adversarial vulnerability. Extensive experiments demonstrate the superiority of our method over existing defense methods. Noticeably, our method, when combined with the latest data augmentation and semi-supervised learning techniques, achieves state-of-the-art robustness against $\ell_{\infty}$-norm constrained attacks on CIFAR10 of 59.32% for Wide ResNet34-10 without extra data, and 61.55% for Wide ResNet28-10 with extra data. Code is available at <a class="link-external link-https" href="https://github.com/TreeLLi/Instance-adaptive-Smoothness-Enhanced-AT" rel="external noopener nofollow">this https URL</a>.

Computer Vision and Pattern Recognition,Artificial Intelligence,Machine Learning

Zhenyu Liu,Haoran Duan,Huizhi Liang,Yang Long,Vaclav Snasel,Guiseppe Nicosia,Rajiv Ranjan,Varun Ojha

2024-08-23

Abstract:Adversarial training is one of the most effective methods for enhancing model robustness. Recent approaches incorporate adversarial distillation in adversarial training architectures. However, we notice two scenarios of defense methods that limit their performance: (1) Previous methods primarily use static ground truth for adversarial training, but this often causes robust overfitting; (2) The loss functions are either Mean Squared Error or KL-divergence leading to a sub-optimal performance on clean accuracy. To solve those problems, we propose a dynamic label adversarial training (DYNAT) algorithm that enables the target model to gradually and dynamically gain robustness from the guide model's decisions. Additionally, we found that a budgeted dimension of inner optimization for the target model may contribute to the trade-off between clean accuracy and robust accuracy. Therefore, we propose a novel inner optimization method to be incorporated into the adversarial training. This will enable the target model to adaptively search for adversarial examples based on dynamic labels from the guiding model, contributing to the robustness of the target model. Extensive experiments validate the superior performance of our approach.

Machine Learning,Computer Vision and Pattern Recognition

Maosen Li,Yanhua Yang,Kun Wei,Xu Yang,Heng Huang

DOI: https://doi.org/10.1609/aaai.v36i2.20023

2022-06-28

Proceedings of the AAAI Conference on Artificial Intelligence

Abstract:Deep learning models have shown to be susceptible to universal adversarial perturbation (UAP), which has aroused wide concerns in the community. Compared with the conventional adversarial attacks that generate adversarial samples at the instance level, UAP can fool the target model for different instances with only a single perturbation, enabling us to evaluate the robustness of the model from a more effective and accurate perspective. The existing universal attack methods fail to exploit the differences and connections between the instance and universal levels to produce dominant perturbations. To address this challenge, we propose a new universal attack method that unifies instance-specific and universal attacks from a feature perspective to generate a more dominant UAP. Specifically, we reformulate the UAP generation task as a minimax optimization problem and then utilize the instance-specific attack method to solve the minimization problem thereby obtaining better training data for generating UAP. At the same time, we also introduce a consistency regularizer to explore the relationship between training data, thus further improving the dominance of the generated UAP. Furthermore, our method is generic with no additional assumptions about the training data and hence can be applied to both data-dependent (supervised) and data-independent (unsupervised) manners. Extensive experiments demonstrate that the proposed method improves the performance by a significant margin over the existing methods in both data-dependent and data-independent settings. Code is available at https://github.com/lisenxd/AT-UAP.

Chaohao Fu,Hongbin Chen,Na Ruan,Weijia Jia

2020-01-01

Abstract: Recent studies indicate that current adversarial attack methods are flawed and easy to fail when encountering some deliberately designed defense. Sometimes even a slight modification in the model details will invalidate the attack. We find that training model with label smoothing can easily achieve striking accuracy under most gradient-based attacks. For instance, the robust accuracy of a WideResNet model trained with label smoothing on CIFAR-10 achieves 75% at most under PGD attack. To understand the reason underlying the subtle robustness, we investigate the relationship between label smoothing and adversarial robustness. Through theoretical analysis about the characteristics of the network trained with label smoothing and experiment verification of its performance under various attacks. We demonstrate that the robustness produced by label smoothing is incomplete based on the fact that its defense effect is volatile, and it cannot defend attacks transferred from a naturally trained model. Our study enlightens the research community to rethink how to evaluate the model's robustness appropriately.

Lingyun Jiang,Kai Qiao,Ruoxi Qin,Jian Chen,Haibing Bu,Bin Yan

DOI: https://doi.org/10.1145/3351917.3351987

2019-01-01

Abstract:Although deep neural networks (DNNs) could achieve state-of-the-art performance while recognizing images, they often vulnerable to adversarial examples where input intended to be added the small magnitude perturbations may mislead them to incorrect results. It is worth researching on defending against adversarial examples due to the potential security threats. In this paper, we propose an unsupervised method for eliminating adversarial perturbation based on disentangled representations. To achieve adversarial defense, we propose extracting the content and perturbation features of adversarial examples by content encoders and perturbation encoders. Meanwhile, to handle the unpaired training data, we introduce a cross-cycle consistency loss based on disentangled representations and a perturbation branch. We also add an adversarial loss on recovered images to make DNNs predict right. Qualitative results show that our method can eliminate adversarial perturbation without paired training data. We perform extensive experiments on two public datasets MNIST and CIFAR10, which is shown the efficiency of resisting adversarial examples.

Jianing Zhu,Jingfeng Zhang,Bo Han,Tongliang Liu,Gang Niu,Hongxia Yang,Mohan Kankanhalli,Masashi Sugiyama

DOI: https://doi.org/10.48550/arXiv.2102.03482

2021-02-09

Abstract:Noisy labels (NL) and adversarial examples both undermine trained models, but interestingly they have hitherto been studied independently. A recent adversarial training (AT) study showed that the number of projected gradient descent (PGD) steps to successfully attack a point (i.e., find an adversarial example in its proximity) is an effective measure of the robustness of this point. Given that natural data are clean, this measure reveals an intrinsic geometric property -- how far a point is from its class boundary. Based on this breakthrough, in this paper, we figure out how AT would interact with NL. Firstly, we find if a point is too close to its noisy-class boundary (e.g., one step is enough to attack it), this point is likely to be mislabeled, which suggests to adopt the number of PGD steps as a new criterion for sample selection for correcting NL. Secondly, we confirm AT with strong smoothing effects suffers less from NL (without NL corrections) than standard training (ST), which suggests AT itself is an NL correction. Hence, AT with NL is helpful for improving even the natural accuracy, which again illustrates the superiority of AT as a general-purpose robust learning criterion.

Machine Learning

Jun Tang,Yuchen Huang,Zhi Mou,Shiyu Wang,Yuanyuan Zhang,Bing Guo

DOI: https://doi.org/10.1080/10589759.2023.2249581

2024-01-01

Nondestructive Testing And Evaluation

Abstract:With further research into neural networks, their scope of application is becoming increasingly extensive. Among these, more neural network models are used in text classification tasks and have achieved excellent results. However, the crucial issue of derived adversarial examples has dramatically affected the stability and robustness of the neural network model. This issue confines the further expansion of the neural network application, especially in some security-sensitive tasks. Concerning the text classification task, our proposed DAT-LP (Defence with Adversarial Training Based on Local Perturbation) algorithm is designed to address the adversarial example issue, which uses local perturbation to enhance model performance based on adversarial training. Furthermore, SW-CStart (Cold-start Algorithm Based on Sliding Window) algorithm is designed to realise adversarial training in the model's initialisation stage. The DAT-LP algorithm is evaluated by comparing with three baselines, including baseline models (BiLSTM, TextCNN), Dropout(regularisation method), and ADT (Adversarial Training method), respectively. As it turns out, DAT-LP's performance is superior and demonstrates the best generalisation ability.

Pratyush Maini,Xinyun Chen,Bo Li,D. Song

2020-01-01

Abstract:Despite the recent advances in defenses against adversarial attacks, deep neural networks typically stay vulnerable to adversaries outside the perturbation type they are trained to be robust against. Recent work has aimed to improve the robustness of a single model against the union of multiple perturbation types, e.g., (cid:96) 1 , (cid:96) 2 and (cid:96) ∞ . However, when evaluating their accuracy against each individual perturbation type, they still do not match the performance of models trained specifically for that single perturbation type. To close this gap, we propose Classify Then Predict (CTP) , a two-stage pipeline to improve the robustness against the union of multiple perturbation types. Instead of training a single label predictor for different perturbation types, CTP first classifies the perturbation type of the input, and then leverages a label predictor specifically trained against that adversary to provide the final prediction. We first provide a theoretical analysis to show that adversarial examples with different perturbation types constitute different distributions, which makes it possible to distinguish them. Further, we show that at test time, the adversary faces a natural trade-off between fooling the attack classifier and the robust label predictor, and as a result, is unable to plant strong attacks against the pipeline. On MNIST, our approach achieves a 10% improvement on the overall adversarial accuracy against the union of (cid:96) 1 , (cid:96) 2 , (cid:96) ∞ perturbation balls.

Haoran Gao,Hua Zhang,Xin Zhang,Wenmin Li,Jiahui Wang,Fei Gao

DOI: https://doi.org/10.1016/j.neunet.2023.06.006

IF: 7.8

2023-06-10

Neural Networks

Abstract:The main aim of class discriminative universal adversarial perturbations (CD-UAPs) is that the adversary can flexibly control the targeted class and influence remaining classes limitedly. CD-UAPs generated by the existing attack strategies suffer from a high fooling ratio of non-targeted source classes under non-targeted and targeted attacks, and face the increasing risk of discovery. In this paper, we propose a training framework for generating enhanced covertness CD-UAPs. It trains the targeted source class set and the non-targeted source classes set alternately to update the perturbation and introduces logit pairing to mitigate the influence of perturbation on the non-targeted source classes set. Further, we extend CD-UAPs on the targeted (one-targeted) attack to the multi-targeted attack, which perturbs a targeted source class to multiple targeted sink classes that seriously threaten the current scenario. It can not only provides the adversary with freedom of precise attack but reduces the risk of being detected. This attack poses a strong threat to security-sensitive applications. Extensive experiments on the CIFAR-10, CIFAR-100 and ImageNet datasets show our method can generate more deceptive perturbations and enhance the covertness of CD-UAPs. For example, our method improves the absolute fooling ratio gaps of ResNet-20 and VGG-16 by 9.46% and 6.94% compared with the baseline method, respectively. We achieve the multi-targeted attack with a high fooling ratio on the GTSRB dataset. The average absolute target fooling ratio gaps of ResNet-20 and VGG-16 are 81.89% and 76.33%, respectively.

computer science, artificial intelligence,neurosciences

Chuanbiao Song,Yanbo Fan,Aoyang Zhou,Baoyuan Wu,Yiming Li,Zhifeng Li,Kun He

DOI: https://doi.org/10.1007/s11263-024-02103-w

IF: 13.369

2024-05-19

International Journal of Computer Vision

Abstract:Adversarial training (AT) has been demonstrated as one of the most promising defense methods against various adversarial attacks. To our knowledge, existing AT-based methods usually train with the locally most adversarial perturbed points and treat all the perturbed points equally, which may lead to considerably weaker adversarial robust generalization on test data. In this work, we introduce a new adversarial training framework that considers the diversity as well as characteristics of the perturbed points in the vicinity of benign samples. To realize the framework, we propose a Regional Adversarial Training (RAT) defense method that first utilizes the attack path generated by the typical iterative attack method of projected gradient descent (PGD), and constructs an adversarial region based on the attack path. Then, RAT samples diverse perturbed training points efficiently inside this region, and utilizes a distance-aware label smoothing mechanism to capture our intuition that perturbed points at different locations should have different impact on the model performance. Extensive experiments on several benchmark datasets show that RAT consistently makes significant improvement on standard adversarial training (SAT), and exhibits better robust generalization.

computer science, artificial intelligence

Jinyin Chen,Xiang Lin,Hui Xiong,Yangyang Wu,Haibin Zheng,Qi Xuan

DOI: https://doi.org/10.1109/tcss.2020.3042628

2020-01-01

IEEE Transactions on Computational Social Systems

Abstract:Recently, a graph neural network (GNN) was proposed to analyze various graphs/networks, which has been proven to outperform many other network analysis methods. However, it is also shown that such state-of-the-art methods suffer from adversarial attacks, i.e., carefully crafted adversarial networks with slight perturbation on clean one may invalid these methods on lots of applications, such as network embedding, node classification, link prediction, and community detection. Adversarial training has been testified as an efficient defense strategy against adversarial attacks in computer vision and graph mining. However, almost all the algorithms based on adversarial training focus on global defense through overall adversarial training. In a more practical scene, certain users would be targeted to attack, i.e., specific labeled users. It is still a challenge to defend against target node attack by existing adversarial training methods. Therefore, we propose smoothing adversarial training (SAT) to improve the robustness of GNNs. In particular, we analytically investigate the robustness of graph convolutional network (GCN), one of the classic GNNs, and propose two smooth defensive strategies: smoothing distillation and smoothing cross-entropy loss function. Both of them smooth the gradients of GCN and, consequently, reduce the amplitude of adversarial gradients, benefiting gradient masking from attackers in both global attack and target label node attack. The comprehensive experiments on five real-world networks testify that the proposed SAT method shows state-of-the-art defensibility against different adversarial attacks on node classification and community detection. Especially, the average attack success rate of different attack methods can be decreased by about 40% by SAT at the cost of tolerable embedding performance decline of the original network.