Minhao Cheng,Qi Lei,Pin-Yu Chen,Inderjit Dhillon,Cho-Jui Hsieh

DOI: https://doi.org/10.48550/arXiv.2002.06789

2020-02-17

Abstract:Adversarial training has become one of the most effective methods for improving robustness of neural networks. However, it often suffers from poor generalization on both clean and perturbed data. In this paper, we propose a new algorithm, named Customized Adversarial Training (CAT), which adaptively customizes the perturbation level and the corresponding label for each training sample in adversarial training. We show that the proposed algorithm achieves better clean and robust accuracy than previous adversarial training methods through extensive experiments.

Machine Learning

Xingbin Liu,Huafeng Kuang,Xianming Lin,Yongjian Wu,Rongrong Ji

DOI: https://doi.org/10.48550/arxiv.2303.14922

2023-01-01

Abstract:Adversarial training can improve the robustness of neural networks. Previous methods focus on a single adversarial training strategy and do not consider the model property trained by different strategies. By revisiting the previous methods, we find different adversarial training methods have distinct robustness for sample instances. For example, a sample instance can be correctly classified by a model trained using standard adversarial training (AT) but not by a model trained using TRADES, and vice versa. Based on this observation, we propose a collaborative adversarial training framework to improve the robustness of neural networks. Specifically, we use different adversarial training methods to train robust models and let models interact with their knowledge during the training process. Collaborative Adversarial Training (CAT) can improve both robustness and accuracy. Extensive experiments on various networks and datasets validate the effectiveness of our method. CAT achieves state-of-the-art adversarial robustness without using any additional data on CIFAR-10 under the Auto-Attack benchmark. Code is available at https://github.com/liuxingbin/CAT.

Xingbin Liu,Huafeng Kuang,Xianming Lin,Yongjian Wu,Rongrong Ji

DOI: https://doi.org/10.48550/arXiv.2303.14922

2023-03-27

Abstract:Adversarial training can improve the robustness of neural networks. Previous methods focus on a single adversarial training strategy and do not consider the model property trained by different strategies. By revisiting the previous methods, we find different adversarial training methods have distinct robustness for sample instances. For example, a sample instance can be correctly classified by a model trained using standard adversarial training (AT) but not by a model trained using TRADES, and vice versa. Based on this observation, we propose a collaborative adversarial training framework to improve the robustness of neural networks. Specifically, we use different adversarial training methods to train robust models and let models interact with their knowledge during the training process. Collaborative Adversarial Training (CAT) can improve both robustness and accuracy. Extensive experiments on various networks and datasets validate the effectiveness of our method. CAT achieves state-of-the-art adversarial robustness without using any additional data on CIFAR-10 under the Auto-Attack benchmark. Code is available at <a class="link-external link-https" href="https://github.com/liuxingbin/CAT" rel="external noopener nofollow">this https URL</a>.

Computer Vision and Pattern Recognition

Yaguan Qian,Xiaoyu Liang,Ming Kang,Bin Wang,Zhaoquan Gu,Xing Wang,Chunming Wu

DOI: https://doi.org/10.1142/s0218001422510156

IF: 1.261

2022-01-01

International Journal of Pattern Recognition and Artificial Intelligence

Abstract:Adversarial training is by far one of the most effective methods to improve the robustness of deep neural networks against adversarial examples. However, the trade-off between robustness and accuracy is still a challenge in adversarial training. Previous methods used adversarial examples with a fixed perturbation budget or specific perturbation budgets for each example, which is inefficient in improving the trade-off and lacks the ability to control the trade-off flexibly. In this paper, we show that the largest element of logit, [Formula: see text], can roughly represent the minimum distance between an example and its neighboring decision boundary. Thus, we propose group adaptive adversarial training (GAAT) that divides the training dataset into several groups based on [Formula: see text] and develops a binary search algorithm to determine the group perturbation budgets for each group. Using the group perturbation budgets to perform adversarial training can fine-tune the trade-off between robustness and accuracy. Extensive experiments conducted on CIFAR-10 and ImageNet-30 show that our GAAT can achieve a more perfect trade-off than TRADES, MMA, and MART.

Lin Li,Michael Spratling

2023-03-27

Abstract:Deep neural networks can be easily fooled into making incorrect predictions through corruption of the input by adversarial perturbations: human-imperceptible artificial noise. So far adversarial training has been the most successful defense against such adversarial attacks. This work focuses on improving adversarial training to boost adversarial robustness. We first analyze, from an instance-wise perspective, how adversarial vulnerability evolves during adversarial training. We find that during training an overall reduction of adversarial loss is achieved by sacrificing a considerable proportion of training samples to be more vulnerable to adversarial attack, which results in an uneven distribution of adversarial vulnerability among data. Such "uneven vulnerability", is prevalent across several popular robust training methods and, more importantly, relates to overfitting in adversarial training. Motivated by this observation, we propose a new adversarial training method: Instance-adaptive Smoothness Enhanced Adversarial Training (ISEAT). It jointly smooths both input and weight loss landscapes in an adaptive, instance-specific, way to enhance robustness more for those samples with higher adversarial vulnerability. Extensive experiments demonstrate the superiority of our method over existing defense methods. Noticeably, our method, when combined with the latest data augmentation and semi-supervised learning techniques, achieves state-of-the-art robustness against $\ell_{\infty}$-norm constrained attacks on CIFAR10 of 59.32% for Wide ResNet34-10 without extra data, and 61.55% for Wide ResNet28-10 with extra data. Code is available at <a class="link-external link-https" href="https://github.com/TreeLLi/Instance-adaptive-Smoothness-Enhanced-AT" rel="external noopener nofollow">this https URL</a>.

Computer Vision and Pattern Recognition,Artificial Intelligence,Machine Learning

Mingyuan Fan,Yang Liu,Wenzhong Guo,Ximeng Liu,Jianhua Li

DOI: https://doi.org/10.48550/arxiv.2204.09398

2022-01-01

Abstract: The neural network (NN) becomes one of the most heated type of models in various signal processing applications. However, NNs are extremely vulnerable to adversarial examples (AEs). To defend AEs, adversarial training (AT) is believed to be the most effective method while due to the intensive computation, AT is limited to be applied in most applications. In this paper, to resolve the problem, we design a generic and efficient AT improvement scheme, namely case-aware adversarial training (CAT). Specifically, the intuition stems from the fact that a very limited part of informative samples can contribute to most of model performance. Alternatively, if only the most informative AEs are used in AT, we can lower the computation complexity of AT significantly as maintaining the defense effect. To achieve this, CAT achieves two breakthroughs. First, a method to estimate the information degree of adversarial examples is proposed for AE filtering. Second, to further enrich the information that the NN can obtain from AEs, CAT involves a weight estimation and class-level balancing based sampling strategy to increase the diversity of AT at each iteration. Extensive experiments show that CAT is faster than vanilla AT by up to 3x while achieving competitive defense effect.

Xianxu Hou,Jingxin Liu,Bolei Xu,Xiaolong Wang,Bozhi Liu,Guoping Qiu

DOI: https://doi.org/10.1016/j.imavis.2020.103926

IF: 3.86

2020-07-01

Image and Vision Computing

Abstract:<p>Recent works have demonstrated convolutional neural networks are vulnerable to adversarial examples, i.e., inputs to machine learning models that an attacker has intentionally designed to cause the models to make a mistake. To improve the adversarial robustness of neural networks, adversarial training has been proposed to train networks by injecting adversarial examples into the training data. However, adversarial training could overfit to a specific type of adversarial attack and also lead to standard accuracy drop on clean images. To this end, we propose a novel Class-Aware Domain Adaptation (CADA) method for adversarial defense without directly applying adversarial training. Specifically, we propose to learn domain-invariant features for adversarial examples and clean images via a domain discriminator. Furthermore, we introduce a class-aware component into the discriminator to increase the discriminative power of the network for adversarial examples. We evaluate our newly proposed approach using multiple benchmark datasets. The results demonstrate that our method can significantly improve the state-of-the-art of adversarial robustness for various attacks and maintain high performances on clean images.</p>

Jiahong Chen,Zhilin Zhang,Lucy Li,Behzad Shahrasbi,Arjun Mishra

2024-07-18

Abstract:Domain adversarial training has shown its effective capability for finding domain invariant feature representations and been successfully adopted for various domain adaptation tasks. However, recent advances of large models (e.g., vision transformers) and emerging of complex adaptation scenarios (e.g., DomainNet) make adversarial training being easily biased towards source domain and hardly adapted to target domain. The reason is twofold: relying on large amount of labelled data from source domain for large model training and lacking of labelled data from target domain for fine-tuning. Existing approaches widely focused on either enhancing discriminator or improving the training stability for the backbone networks. Due to unbalanced competition between the feature extractor and the discriminator during the adversarial training, existing solutions fail to function well on complex datasets. To address this issue, we proposed a novel contrastive adversarial training (CAT) approach that leverages the labeled source domain samples to reinforce and regulate the feature generation for target domain. Typically, the regulation forces the target feature distribution being similar to the source feature distribution. CAT addressed three major challenges in adversarial learning: 1) ensure the feature distributions from two domains as indistinguishable as possible for the discriminator, resulting in a more robust domain-invariant feature generation; 2) encourage target samples moving closer to the source in the feature space, reducing the requirement for generalizing classifier trained on the labeled source domain to unlabeled target domain; 3) avoid directly aligning unpaired source and target samples within mini-batch. CAT can be easily plugged into existing models and exhibits significant performance improvements.

Machine Learning,Computer Vision and Pattern Recognition

Lirong He,Qingzhong Ai,Xincheng Yang,Yazhou Ren,Qifan Wang,Zenglin Xu

DOI: https://doi.org/10.1016/j.neunet.2023.08.063

IF: 7.8

2023-01-01

Neural Networks

Abstract:Adversarial training is considered one of the most effective methods to improve the adversarial robustness of deep neural networks. Despite the success, it still suffers from unsatisfactory performance and overfitting. Considering the intrinsic mechanism of adversarial training, recent studies adopt the idea of curriculum learning to alleviate overfitting. However, this also introduces new issues, that is, lacking the quantitative criterion for attacks' strength and catastrophic forgetting. To mitigate such issues, we propose the self-paced adversarial training (SPAT), which explicitly builds the learning process of adversarial training based on adversarial examples of the whole dataset. Specifically, our model is first trained with "easy"adversarial examples, and then is continuously enhanced by gradually adding "complex"adversarial examples. This way strengthens the ability to fit "complex"adversarial examples while holding in mind "easy"adversarial samples. To balance adversarial examples between classes, we determine the difficulty of the adversarial examples locally in each class. Notably, this learning paradigm can also be incorporated into other advanced methods for further boosting adversarial robustness. Experimental results show the effectiveness of our proposed model against various attacks on widely-used benchmarks. Especially, on CIFAR100, SPAT provides a boost of 1.7% (relatively 5.4%) in robust accuracy on the PGD10 attack and 3.9% (relatively 7.2%) in natural accuracy for AWP. (c) 2023 Elsevier Ltd. All rights reserved.

Shuai Zhao,Shibin Liu,Boyuan Zhang,Yang Zhai,Ziyi Liu,Yahong Han

DOI: https://doi.org/10.1109/icme57554.2024.10688077

2024-01-01

Abstract:The adversarial examples have demonstrated the vulnerability of machine learning models. While the data augmentation strategy has been a cornerstone in circumventing overfitting within the realm of standard training paradigms, the prior research has proved the limited efficiency of data augmentation in ameliorating overfitting concerns, specifically within the scope of adversarial training. In this work, we have shown that a data augmentation strategy could enhance the generalization of adversarial training. Our framework, Adversarial Denoising-based Training(ADT), first utilizes the adversarial denoising strategy to improve the generalization of adversarial training. Specifically, we use patch-wise adversarial denoising as a data augmentation strategy to boost the robustness of adversarial training. We have evaluated our method on the MNIST, CIFAR-10, Tiny-ImageNet, and GTSRB datasets. The result shows that our framework could successfully improve the adversarial robustness of models against both digital and physical adversarial examples.

Yun Zhang,Hongwei Li,Guowen Xu,Shuai Yuan,Xiaoming Huang

DOI: https://doi.org/10.1007/s12083-021-01178-3

2021-06-07

Abstract:Adversarial training has become one of the most widely used methods to defense the attack of adversarial examples, since its properties of improving the robustness of neural networks. To achieve this, many representative works have been proposed to optimize the hyper-parameters in the adversarial training, so as to obtain the optimal trade-off between model classification accuracy and robustness. However, existing works are still in its infancy, especially in terms of model accuracy and training efficiency. In this paper, we propose Specific Adversarial Training(SAT), a novel framework to solve this challenge. Specifically, SAT improves the process of adversarial training by crafting specific perturbation and label for each data point. With this, these generated samples can close and properly cross the decision boundary meanwhile obtain an ideal label, which performs a positive effects in adversarial training. Experimental results show that our method can achieve 88.62% natural accuracy while the adversarial accuracy also improve from 43.79% to 52.34% in the CIFAR-10 dataset. Meanwhile, we achieve a higher efficiency compared to prior works.

computer science, information systems,telecommunications

Zeming Wei,Yifei Wang,Yiwen Guo,Yisen Wang

2023-03-25

Abstract:Adversarial training has been widely acknowledged as the most effective method to improve the adversarial robustness against adversarial examples for Deep Neural Networks (DNNs). So far, most existing works focus on enhancing the overall model robustness, treating each class equally in both the training and testing phases. Although revealing the disparity in robustness among classes, few works try to make adversarial training fair at the class level without sacrificing overall robustness. In this paper, we are the first to theoretically and empirically investigate the preference of different classes for adversarial configurations, including perturbation margin, regularization, and weight averaging. Motivated by this, we further propose a \textbf{C}lass-wise calibrated \textbf{F}air \textbf{A}dversarial training framework, named CFA, which customizes specific training configurations for each class automatically. Experiments on benchmark datasets demonstrate that our proposed CFA can improve both overall robustness and fairness notably over other state-of-the-art methods. Code is available at \url{<a class="link-external link-https" href="https://github.com/PKU-ML/CFA" rel="external noopener nofollow">this https URL</a>}.

Machine Learning,Computer Vision and Pattern Recognition

Xuanwei Lin,Ximeng Liu,Bijia Chen,Yuyang Wang,Chen Dong,Pengzhen Hu

DOI: https://doi.org/10.1109/jiot.2023.3300300

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:Active learning (AL) tries to maximize the model’s performance when the labeled dataset is limited, and the annotation cost is high. Although it can be efficiently implemented in deep neural networks (DNNs), it is questionable whether the model can maintain the ability to generalize well when there are significant distributional deviations between the labeled and unlabeled datasets. In this paper, we consider introducing adversarial training and adversarial samples into active learning to mitigate the problem of degraded generalization performance due to different data distributions. In particular, our proposed adversarial training active learning (ATAL) has two advantages, and one is that adversarial training by different networks enables the network to have better prediction performance and robustness with limited labeled samples. And the other is that the adversarial samples generated by the adversarial training can effectively expand the labeled dataset so that the designed query function can efficiently select the most informative unlabeled samples based on the expanded labeled dataset. Extensive experiments have been performed to verify the feasibility and efficiency of our proposed method, i.e., CIFAR-10 demonstrates the effectiveness of our method — new state-of-the-art robustness and accuracy are achieved.

Zhenyu Liu,Haoran Duan,Huizhi Liang,Yang Long,Vaclav Snasel,Guiseppe Nicosia,Rajiv Ranjan,Varun Ojha

2024-08-23

Abstract:Adversarial training is one of the most effective methods for enhancing model robustness. Recent approaches incorporate adversarial distillation in adversarial training architectures. However, we notice two scenarios of defense methods that limit their performance: (1) Previous methods primarily use static ground truth for adversarial training, but this often causes robust overfitting; (2) The loss functions are either Mean Squared Error or KL-divergence leading to a sub-optimal performance on clean accuracy. To solve those problems, we propose a dynamic label adversarial training (DYNAT) algorithm that enables the target model to gradually and dynamically gain robustness from the guide model's decisions. Additionally, we found that a budgeted dimension of inner optimization for the target model may contribute to the trade-off between clean accuracy and robust accuracy. Therefore, we propose a novel inner optimization method to be incorporated into the adversarial training. This will enable the target model to adaptively search for adversarial examples based on dynamic labels from the guiding model, contributing to the robustness of the target model. Extensive experiments validate the superior performance of our approach.

Machine Learning,Computer Vision and Pattern Recognition

Yulong Wang,Tong Sun,Xin Yuan,Shenghong Li,Wei Ni

DOI: https://doi.org/10.1109/tifs.2024.3474973

IF: 7.231

2024-10-22

IEEE Transactions on Information Forensics and Security

Abstract:Training deep neural networks (DNNs) with altered data, known as adversarial training, is essential for improving their robustness. A significant challenge emerges as the robustness strengthened during training often diminishes during inference, resulting in drops in robust pronounced accuracy. Contemporary strategies either necessitate excessively large training data or risk compromising the natural accuracy of non-adversarial images. Our analysis identifies that the inherent vulnerability of DNNs to adversarial attacks stems from certain input space segments that are inadequately populated by training data, leading to decision-making voids with incorrect predictions. The minimum number of training samples required for successful adversarial training can be attained by maximizing the representativeness of the samples. In light of this, we put forth an advanced training data augmentation method anchored on a Generative Adversarial Network. The generated samples are evaluated by the image classifier during training and selected based on their confidence scores. Evaluations on public datasets, such as Tiny-ImageNet, MS COCO, and CIFAR-100, using various deep neural networks (DNNs), including Vision Transformer, MobileNet, and WideResNet, under recent attacks like DifAttack, SQBA, and AutoAttack, confirm that our method significantly enhances the adversarial robustness of DNN image classifiers. Our method outperforms state-of-the-art adversarial training methods by 35.66% on Tiny-ImageNet, 13.53% on MS COCO, and 13.06% on CIFAR-100.

computer science, theory & methods,engineering, electrical & electronic

Mohamed elShehaby,Aditya Kotha,Ashraf Matrawy

2024-05-29

Abstract:Adversarial training enhances the robustness of Machine Learning (ML) models against adversarial attacks. However, obtaining labeled training and adversarial training data in network/cybersecurity domains is challenging and costly. Therefore, this letter introduces Adaptive Continuous Adversarial Training (ACAT), a method that integrates adversarial training samples into the model during continuous learning sessions using real-world detected adversarial data. Experimental results with a SPAM detection dataset demonstrate that ACAT reduces the time required for adversarial sample detection compared to traditional processes. Moreover, the accuracy of the under-attack ML-based SPAM filter increased from 69% to over 88% after just three retraining sessions.

Machine Learning,Cryptography and Security,Networking and Internet Architecture

Yan Wang,Dongmei Zhang,Haiyang Zhang

DOI: https://doi.org/10.1007/978-3-031-20865-2_30

2022-01-01

Abstract:Adversarial Training (AT) is one of the most effective defense methods against adversarial examples, in which a model is trained on both clean and adversarial examples. Although AT improves the robustness by smoothing the small neighborhood, it reduces accuracy on clean examples. We propose Weighted Adaptive Perturbation Adversarial Training (WAPAT) to reduce the loss of clean accuracy and improve robustness, which is motivated by the adaptive learning rate of the model optimizer. In the adversarial examples generation stage of adversarial training, We introduce weights based on feature changes to adaptively adjust the perturbation step size for different features. In iterative attacks, if a feature is frequently attacked, we increase the attack strength of this area, otherwise, we weaken the attack strength of this area. WAPAT is a data augmentation method that shortens the distance of adversarial examples to the classification boundary. The generated adversarial examples maintain good adversarial effects while retaining more clean examples information. Therefore, such adversarial examples can help us to obtain a more robust model while reducing the loss of recognition accuracy for clean examples. To demonstrate our method, we implement WAPAT in three adversarial training frameworks. Experimental results on CIFAR-10 and MNIST show thatWAPAT significantly improves adversarial robustness with less sacrifice of accuracy.

Bo Han,Chen Gong,Jun Yu,Mingming Gong,Tongliang Liu,Li Shen,Chaojian Yu

DOI: https://doi.org/10.48550/arXiv.2206.08675

2022-06-17

Abstract:Robust overfitting widely exists in adversarial training of deep networks. The exact underlying reasons for this are still not completely understood. Here, we explore the causes of robust overfitting by comparing the data distribution of \emph{non-overfit} (weak adversary) and \emph{overfitted} (strong adversary) adversarial training, and observe that the distribution of the adversarial data generated by weak adversary mainly contain small-loss data. However, the adversarial data generated by strong adversary is more diversely distributed on the large-loss data and the small-loss data. Given these observations, we further designed data ablation adversarial training and identify that some small-loss data which are not worthy of the adversary strength cause robust overfitting in the strong adversary mode. To relieve this issue, we propose \emph{minimum loss constrained adversarial training} (MLCAT): in a minibatch, we learn large-loss data as usual, and adopt additional measures to increase the loss of the small-loss data. Technically, MLCAT hinders data fitting when they become easy to learn to prevent robust overfitting; philosophically, MLCAT reflects the spirit of turning waste into treasure and making the best use of each adversarial data; algorithmically, we designed two realizations of MLCAT, and extensive experiments demonstrate that MLCAT can eliminate robust overfitting and further boost adversarial robustness.

Computer Science

Shibin Liu,Yahong Han

DOI: https://doi.org/10.1007/s00371-023-03057-9

2024-01-01

Abstract:Recent research has shown the vulnerability of deep networks to adversarial perturbations. Adversarial training and its variants have been shown to be effective defense algorithms against adversarial attacks, enhancing the defense abilities of deep neural networks by training them to fit adversarial examples. However, the significant computational burden of generating strong adversarial examples has rendered the process time-consuming, presenting a challenge for efficient training. In this paper, we propose adversarial training with robust area (ATRA), a highly efficient variant of adversarial training. We experimentally find that certain pixels in the image play a crucial role in improving robust accuracy, which we refer to the collection of discrete pixels as the high-robust area. Based on the robust area of the input instance, ATRA generates adversarial examples by applying an adaptive perturbation. Furthermore, we investigate the transferability of the high-robust area during the attack iteration process and experimentally demonstrate its effectiveness. Therefore, ATRA has the advantage of reducing the additional cost of generating strong adversarial examples while maintaining model robustness. Our experimental results on MNIST, CIFAR10, and TinyImageNet show that our method outperforms current state-of-the-art baselines with significantly less additional training time required, especially on MNIST where our method requires 18 × less training time. Furthermore, our method also achieves good performance under different adversarial attacks such as FGSM, CW, and AutoAttack.

Yishan Li,Yanming Guo,Yulun Wu,Yuxiang Xie,Mingrui Lao,Tianyuan Yu,Yirun Ruan

DOI: https://doi.org/10.1007/s13735-024-00330-y

2024-05-08

International Journal of Multimedia Information Retrieval

Abstract:Adversarial examples have exposed the inherent vulnerabilities of deep neural networks. Although adversarial training has emerged as the leading strategy for adversarial defenses, it is frequently hindered by a challenging balance between maintaining accuracy on unaltered examples and enhancing model robustness. Recent efforts on decoupling network components can effectively reduce the degradation of classification accuracy, but at the cost of an unsatisfactory in robust accuracy, and may suffer from robust overfitting. In this paper, we delve into the underlying causes of this compromise, and introduce a novel framework, the Regularized Decoupled Adversarial Training Mechanism (RDAT) to effectively deal with the trade-off and overfitting. Specifically, RDAT comprises two distinct modules: Regularization module mitigates harmful perturbations by controlling the data distribution distance of examples before and after adversarial attacks. Decoupling training module separates clean and adversarial examples so that they can have special optimization strategies to avoid the suboptimal result in adversarial training. With marginal compromise on the classification accuracy, RDAT achieves remarkably better model robustness with the improvement of robust accuracy by an average of 4.47% on CIFAR-10 and 3.23% on CIFAR-100 when compared to state-of-the-art methods.

computer science, artificial intelligence, software engineering