Initializing Perturbations in Multiple Directions for Fast Adversarial
Training
- URL: http://arxiv.org/abs/2005.07606v2
- Date: Mon, 25 Jan 2021 07:59:28 GMT
- Title: Initializing Perturbations in Multiple Directions for Fast Adversarial
Training
- Authors: Xunguang Wang, Ship Peng Xu, and Eric Ke Wang
- Abstract summary: In image classification, an adversarial example can fool well-trained deep neural networks by adding barely perceptible perturbations to clean images.
Adversarial Training, one of the most direct and effective methods, minimizes the losses of perturbed-data.
We propose the Diversified Initialized Perturbations Adversarial Training (DIP-FAT).
- Score: 1.8638865257327277
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Recent developments in the field of Deep Learning have demonstrated that Deep
Neural Networks (DNNs) are vulnerable to adversarial examples. Specifically, in
image classification, an adversarial example can fool well-trained deep
neural networks by adding barely perceptible perturbations to clean images.
Adversarial Training, one of the most direct and effective methods, minimizes
the losses of perturbed-data to learn robust deep networks against adversarial
attacks. It has been proven that using the fast gradient sign method (FGSM) can
achieve Fast Adversarial Training. However, FGSM-based adversarial training may
finally obtain a failed model because of overfitting to FGSM samples. In this
paper, we propose the Diversified Initialized Perturbations Adversarial
Training (DIP-FAT), which involves seeking the initialization of the
perturbation via enlarging the output distances of the target model in random
directions. Due to the diversity of random directions, the embedded fast
adversarial training using FGSM increases the information from the adversary
and reduces the possibility of overfitting. In addition to preventing
overfitting, the extensive results show that our proposed DIP-FAT technique can
also improve the accuracy of the clean data. The biggest advantage of the DIP-FAT
method is that it achieves the best balance among clean-data, perturbed-data and
efficiency.
Related papers
- Adversarial training with informed data selection [53.19381941131439]
Adversarial training is the most efficient solution to defend the network against these malicious attacks.
This work proposes a data selection strategy to be applied in the mini-batch training.
The simulation results show that a good compromise can be obtained regarding robustness and standard accuracy.
arXiv Detail & Related papers (2023-01-07T12:09:50Z)
- Distributed Adversarial Training to Robustify Deep Neural Networks at Scale [100.19539096465101]
Current deep neural networks (DNNs) are vulnerable to adversarial attacks, where adversarial perturbations to the inputs can change or manipulate classification.
To defend against such attacks, an effective approach, known as adversarial training (AT), has been shown to mitigate robust training.
We propose a large-batch adversarial training framework implemented over multiple machines.
arXiv Detail & Related papers (2022-06-13T15:39:43Z)
- Adversarial Unlearning: Reducing Confidence Along Adversarial Directions [88.46039795134993]
We propose a complementary regularization strategy that reduces confidence on self-generated examples.
The method, which we call RCAD, aims to reduce confidence on out-of-distribution examples lying along directions adversarially chosen to increase training loss.
Despite its simplicity, we find on many classification benchmarks that RCAD can be added to existing techniques to increase test accuracy by 1-3% in absolute value.
arXiv Detail & Related papers (2022-06-03T02:26:24Z)
- $\ell_\infty$-Robustness and Beyond: Unleashing Efficient Adversarial Training [11.241749205970253]
We show how selecting a small subset of training data provides a more principled approach towards reducing the time complexity of robust training.
Our approach speeds up adversarial training by 2-3 times, while experiencing a small reduction in the clean and robust accuracy.
arXiv Detail & Related papers (2021-12-01T09:55:01Z)
- Boosting Fast Adversarial Training with Learnable Adversarial Initialization [79.90495058040537]
Adversarial training (AT) has been demonstrated to be effective in improving model robustness by leveraging adversarial examples for training.
To boost training efficiency, fast gradient sign method (FGSM) is adopted in fast AT methods by calculating gradient only once.
arXiv Detail & Related papers (2021-10-11T05:37:00Z)
- Guided Interpolation for Adversarial Training [73.91493448651306]
As training progresses, the training data becomes less and less attackable, undermining the robustness enhancement.
We propose the guided framework (GIF), which employs the previous epoch's meta information to guide the data's adversarial variants.
Compared with the vanilla mixup, the GIF can provide a higher ratio of attackable data, which is beneficial to the robustness enhancement.
arXiv Detail & Related papers (2021-02-15T03:55:08Z)
- Robust Single-step Adversarial Training with Regularizer [11.35007968593652]
We propose a novel Fast Gradient Sign Method with PGD Regularization (FGSMPR) to boost the efficiency of adversarial training without catastrophic overfitting.
Experiments demonstrate that our proposed method can train a robust deep network for L$_\infty$-perturbations with FGSM adversarial training.
arXiv Detail & Related papers (2021-02-05T19:07:10Z)
- A Simple Fine-tuning Is All You Need: Towards Robust Deep Learning Via Adversarial Fine-tuning [90.44219200633286]
We propose a simple yet very effective adversarial fine-tuning approach based on a $\textit{slow start, fast decay}$ learning rate scheduling strategy.
Experimental results show that the proposed adversarial fine-tuning approach outperforms the state-of-the-art methods on CIFAR-10, CIFAR-100 and ImageNet datasets.
arXiv Detail & Related papers (2020-12-25T20:50:15Z)
- Towards Rapid and Robust Adversarial Training with One-Step Attacks [0.0]
Adversarial training is the most successful method for increasing the robustness of neural networks against adversarial attacks.
We present two ideas that enable adversarial training with the computationally less expensive Fast Gradient Sign Method.
We show that noise injection in conjunction with FGSM-based adversarial training achieves comparable results to adversarial training with PGD while being considerably faster.
arXiv Detail & Related papers (2020-02-24T07:28:43Z)
This list is automatically generated from the titles and abstracts of the papers in this site.