Bag of Tricks for FGSM Adversarial Training
- URL: http://arxiv.org/abs/2209.02684v1
- Date: Tue, 6 Sep 2022 17:53:21 GMT
- Title: Bag of Tricks for FGSM Adversarial Training
- Authors: Zichao Li, Li Liu, Zeyu Wang, Yuyin Zhou, Cihang Xie
- Abstract summary: Adversarial training (AT) with samples generated by Fast Gradient Sign Method (FGSM), also known as FGSM-AT, is a computationally simple method to train robust networks.
During its training procedure, an unstable mode of "catastrophic overfitting" has been identified in arXiv:2001.03994 [cs.LG], where the robust accuracy abruptly drops to zero within a single training step.
In this work, we provide the first study that thoroughly examines a collection of tricks for overcoming catastrophic overfitting in FGSM-AT.
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Adversarial training (AT) with samples generated by Fast Gradient Sign Method
(FGSM), also known as FGSM-AT, is a computationally simple method to train
robust networks. However, during its training procedure, an unstable mode of
"catastrophic overfitting" has been identified in arXiv:2001.03994 [cs.LG],
where the robust accuracy abruptly drops to zero within a single training step.
Existing methods use gradient regularizers or random initialization tricks to
attenuate this issue, but they either incur a high computational cost or lead
to lower robust accuracy. In this work, we provide the first study that
thoroughly examines a collection of tricks from three perspectives: Data
Initialization, Network Structure, and Optimization, to overcome
catastrophic overfitting in FGSM-AT.
Surprisingly, we find that simple tricks, namely a) masking a portion of the
input pixels (even without randomness), b) using a large convolution stride and
smooth activation functions, or c) regularizing the weights of the first
convolutional layer, can effectively tackle the overfitting issue. Extensive
results on a
range of network architectures validate the effectiveness of each proposed
trick, and the combinations of tricks are also investigated. For example,
trained with PreActResNet-18 on CIFAR-10, our method attains 49.8% accuracy
against the PGD-50 attacker and 46.4% accuracy against AutoAttack, demonstrating
that pure FGSM-AT is capable of enabling robust learners. The code and models
are publicly available at
https://github.com/UCSC-VLAA/Bag-of-Tricks-for-FGSM-AT.
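As a rough illustration of trick a), the PyTorch-style sketch below performs one FGSM-AT update with a fraction of input pixels masked before the perturbation is crafted. The epsilon, mask ratio, model, and optimizer are placeholder assumptions for illustration only; the paper's actual implementation is the one in the linked repository.

```python
import torch
import torch.nn.functional as F

def fgsm_at_step(model, optimizer, x, y, epsilon=8/255, mask_ratio=0.4):
    # Mask a fraction of the input pixels before crafting the perturbation
    # (trick a); a random mask is the simplest variant to write down, though
    # the paper notes that masking helps even without randomness.
    mask = (torch.rand_like(x[:, :1]) > mask_ratio).float()  # shared across channels
    x_masked = x * mask

    # Single-step FGSM: one gradient w.r.t. the (masked) input.
    x_adv = x_masked.clone().detach().requires_grad_(True)
    loss = F.cross_entropy(model(x_adv), y)
    grad = torch.autograd.grad(loss, x_adv)[0]
    x_adv = torch.clamp(x_masked + epsilon * grad.sign(), 0.0, 1.0).detach()

    # Train on the adversarial batch.
    optimizer.zero_grad()
    adv_loss = F.cross_entropy(model(x_adv), y)
    adv_loss.backward()
    optimizer.step()
    return adv_loss.item()
```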
Related papers
- Improved techniques for deterministic l2 robustness [63.34032156196848]
Training convolutional neural networks (CNNs) with a strict 1-Lipschitz constraint under the $l_2$ norm is useful for adversarial robustness, interpretable gradients and stable training.
We introduce a procedure to certify the robustness of 1-Lipschitz CNNs by replacing the last linear layer with a 1-hidden-layer MLP.
We significantly advance the state-of-the-art for standard and provable robust accuracies on CIFAR-10 and CIFAR-100.
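For context on how a 1-Lipschitz constraint yields certificates, here is a minimal sketch of the standard margin-based $l_2$ radius; this is the generic bound for any $l_2$ 1-Lipschitz classifier, not the specific last-layer construction proposed in that paper.

```python
import torch

def certified_l2_radius(logits: torch.Tensor) -> torch.Tensor:
    # Standard margin-based certificate for an l2 1-Lipschitz classifier:
    # the prediction cannot change within radius (top1 - top2) / sqrt(2).
    top2 = logits.topk(2, dim=-1).values   # (batch, 2)
    margin = top2[:, 0] - top2[:, 1]
    return margin / (2.0 ** 0.5)
```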
arXiv Detail & Related papers (2022-11-15T19:10:12Z)
- Prior-Guided Adversarial Initialization for Fast Adversarial Training [84.56377396106447]
We investigate the difference between the training processes of adversarial examples (AEs) in fast adversarial training (FAT) and standard adversarial training (SAT).
We observe that the attack success rate of FAT's AEs gradually deteriorates in the late training stage, resulting in overfitting.
Based on this observation, we propose a prior-guided FGSM initialization method to avoid overfitting.
The proposed method can prevent catastrophic overfitting and outperform state-of-the-art FAT methods.
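A minimal sketch of the general idea, assuming a per-sample buffer that reuses the previous epoch's perturbation as the FGSM starting point; the cited paper's exact prior-guided scheme and regularizer are not reproduced here.

```python
import torch
import torch.nn.functional as F

delta_buffer = {}  # sample index -> perturbation stored from the previous epoch

def fgsm_with_prior_init(model, x, y, idx, epsilon=8/255, alpha=10/255):
    # Seed the attack with each sample's stored perturbation (zero on first use).
    prior = torch.stack([
        delta_buffer.get(i, torch.zeros_like(x[0], device="cpu"))
        for i in idx.tolist()
    ]).to(x.device)
    delta = prior.clone().detach().requires_grad_(True)
    loss = F.cross_entropy(model(x + delta), y)
    grad = torch.autograd.grad(loss, delta)[0]
    delta = torch.clamp(delta + alpha * grad.sign(), -epsilon, epsilon).detach()
    # Store the updated perturbations to initialize the next epoch's attack.
    for j, i in enumerate(idx.tolist()):
        delta_buffer[i] = delta[j].cpu()
    return torch.clamp(x + delta, 0.0, 1.0)
```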
arXiv Detail & Related papers (2022-07-18T18:13:10Z)
- Fast Adversarial Training with Adaptive Step Size [62.37203478589929]
We study the catastrophic overfitting phenomenon from the perspective of training instances.
We propose a simple but effective method, Adversarial Training with Adaptive Step size (ATAS).
ATAS learns an instance-wise adaptive step size that is inversely proportional to each instance's gradient norm.
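Taken literally, that inverse proportionality can be sketched as follows; the base constant and the choice of norm are assumptions for illustration, not ATAS's published schedule.

```python
import torch

def adaptive_step_size(input_grad: torch.Tensor,
                       base_alpha: float = 8/255,
                       eps: float = 1e-8) -> torch.Tensor:
    # Instance-wise step size that shrinks as the input-gradient norm grows;
    # base_alpha and the l2 norm here are illustrative placeholders.
    g_norm = input_grad.flatten(1).norm(dim=1)   # per-example gradient norm
    return base_alpha / (g_norm + eps)           # shape: (batch,)
```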
arXiv Detail & Related papers (2022-06-06T08:20:07Z)
- Efficient Few-Shot Object Detection via Knowledge Inheritance [62.36414544915032]
Few-shot object detection (FSOD) aims at learning a generic detector that can adapt to unseen tasks with scarce training samples.
We present an efficient pretrain-transfer framework (PTF) baseline that adds no extra computational cost.
We also propose an adaptive length re-scaling (ALR) strategy to alleviate the vector length inconsistency between the predicted novel weights and the pretrained base weights.
arXiv Detail & Related papers (2022-03-23T06:24:31Z)
- Boosting Fast Adversarial Training with Learnable Adversarial Initialization [79.90495058040537]
Adversarial training (AT) has been demonstrated to be effective in improving model robustness by leveraging adversarial examples for training.
To boost training efficiency, fast gradient sign method (FGSM) is adopted in fast AT methods by calculating gradient only once.
arXiv Detail & Related papers (2021-10-11T05:37:00Z)
- Training Sparse Neural Networks using Compressed Sensing [13.84396596420605]
We develop and test a novel method based on compressed sensing which combines the pruning and training into a single step.
Specifically, we utilize an adaptively weighted $\ell_1$ penalty on the weights during training, which we combine with a generalization of the regularized dual averaging (RDA) algorithm in order to train sparse neural networks.
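A generic adaptively reweighted $\ell_1$ penalty, in the spirit of classic reweighted compressed sensing, might look like the sketch below; the cited paper's actual RDA-based update is not reproduced here.

```python
import torch

def reweighted_l1_penalty(params, weights, lam=1e-4):
    # Adaptively weighted l1 penalty: lam * sum_i w_i * |theta_i|.
    return lam * sum((w * p.abs()).sum() for p, w in zip(params, weights))

def update_weights(params, eps=1e-3):
    # Classic reweighting: small weights where |theta_i| is large, so that
    # small-magnitude entries are pushed harder toward zero.
    return [1.0 / (p.detach().abs() + eps) for p in params]
```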
arXiv Detail & Related papers (2020-08-21T19:35:54Z)
- Fast is better than free: Revisiting adversarial training [86.11788847990783]
We show that it is possible to train empirically robust models using a much weaker and cheaper adversary.
We identify a failure mode referred to as "catastrophic overfitting" which may have caused previous attempts to use FGSM adversarial training to fail.
arXiv Detail & Related papers (2020-01-12T20:30:22Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of the information presented and is not responsible for any consequences of its use.