Noisy Adversarial Training

29 Sept 2021 (modified: 13 Feb 2023)
ICLR 2022 Conference Withdrawn Submission
Readers: Everyone
Keywords: Adversarial Training, Adversarial, Adversarial Defence, Decision Space
Abstract: In image classification, data augmentation and the use of additional data have been shown to increase the efficiency of clean training and the accuracy of the resulting model. However, this does not prevent models from being fooled by adversarial manipulations. To increase robustness, Adversarial Training (AT) is an easy yet effective and widely used method to harden neural networks against adversarial inputs. Still, AT is computationally expensive, and it is inefficient in that only one adversarial input per sample of the current batch is created. We propose Noisy Adversarial Training (N-AT), which, for the first time, combines data augmentation in the decision space with adversarial training. By adding random noise to the original adversarial output vector, we create multiple pseudo-adversarial instances, thus increasing the data pool for adversarial training. We show that this general idea is applicable to two different learning paradigms, i.e., supervised and self-supervised learning. Using N-AT instead of AT, we achieve a relative increase in robustness of 1.06% for small seen attacks. For larger seen attacks, the relative gain in robustness increases up to 89.26%. When combining a larger corpus of input data with our proposed method, we report an increase in accuracy, compared to AT, both on clean data and for all observed attacks. In self-supervised training, we observe a similar increase in robust accuracy for seen attacks and large unseen attacks on the downstream task of image classification. In addition, when the pretrained model is finetuned, we also report a relative gain in clean accuracy between 0.5% and 1.11%.
One-sentence Summary: Increasing the efficiency of adversarial training by data augmentation in the decision space
Supplementary Material: zip