Revisiting and Improving FGSM Adversarial Training

22 Sept 2022 (modified: 13 Feb 2023), ICLR 2023 Conference Withdrawn Submission, Readers: Everyone
Keywords: Small-scale features, FGSM adversarial training, Catastrophic overfitting
Abstract: FGSM adversarial training often fails to obtain a robust model, and the derived model often suffers from catastrophic overfitting, e.g., it is difficult to resist PGD attacks. In this paper, we find that the FGSM adversarial training model tends to rely on small-scale features, such as detail features and high-frequency features whose semantics are difficult for humans to recognize, while PGD adversarial training can effectively regularize the model's utilization of small-scale features. We discuss how excessive use of small-scale features increases the local non-linearity of the model, making it difficult for the FGSM attack to generalize to the PGD attack. To address this issue, we propose to adjust the training set data, including removing small-scale features in the sample and adding random noise in the direction of small-scale features, so as to prevent the model from over-exploiting the small-scale features. Standard FGSM adversarial training on the adjusted training set is expected to circumvent the catastrophic overfitting problem. Experiments on real data validate the effectiveness of our method, and FGSM adversarially trained models on CIFAR-10 and CIFAR-100 achieve robustness comparable to PGD adversarial training.
Please Choose The Closest Area That Your Submission Falls Into: Social Aspects of Machine Learning (eg, AI safety, fairness, privacy, interpretability, human-AI interaction, ethics)