Curriculum Adversarial Training
Qi-Zhi Cai, Min Du, Chang Liu, Dawn Song

TL;DR
This paper introduces curriculum adversarial training (CAT), a novel method that improves robustness of deep learning models against adversarial examples on complex datasets like CIFAR-10 and SVHN, while maintaining performance on normal inputs.
Contribution
The paper proposes curriculum adversarial training (CAT), which trains on a curriculum of adversarial examples generated by attacks with a wide range of strengths, and adds two techniques to mitigate the forgetting and generalization issues, significantly enhancing robustness.
Findings
Improves empirical worst-case accuracy by 25% on CIFAR-10
Enhances robustness by 35% on SVHN
Maintains comparable performance on non-adversarial inputs
Abstract
Recently, deep learning has been applied to many security-sensitive applications, such as facial authentication. The existence of adversarial examples hinders such applications. The state-of-the-art result on defense shows that adversarial training can be applied to train a robust model on MNIST against adversarial examples; but it fails to achieve a high empirical worst-case accuracy on a more complex task, such as CIFAR-10 and SVHN. In our work, we propose curriculum adversarial training (CAT) to resolve this issue. The basic idea is to develop a curriculum of adversarial examples generated by attacks with a wide range of strengths. With two techniques to mitigate the forgetting and the generalization issues, we demonstrate that CAT can improve the prior art's empirical worst-case accuracy by a large margin of 25% on CIFAR-10 and 35% on SVHN. At the same, the model's performance on…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications · Domain Adaptation and Few-Shot Learning
