Robust Local Features for Improving the Generalization of Adversarial Training

TL;DR

This paper introduces a novel method called RLFAT that enhances adversarial training by focusing on robust local features, significantly improving generalization to unseen data and aligning model perception with humans.

Contribution

The paper proposes RLFAT, a new approach that leverages robust local features through RBS transformation to improve adversarial training's generalization capabilities.

Findings

RLFAT improves adversarially robust and standard generalization on multiple datasets.

Models trained with RLFAT capture more local features aligned with human perception.

RLFAT enhances robustness against adversarial examples across state-of-the-art frameworks.

Abstract

Adversarial training has been demonstrated as one of the most effective methods for training robust models to defend against adversarial examples. However, adversarially trained models often lack adversarially robust generalization on unseen testing data. Recent works show that adversarially trained models are more biased towards global structure features. Instead, in this work, we would like to investigate the relationship between the generalization of adversarial training and the robust local features, as the robust local features generalize well for unseen shape variation. To learn the robust local features, we develop a Random Block Shuffle (RBS) transformation to break up the global structure features on normal adversarial examples. We continue to propose a new approach called Robust Local Features for Adversarial Training (RLFAT), which first learns the robust local features by adversarial training on the RBS-transformed adversarial examples, and then transfers the robust local features into the training of normal adversarial examples. To demonstrate the generality of our argument, we implement RLFAT in currently state-of-the-art adversarial training frameworks. Extensive experiments on STL-10, CIFAR-10 and CIFAR-100 show that RLFAT significantly improves both the adversarially robust generalization and the standard generalization of adversarial training. Additionally, we demonstrate that our models capture more local features of the object on the images, aligning better with human perception.