Adversarial Examples Improve Image Recognition

TL;DR

This paper introduces AdvProp, a novel adversarial training method that uses adversarial examples to enhance image recognition models by preventing overfitting and achieving state-of-the-art results on ImageNet.

Contribution

AdvProp is the first adversarial training scheme that treats adversarial examples as additional data with separate batch normalization, improving model accuracy and robustness.

Findings

AdvProp improves various models on multiple image recognition benchmarks.

Applying AdvProp to EfficientNet-B7 yields significant accuracy gains.

Enhanced EfficientNet-B8 achieves 85.5% top-1 accuracy on ImageNet, surpassing larger models.

Abstract

Adversarial examples are commonly viewed as a threat to ConvNets. Here we present an opposite perspective: adversarial examples can be used to improve image recognition models if harnessed in the right manner. We propose AdvProp, an enhanced adversarial training scheme which treats adversarial examples as additional examples, to prevent overfitting. Key to our method is the usage of a separate auxiliary batch norm for adversarial examples, as they have different underlying distributions to normal examples. We show that AdvProp improves a wide range of models on various image recognition tasks and performs better when the models are bigger. For instance, by applying AdvProp to the latest EfficientNet-B7 [28] on ImageNet, we achieve significant improvements on ImageNet (+0.7%), ImageNet-C (+6.5%), ImageNet-A (+7.0%), Stylized-ImageNet (+4.8%). With an enhanced EfficientNet-B8, our method achieves the state-of-the-art 85.5% ImageNet top-1 accuracy without extra data. This result even surpasses the best model in [20] which is trained with 3.5B Instagram images (~3000X more than ImageNet) and ~9.4X more parameters. Models are available at https://github.com/tensorflow/tpu/tree/master/models/official/efficientnet.