Attacks Which Do Not Kill Training Make Adversarial Learning Stronger

TL;DR

This paper introduces friendly adversarial training (FAT), a novel method that improves adversarial robustness without sacrificing natural generalization by using less adversarial data through early stopping of PGD.

Contribution

The paper proposes FAT, a new adversarial training approach that employs less adversarial data, justified theoretically and validated empirically, challenging the trade-off between robustness and generalization.

Findings

FAT achieves robustness without harming natural accuracy.

Early-stopped PGD simplifies adversarial data generation.

Theoretical bounds support FAT's effectiveness.

Abstract

Adversarial training based on the minimax formulation is necessary for obtaining adversarial robustness of trained models. However, it is conservative or even pessimistic so that it sometimes hurts the natural generalization. In this paper, we raise a fundamental question---do we have to trade off natural generalization for adversarial robustness? We argue that adversarial training is to employ confident adversarial data for updating the current model. We propose a novel approach of friendly adversarial training (FAT): rather than employing most adversarial data maximizing the loss, we search for least adversarial (i.e., friendly adversarial) data minimizing the loss, among the adversarial data that are confidently misclassified. Our novel formulation is easy to implement by just stopping the most adversarial data searching algorithms such as PGD (projected gradient descent) early, which we call early-stopped PGD. Theoretically, FAT is justified by an upper bound of the adversarial risk. Empirically, early-stopped PGD allows us to answer the earlier question negatively---adversarial robustness can indeed be achieved without compromising the natural generalization.