Towards Understanding Fast Adversarial Training

TL;DR

This paper investigates the mechanisms behind fast adversarial training, revealing how it recovers from overfitting to weak attacks, and proposes improvements that enhance robustness while significantly reducing training time.

Contribution

The paper provides a detailed analysis of fast adversarial training's behavior and introduces enhancements that outperform traditional methods in robustness and efficiency.

Findings

Fast adversarial training can recover from overfitting to weak attacks.

Improved methods achieve higher robust accuracy than strong adversarial training.

Training time is significantly reduced with the proposed improvements.

Abstract

Current neural-network-based classifiers are susceptible to adversarial examples. The most empirically successful approach to defending against such adversarial examples is adversarial training, which incorporates a strong self-attack during training to enhance its robustness. This approach, however, is computationally expensive and hence is hard to scale up. A recent work, called fast adversarial training, has shown that it is possible to markedly reduce computation time without sacrificing significant performance. This approach incorporates simple self-attacks, yet it can only run for a limited number of training epochs, resulting in sub-optimal performance. In this paper, we conduct experiments to understand the behavior of fast adversarial training and show the key to its success is the ability to recover from overfitting to weak attacks. We then extend our findings to improve fast adversarial training, demonstrating superior robust accuracy to strong adversarial training, with much-reduced training time.