Toward Few-step Adversarial Training from a Frequency Perspective

TL;DR

This paper introduces Spectral Projected Gradient Descent (SPGD), a frequency domain extension of PGD, which improves early attack success and adversarial training efficiency, and analyzes its properties and effects on perturbation characteristics.

Contribution

The paper extends PGD to the frequency domain with SPGD, demonstrating improved early attack success and training efficiency, and provides theoretical analysis linking SPGD to a PGD variant.

Findings

SPGD outperforms PGD in early attack success rate.

Adversarial training with SPGD yields higher robustness with fewer steps.

SPGD perturbations involve both high and low-frequency components.

Abstract

We investigate adversarial-sample generation methods from a frequency domain perspective and extend standard $l_{\infty}$ Projected Gradient Descent (PGD) to the frequency domain. The resulting method, which we call Spectral Projected Gradient Descent (SPGD), has better success rate compared to PGD during early steps of the method. Adversarially training models using SPGD achieves greater adversarial accuracy compared to PGD when holding the number of attack steps constant. The use of SPGD can, therefore, reduce the overhead of adversarial training when utilizing adversarial generation with a smaller number of steps. However, we also prove that SPGD is equivalent to a variant of the PGD ordinarily used for the $l_{\infty}$ threat model. This PGD variant omits the sign function which is ordinarily applied to the gradient. SPGD can, therefore, be performed without explicitly transforming into the frequency domain. Finally, we visualize the perturbations SPGD generates and find they use both high and low-frequency components, which suggests that removing either high-frequency components or low-frequency components is not an effective defense.