Self-Progressing Robust Training

TL;DR

SPROUT introduces a scalable, attack-independent robust training framework that progressively adjusts label smoothing during training, outperforming traditional adversarial methods in robustness and scalability.

Contribution

The paper proposes SPROUT, a novel self-progressing robust training method that eliminates attack generation and improves scalability while maintaining high robustness.

Findings

SPROUT outperforms PGD-l_inf and TRADES in robustness tests.

SPROUT is more scalable to large neural networks.

SPROUT achieves superior robustness without explicit attack generation.

Abstract

Enhancing model robustness under new and even adversarial environments is a crucial milestone toward building trustworthy machine learning systems. Current robust training methods such as adversarial training explicitly uses an "attack" (e.g., $\ell_{\infty}$-norm bounded perturbation) to generate adversarial examples during model training for improving adversarial robustness. In this paper, we take a different perspective and propose a new framework called SPROUT, self-progressing robust training. During model training, SPROUT progressively adjusts training label distribution via our proposed parametrized label smoothing technique, making training free of attack generation and more scalable. We also motivate SPROUT using a general formulation based on vicinity risk minimization, which includes many robust training methods as special cases. Compared with state-of-the-art adversarial training methods (PGD-l_inf and TRADES) under l_inf-norm bounded attacks and various invariance tests, SPROUT consistently attains superior performance and is more scalable to large neural networks. Our results shed new light on scalable, effective and attack-independent robust training methods.