Fixing Data Augmentation to Improve Adversarial Robustness

TL;DR

This paper improves adversarial robustness by combining data augmentation with model weight averaging and leveraging generative models, achieving significant accuracy gains on CIFAR-10 without external data.

Contribution

It demonstrates that data augmentation, when combined with weight averaging, enhances adversarial robustness, and introduces the use of generative models to further improve performance.

Findings

Robust accuracy improved by +7.06% and +5.88% on CIFAR-10.

Achieved 64.20% robust accuracy against $ ext{l}_ ext{infty}$ perturbations without external data.

Data augmentation with generative models significantly boosts adversarial robustness.

Abstract

Adversarial training suffers from robust overfitting, a phenomenon where the robust test accuracy starts to decrease during training. In this paper, we focus on both heuristics-driven and data-driven augmentations as a means to reduce robust overfitting. First, we demonstrate that, contrary to previous findings, when combined with model weight averaging, data augmentation can significantly boost robust accuracy. Second, we explore how state-of-the-art generative models can be leveraged to artificially increase the size of the training set and further improve adversarial robustness. Finally, we evaluate our approach on CIFAR-10 against $\ell_\infty$ and $\ell_2$ norm-bounded perturbations of size $\epsilon = 8/255$ and $\epsilon = 128/255$, respectively. We show large absolute improvements of +7.06% and +5.88% in robust accuracy compared to previous state-of-the-art methods. In particular, against $\ell_\infty$ norm-bounded perturbations of size $\epsilon = 8/255$, our model reaches 64.20% robust accuracy without using any external data, beating most prior works that use external data.