Probabilistic Margins for Instance Reweighting in Adversarial Training

TL;DR

This paper introduces probabilistic margins as continuous, path-independent measures for reweighting adversarial data, leading to improved robustness in adversarial training.

Contribution

It proposes three novel probabilistic margins for data reweighting that are more reliable and effective than existing methods.

Findings

PM-based reweighting outperforms state-of-the-art methods

PMs are reliable and correlate with data safety

Experiments validate the effectiveness of the proposed approach

Abstract

Reweighting adversarial data during training has been recently shown to improve adversarial robustness, where data closer to the current decision boundaries are regarded as more critical and given larger weights. However, existing methods measuring the closeness are not very reliable: they are discrete and can take only a few values, and they are path-dependent, i.e., they may change given the same start and end points with different attack paths. In this paper, we propose three types of probabilistic margin (PM), which are continuous and path-independent, for measuring the aforementioned closeness and reweighting adversarial data. Specifically, a PM is defined as the difference between two estimated class-posterior probabilities, e.g., such the probability of the true label minus the probability of the most confusing label given some natural data. Though different PMs capture different geometric properties, all three PMs share a negative correlation with the vulnerability of data: data with larger/smaller PMs are safer/riskier and should have smaller/larger weights. Experiments demonstrate that PMs are reliable measurements and PM-based reweighting methods outperform state-of-the-art methods.