Revisiting Adversarial Robustness Distillation: Robust Soft Labels Make Student Better

TL;DR

This paper introduces RSLAD, a novel method that uses robust soft labels from large adversarially trained models to significantly improve the robustness of small neural networks against adversarial attacks.

Contribution

The paper proposes RSLAD, a new adversarial robustness distillation technique leveraging robust soft labels to enhance small model robustness, outperforming existing methods.

Findings

RSLAD improves small model robustness against state-of-the-art attacks.

Robust soft labels are crucial for effective adversarial robustness distillation.

RSLAD outperforms existing adversarial training and distillation methods.

Abstract

Adversarial training is one effective approach for training robust deep neural networks against adversarial attacks. While being able to bring reliable robustness, adversarial training (AT) methods in general favor high capacity models, i.e., the larger the model the better the robustness. This tends to limit their effectiveness on small models, which are more preferable in scenarios where storage or computing resources are very limited (e.g., mobile devices). In this paper, we leverage the concept of knowledge distillation to improve the robustness of small models by distilling from adversarially trained large models. We first revisit several state-of-the-art AT methods from a distillation perspective and identify one common technique that can lead to improved robustness: the use of robust soft labels -- predictions of a robust model. Following this observation, we propose a novel adversarial robustness distillation method called Robust Soft Label Adversarial Distillation (RSLAD) to train robust small student models. RSLAD fully exploits the robust soft labels produced by a robust (adversarially-trained) large teacher model to guide the student's learning on both natural and adversarial examples in all loss terms. We empirically demonstrate the effectiveness of our RSLAD approach over existing adversarial training and distillation methods in improving the robustness of small models against state-of-the-art attacks including the AutoAttack. We also provide a set of understandings on our RSLAD and the importance of robust soft labels for adversarial robustness distillation.