Subspace Adversarial Training

TL;DR

This paper introduces Subspace Adversarial Training (Sub-AT), a novel method that constrains adversarial training within a carefully extracted subspace to prevent overfitting and significantly improve robustness against strong attacks.

Contribution

The paper proposes a new adversarial training approach, Sub-AT, which controls gradient growth by constraining training in a subspace, effectively resolving overfitting and boosting robustness.

Findings

Achieves over 51% robust accuracy against PGD-50 attack on CIFAR-10.

Effectively prevents catastrophic overfitting in single-step adversarial training.

Provides state-of-the-art robustness with computational efficiency.

Abstract

Single-step adversarial training (AT) has received wide attention as it proved to be both efficient and robust. However, a serious problem of catastrophic overfitting exists, i.e., the robust accuracy against projected gradient descent (PGD) attack suddenly drops to 0% during the training. In this paper, we approach this problem from a novel perspective of optimization and firstly reveal the close link between the fast-growing gradient of each sample and overfitting, which can also be applied to understand robust overfitting in multi-step AT. To control the growth of the gradient, we propose a new AT method, Subspace Adversarial Training (Sub-AT), which constrains AT in a carefully extracted subspace. It successfully resolves both kinds of overfitting and significantly boosts the robustness. In subspace, we also allow single-step AT with larger steps and larger radius, further improving the robustness performance. As a result, we achieve state-of-the-art single-step AT performance. Without any regularization term, our single-step AT can reach over 51% robust accuracy against strong PGD-50 attack of radius 8/255 on CIFAR-10, reaching a competitive performance against standard multi-step PGD-10 AT with huge computational advantages. The code is released at https://github.com/nblt/Sub-AT.