On the Convergence and Robustness of Adversarial Training

TL;DR

This paper introduces a new criterion, FOSC, to evaluate the convergence of adversarial examples in training, and proposes a dynamic strategy that improves neural network robustness by adjusting adversarial example quality over training stages.

Contribution

It proposes FOSC as a novel measure for convergence quality in adversarial training and develops a dynamic training method that enhances robustness by controlling adversarial example quality.

Findings

FOSC effectively measures convergence quality of adversarial examples.

Using higher-quality adversarial examples later in training improves robustness.

The proposed dynamic strategy outperforms static approaches in robustness metrics.

Abstract

Improving the robustness of deep neural networks (DNNs) to adversarial examples is an important yet challenging problem for secure deep learning. Across existing defense techniques, adversarial training with Projected Gradient Decent (PGD) is amongst the most effective. Adversarial training solves a min-max optimization problem, with the \textit{inner maximization} generating adversarial examples by maximizing the classification loss, and the \textit{outer minimization} finding model parameters by minimizing the loss on adversarial examples generated from the inner maximization. A criterion that measures how well the inner maximization is solved is therefore crucial for adversarial training. In this paper, we propose such a criterion, namely First-Order Stationary Condition for constrained optimization (FOSC), to quantitatively evaluate the convergence quality of adversarial examples found in the inner maximization. With FOSC, we find that to ensure better robustness, it is essential to use adversarial examples with better convergence quality at the \textit{later stages} of training. Yet at the early stages, high convergence quality adversarial examples are not necessary and may even lead to poor robustness. Based on these observations, we propose a \textit{dynamic} training strategy to gradually increase the convergence quality of the generated adversarial examples, which significantly improves the robustness of adversarial training. Our theoretical and empirical results show the effectiveness of the proposed method.