Strength-Adaptive Adversarial Training

TL;DR

Strength-Adaptive Adversarial Training (SAAT) dynamically adjusts attack strength during training, improving robustness and balancing natural accuracy and robustness better than fixed-budget methods.

Contribution

SAAT introduces an adaptive perturbation mechanism based on adversarial loss constraints, addressing robustness disparity and overfitting issues in traditional adversarial training.

Findings

SAAT enhances adversarial robustness across various models.

SAAT effectively balances natural accuracy and robustness.

SAAT reduces robust overfitting in adversarial training.

Abstract

Adversarial training (AT) is proved to reliably improve network's robustness against adversarial data. However, current AT with a pre-specified perturbation budget has limitations in learning a robust network. Firstly, applying a pre-specified perturbation budget on networks of various model capacities will yield divergent degree of robustness disparity between natural and robust accuracies, which deviates from robust network's desideratum. Secondly, the attack strength of adversarial training data constrained by the pre-specified perturbation budget fails to upgrade as the growth of network robustness, which leads to robust overfitting and further degrades the adversarial robustness. To overcome these limitations, we propose \emph{Strength-Adaptive Adversarial Training} (SAAT). Specifically, the adversary employs an adversarial loss constraint to generate adversarial training data. Under this constraint, the perturbation budget will be adaptively adjusted according to the training state of adversarial data, which can effectively avoid robust overfitting. Besides, SAAT explicitly constrains the attack strength of training data through the adversarial loss, which manipulates model capacity scheduling during training, and thereby can flexibly control the degree of robustness disparity and adjust the tradeoff between natural accuracy and robustness. Extensive experiments show that our proposal boosts the robustness of adversarial training.