Boundary Adversarial Examples Against Adversarial Overfitting

TL;DR

This paper investigates the causes of robust overfitting in adversarial training, evaluates mitigation strategies, and introduces helper adversarial examples to improve clean accuracy without sacrificing robustness.

Contribution

It provides insights into robust overfitting, assesses existing mitigation methods, and proposes a novel approach using helper adversarial examples to enhance adversarial training.

Findings

Mitigation strategies can reduce overfitting but often lower clean accuracy.

Helper adversarial examples improve clean accuracy without harming robustness.

Mitigation approaches are potentially complementary when combined with helper examples.

Abstract

Standard adversarial training approaches suffer from robust overfitting where the robust accuracy decreases when models are adversarially trained for too long. The origin of this problem is still unclear and conflicting explanations have been reported, i.e., memorization effects induced by large loss data or because of small loss data and growing differences in loss distribution of training samples as the adversarial training progresses. Consequently, several mitigation approaches including early stopping, temporal ensembling and weight perturbations on small loss data have been proposed to mitigate the effect of robust overfitting. However, a side effect of these strategies is a larger reduction in clean accuracy compared to standard adversarial training. In this paper, we investigate if these mitigation approaches are complimentary to each other in improving adversarial training performance. We further propose the use of helper adversarial examples that can be obtained with minimal cost in the adversarial example generation, and show how they increase the clean accuracy in the existing approaches without compromising the robust accuracy.