Masking and Mixing Adversarial Training

TL;DR

This paper introduces M2AT, a novel adversarial training method that enhances CNN robustness against attacks while maintaining higher accuracy on standard samples by creating diverse adversarial examples through masking and mixing.

Contribution

The paper proposes Masking and Mixing Adversarial Training (M2AT), a new approach that improves robustness without sacrificing accuracy by generating diverse adversarial examples during training.

Findings

M2AT outperforms previous methods in robustness against adversarial attacks.

M2AT maintains higher accuracy on standard samples.

Experimental results on CIFAR-10 validate effectiveness.

Abstract

While convolutional neural networks (CNNs) have achieved excellent performances in various computer vision tasks, they often misclassify with malicious samples, a.k.a. adversarial examples. Adversarial training is a popular and straightforward technique to defend against the threat of adversarial examples. Unfortunately, CNNs must sacrifice the accuracy of standard samples to improve robustness against adversarial examples when adversarial training is used. In this work, we propose Masking and Mixing Adversarial Training (M2AT) to mitigate the trade-off between accuracy and robustness. We focus on creating diverse adversarial examples during training. Specifically, our approach consists of two processes: 1) masking a perturbation with a binary mask and 2) mixing two partially perturbed images. Experimental results on CIFAR-10 dataset demonstrate that our method achieves better robustness against several adversarial attacks than previous methods.