AROID: Improving Adversarial Robustness Through Online Instance-Wise Data Augmentation

TL;DR

This paper introduces AROID, an automated online data augmentation method tailored for adversarial training, significantly enhancing robustness and efficiency in defending neural networks against adversarial attacks.

Contribution

AROID is the first automated, instance-wise data augmentation approach specifically designed for improving adversarial robustness, reducing policy search time dramatically.

Findings

Outperforms all competitive DA methods across various models and datasets.

Surpasses several state-of-the-art adversarial training methods in accuracy and robustness.

Can be combined with advanced AT methods for further robustness gains.

Abstract

Deep neural networks are vulnerable to adversarial examples. Adversarial training (AT) is an effective defense against adversarial examples. However, AT is prone to overfitting which degrades robustness substantially. Recently, data augmentation (DA) was shown to be effective in mitigating robust overfitting if appropriately designed and optimized for AT. This work proposes a new method to automatically learn online, instance-wise, DA policies to improve robust generalization for AT. This is the first automated DA method specific for robustness. A novel policy learning objective, consisting of Vulnerability, Affinity and Diversity, is proposed and shown to be sufficiently effective and efficient to be practical for automatic DA generation during AT. Importantly, our method dramatically reduces the cost of policy search from the 5000 hours of AutoAugment and the 412 hours of IDBH to 9 hours, making automated DA more practical to use for adversarial robustness. This allows our method to efficiently explore a large search space for a more effective DA policy and evolve the policy as training progresses. Empirically, our method is shown to outperform all competitive DA methods across various model architectures and datasets. Our DA policy reinforced vanilla AT to surpass several state-of-the-art AT methods regarding both accuracy and robustness. It can also be combined with those advanced AT methods to further boost robustness. Code and pre-trained models are available at https://github.com/TreeLLi/AROID.