Focus on Hiders: Exploring Hidden Threats for Enhancing Adversarial Training

TL;DR

This paper introduces Hider-Focused Adversarial Training (HFAT), a novel method that identifies and mitigates hidden high-risk samples called 'hiders' to improve model robustness and accuracy against adversarial attacks.

Contribution

The paper proposes a new adversarial training algorithm that detects and prevents hiders, addressing limitations of traditional min-max approaches by integrating an auxiliary model and adaptive weighting.

Findings

HFAT achieves higher robustness against adversarial attacks.

HFAT improves accuracy on defended models.

The method effectively identifies and mitigates hidden high-risk samples.

Abstract

Adversarial training is often formulated as a min-max problem, however, concentrating only on the worst adversarial examples causes alternating repetitive confusion of the model, i.e., previously defended or correctly classified samples are not defensible or accurately classifiable in subsequent adversarial training. We characterize such non-ignorable samples as "hiders", which reveal the hidden high-risk regions within the secure area obtained through adversarial training and prevent the model from finding the real worst cases. We demand the model to prevent hiders when defending against adversarial examples for improving accuracy and robustness simultaneously. By rethinking and redefining the min-max optimization problem for adversarial training, we propose a generalized adversarial training algorithm called Hider-Focused Adversarial Training (HFAT). HFAT introduces the iterative evolution optimization strategy to simplify the optimization problem and employs an auxiliary model to reveal hiders, effectively combining the optimization directions of standard adversarial training and prevention hiders. Furthermore, we introduce an adaptive weighting mechanism that facilitates the model in adaptively adjusting its focus between adversarial examples and hiders during different training periods. We demonstrate the effectiveness of our method based on extensive experiments, and ensure that HFAT can provide higher robustness and accuracy.