Revisiting Adversarial Training under Long-Tailed Distributions

TL;DR

This paper investigates adversarial training on long-tailed datasets, revealing that Balanced Softmax Loss and data augmentation together enhance robustness and reduce training overhead, addressing robust overfitting issues.

Contribution

It demonstrates that Balanced Softmax Loss alone is effective and that data augmentation significantly improves adversarial robustness under long-tailed distributions.

Findings

Balanced Softmax Loss matches RoBal performance with less overhead

Data augmentation alleviates robust overfitting and boosts robustness

Combined BSL and data augmentation improve AutoAttack robustness by 6.66% on CIFAR-10-LT

Abstract

Deep neural networks are vulnerable to adversarial attacks, often leading to erroneous outputs. Adversarial training has been recognized as one of the most effective methods to counter such attacks. However, existing adversarial training techniques have predominantly been tested on balanced datasets, whereas real-world data often exhibit a long-tailed distribution, casting doubt on the efficacy of these methods in practical scenarios. In this paper, we delve into adversarial training under long-tailed distributions. Through an analysis of the previous work "RoBal", we discover that utilizing Balanced Softmax Loss alone can achieve performance comparable to the complete RoBal approach while significantly reducing training overheads. Additionally, we reveal that, similar to uniform distributions, adversarial training under long-tailed distributions also suffers from robust overfitting. To address this, we explore data augmentation as a solution and unexpectedly discover that, unlike results obtained with balanced data, data augmentation not only effectively alleviates robust overfitting but also significantly improves robustness. We further investigate the reasons behind the improvement of robustness through data augmentation and identify that it is attributable to the increased diversity of examples. Extensive experiments further corroborate that data augmentation alone can significantly improve robustness. Finally, building on these findings, we demonstrate that compared to RoBal, the combination of BSL and data augmentation leads to a +6.66% improvement in model robustness under AutoAttack on CIFAR-10-LT. Our code is available at https://github.com/NISPLab/AT-BSL .