Improving Accuracy-robustness Trade-off via Pixel Reweighted Adversarial Training

TL;DR

This paper introduces Pixel-reweighted Adversarial Training (PART), a novel approach that allocates different perturbation budgets to pixel regions based on their importance, improving accuracy and robustness in adversarial training.

Contribution

The paper proposes a new pixel-reweighted adversarial training framework that emphasizes key regions, enhancing model accuracy without sacrificing robustness.

Findings

PART improves accuracy on CIFAR-10, SVHN, and TinyImagenet-200.

It maintains robustness while increasing accuracy.

Pixel importance guides perturbation allocation effectively.

Abstract

Adversarial training (AT) trains models using adversarial examples (AEs), which are natural images modified with specific perturbations to mislead the model. These perturbations are constrained by a predefined perturbation budget $\epsilon$ and are equally applied to each pixel within an image. However, in this paper, we discover that not all pixels contribute equally to the accuracy on AEs (i.e., robustness) and accuracy on natural images (i.e., accuracy). Motivated by this finding, we propose Pixel-reweighted AdveRsarial Training (PART), a new framework that partially reduces $\epsilon$ for less influential pixels, guiding the model to focus more on key regions that affect its outputs. Specifically, we first use class activation mapping (CAM) methods to identify important pixel regions, then we keep the perturbation budget for these regions while lowering it for the remaining regions when generating AEs. In the end, we use these pixel-reweighted AEs to train a model. PART achieves a notable improvement in accuracy without compromising robustness on CIFAR-10, SVHN and TinyImagenet-200, justifying the necessity to allocate distinct weights to different pixel regions in robust classification.