Preventing Catastrophic Overfitting in Fast Adversarial Training: A Bi-level Optimization Perspective

TL;DR

This paper introduces FGSM-PCO, a novel fast adversarial training method that prevents catastrophic overfitting by using historical adversarial examples and an adaptive fusion mechanism, improving robustness on complex tasks.

Contribution

The paper proposes FGSM-PCO, a new FAT approach that mitigates overfitting by incorporating historical AEs and adaptive mechanisms within a bi-level optimization framework.

Findings

FGSM-PCO effectively prevents catastrophic overfitting.

It improves robustness across multiple models and datasets.

Empirical results outperform existing FAT algorithms.

Abstract

Adversarial training (AT) has become an effective defense method against adversarial examples (AEs) and it is typically framed as a bi-level optimization problem. Among various AT methods, fast AT (FAT), which employs a single-step attack strategy to guide the training process, can achieve good robustness against adversarial attacks at a low cost. However, FAT methods suffer from the catastrophic overfitting problem, especially on complex tasks or with large-parameter models. In this work, we propose a FAT method termed FGSM-PCO, which mitigates catastrophic overfitting by averting the collapse of the inner optimization problem in the bi-level optimization process. FGSM-PCO generates current-stage AEs from the historical AEs and incorporates them into the training process using an adaptive mechanism. This mechanism determines an appropriate fusion ratio according to the performance of the AEs on the training model. Coupled with a loss function tailored to the training framework, FGSM-PCO can alleviate catastrophic overfitting and help the recovery of an overfitted model to effective training. We evaluate our algorithm across three models and three datasets to validate its effectiveness. Comparative empirical studies against other FAT algorithms demonstrate that our proposed method effectively addresses unresolved overfitting issues in existing algorithms.