Robust Alignment: Harmonizing Clean Accuracy and Adversarial Robustness in Adversarial Training

TL;DR

This paper introduces Robust Alignment, a novel adversarial training approach that improves the balance between clean accuracy and adversarial robustness by aligning input and latent spaces.

Contribution

It proposes a new training target and two techniques—fixed perturbation intensity and DICAR—to harmonize accuracy and robustness in adversarial training.

Findings

RAAT outperforms four baselines and 14 SOTA methods in accuracy-robustness trade-off.

The method improves robustness on CIFAR-10, CIFAR-100, and Tiny-ImageNet datasets.

Experimental results confirm the effectiveness of the proposed approach.

Abstract

Adversarial Training (AT) is one of the most effective methods for developing robust deep neural networks (DNNs). However, AT faces a trade-off problem between clean accuracy and adversarial robustness. In this work, we reveal a surprising phenomenon for the first time: Varying input perturbation intensities for training samples near decision boundaries in AT have minimal impact on model robustness. This finding directly exposes the inconsistency between accuracy and robustness score fluctuations, leading us to identify the misalignment between input and latent spaces as a critical driver of the robustness-accuracy trade-off. To mitigate this misalignment for harmonizing accuracy and robustness, we define Robust Alignment as a new AT target, encouraging the model perception to change with input perturbations provided the final label prediction remains unchanged, which can be achieved via two novel ideas. First, we suggest a reduced and fixed perturbation intensity for those boundary samples, which facilitates the model to utilize the perturbations as learnable patterns, instead of noises that complicate decision boundaries meaninglessly. Second, we propose a Domain Interpolation Consistency Adversarial Regularization (DICAR), based on rigorous theoretical derivations, which explicitly introduces semantic alignment between input and latent spaces into AT. Based on these two ideas, we end up with a new Robust Alignment Adversarial Training (RAAT) method, effectively harmonizing accuracy and robustness. Extensive experiments on CIFAR-10, CIFAR-100, and Tiny-ImageNet with ResNet-18, PreActResNet-18, and WideResNet-28-10 demonstrate the effectiveness of RAAT in improving the trade-off beyond four common baselines and a total of 14 related state-of-the-art (SOTA) works.