Paper title
Make Some Noise: Reliable and Efficient Single-Step Adversarial Training
Paper authors
Abstract
Recently, Wong et al. showed that adversarial training with single-step FGSM leads to a characteristic failure mode named Catastrophic Overfitting (CO), in which a model becomes suddenly vulnerable to multi-step attacks. Experimentally, they showed that simply adding a random perturbation prior to FGSM (RS-FGSM) could prevent CO. However, Andriushchenko and Flammarion observed that RS-FGSM still leads to CO for larger perturbations, and proposed a computationally expensive regularizer (GradAlign) to avoid it. In this work, we methodically revisit the role of noise and clipping in single-step adversarial training. Contrary to previous intuitions, we find that using a stronger noise around the clean sample combined with not clipping is highly effective in avoiding CO for large perturbation radii. We then propose Noise-FGSM (N-FGSM) that, while providing the benefits of single-step adversarial training, does not suffer from CO. Empirical analyses on a large suite of experiments show that N-FGSM is able to match or surpass the performance of previous state-of-the-art GradAlign, while achieving 3x speed-up. Code can be found at https://github.com/pdejorge/N-FGSM
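The difference between the two perturbation rules the abstract contrasts, as an added sketch that is not taken from the paper's repository: RS-FGSM clips the perturbation back to the epsilon-ball, while N-FGSM draws stronger noise and does not clip. The toy logistic model, the sample, and the settings (noise factor k = 2, step alpha = eps for N-FGSM, alpha = 1.25 * eps for RS-FGSM) are assumptions and are not stated on this page.

```python
import math
import random

def input_grad(w, x, y):
    """Gradient of the logistic loss log(1 + exp(-y * w.x)) with respect to x."""
    margin = y * sum(wi * xi for wi, xi in zip(w, x))
    coeff = -y / (1.0 + math.exp(margin))  # d loss / d (w.x)
    return [coeff * wi for wi in w]

def sign(v):
    return (v > 0) - (v < 0)

def rs_fgsm_delta(w, x, y, eps, alpha, rng):
    """RS-FGSM: noise in [-eps, eps], one FGSM step, then clip to the eps-ball."""
    eta = [rng.uniform(-eps, eps) for _ in x]
    g = input_grad(w, [xi + e for xi, e in zip(x, eta)], y)
    return [max(-eps, min(eps, e + alpha * sign(gi))) for e, gi in zip(eta, g)]

def n_fgsm_delta(w, x, y, eps, k, alpha, rng):
    """N-FGSM: stronger noise in [-k*eps, k*eps], one FGSM step, no clipping."""
    eta = [rng.uniform(-k * eps, k * eps) for _ in x]
    g = input_grad(w, [xi + e for xi, e in zip(x, eta)], y)
    return [e + alpha * sign(gi) for e, gi in zip(eta, g)]

def linf(v):
    return max(abs(c) for c in v)

def compare(trials=200, eps=8 / 255, seed=0):
    """Largest L-inf perturbation norm seen for each rule over random draws."""
    rng = random.Random(seed)
    w = [0.5, -1.0, 2.0, 0.25]      # constructed toy model weights
    x, y = [0.2, 0.7, 0.4, 0.9], 1  # constructed sample and label
    rs = max(linf(rs_fgsm_delta(w, x, y, eps, 1.25 * eps, rng))
             for _ in range(trials))
    n = max(linf(n_fgsm_delta(w, x, y, eps, 2, eps, rng))  # assumed k=2, alpha=eps
            for _ in range(trials))
    return rs, n

if __name__ == "__main__":
    rs, n = compare()
    print(f"max |delta|  RS-FGSM: {rs:.4f}  N-FGSM: {n:.4f}  eps: {8 / 255:.4f}")
```

In a training loop the model would be updated on x + delta; input-range clamping (for example to [0, 1] for images) is left out here.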