Abstract
Adversarial training (AT) is one of the most promising defenses against adversarial attacks. By exploiting the adversarial examples generated in the maximization step of AT, a large improvement in robustness can be obtained. However, by analyzing the original natural examples and their corresponding adversarial examples, we observe that a certain fraction of them are abnormal. In this paper, we propose a novel AT framework called anomaly-aware adversarial training (A³T), which applies different learning strategies to the one normal case and the two abnormal cases that arise when generating adversarial examples. Extensive experiments on three publicly available datasets, with classifiers from three major network architectures, demonstrate that A³T is effective in making networks robust to adversarial attacks in both white-box and black-box settings and outperforms state-of-the-art AT methods.
K. Tang and T. Lou—Contributed equally to this work.
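The maximization step the abstract refers to is the inner loop of the min-max formulation of adversarial training (Madry et al., ICLR 2018): for each training example, a perturbation inside an ℓ∞ ball of radius ε is found by projected gradient descent (PGD) so as to maximize the loss, and the model is then updated on that adversarial example rather than on the natural one. The following is an added example, not code from the paper, that implements this standard PGD-based AT baseline on a toy two-dimensional logistic-regression model in pure Python with a constructed dataset. It shows plain AT only; it does not implement the anomaly-handling strategies of A³T, which the abstract does not specify. All function names, the toy dataset and the hyperparameters are assumptions made for illustration.

```python
import math
import random


def sigmoid(z):
    """Numerically stable logistic function."""
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    e = math.exp(z)
    return e / (1.0 + e)


def predict_prob(w, b, x):
    """P(y = 1 | x) for the linear classifier w.x + b."""
    return sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)


def loss(w, b, x, y):
    """Binary cross-entropy of one example (y in {0, 1})."""
    p = predict_prob(w, b, x)
    eps = 1e-12  # guards log(0)
    return -(y * math.log(p + eps) + (1 - y) * math.log(1 - p + eps))


def input_grad(w, b, x, y):
    """d loss / d x for the logistic model: (p - y) * w."""
    p = predict_prob(w, b, x)
    return [(p - y) * wi for wi in w]


def sign(v):
    return (v > 0) - (v < 0)


def pgd_attack(w, b, x, y, eps, alpha, steps):
    """Inner maximization: l-inf PGD that climbs the loss with step
    size alpha and projects back into the eps-ball around x."""
    x_adv = list(x)
    for _ in range(steps):
        g = input_grad(w, b, x_adv, y)
        x_adv = [xa + alpha * sign(gi) for xa, gi in zip(x_adv, g)]
        # projection onto {x' : |x' - x|_inf <= eps}
        x_adv = [min(max(xa, xi - eps), xi + eps) for xa, xi in zip(x_adv, x)]
    return x_adv


def adversarial_train(data, eps, alpha, steps, lr, epochs, seed=0):
    """Outer minimization: SGD on the loss of the adversarial examples.
    With eps = 0 (or steps = 0) this reduces to standard training."""
    rng = random.Random(seed)
    data = list(data)  # do not shuffle the caller's list in place
    w, b = [0.0] * len(data[0][0]), 0.0
    for _ in range(epochs):
        rng.shuffle(data)
        for x, y in data:
            x_adv = pgd_attack(w, b, x, y, eps, alpha, steps)
            p = predict_prob(w, b, x_adv)
            # gradient of the cross-entropy w.r.t. w and b, taken at x_adv
            w = [wi - lr * (p - y) * xa for wi, xa in zip(w, x_adv)]
            b -= lr * (p - y)
    return w, b


def robust_accuracy(w, b, data, eps, alpha, steps):
    """Accuracy against a PGD adversary with the given budget."""
    correct = 0
    for x, y in data:
        x_adv = pgd_attack(w, b, x, y, eps, alpha, steps)
        correct += int((predict_prob(w, b, x_adv) >= 0.5) == (y == 1))
    return correct / len(data)


def make_toy_data():
    """Constructed, linearly separable 2-D sample (not from the paper)."""
    pos = [(1.0, 1.0), (1.5, 0.5), (0.5, 1.5), (1.2, 1.2)]
    neg = [(-1.0, -1.0), (-1.5, -0.5), (-0.5, -1.5), (-1.2, -1.2)]
    return [(x, 1) for x in pos] + [(x, 0) for x in neg]


if __name__ == "__main__":
    data = make_toy_data()
    eps, alpha, steps = 0.3, 0.1, 5
    w_nat, b_nat = adversarial_train(data, 0.0, alpha, 0, lr=0.1, epochs=200)
    w_adv, b_adv = adversarial_train(data, eps, alpha, steps, lr=0.1, epochs=200)
    print("standard training, robust acc:", robust_accuracy(w_nat, b_nat, data, eps, alpha, steps))
    print("adversarial training, robust acc:", robust_accuracy(w_adv, b_adv, data, eps, alpha, steps))
```

For a linear model the loss is monotone in the logit, so the PGD step along the sign of the input gradient never decreases the loss and the attack lands on the boundary of the ε-ball after ⌈ε/α⌉ steps; on deeper networks the same loop is used, but the maximization is non-convex and the reached point is only a local maximum, which is why evaluation should use a stronger attack than the one used in training.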
Acknowledgment
This work was supported in part by the National Key R&D Program of China (2020AAA0107704), the National Natural Science Foundation of China (62102105 and 62073263), and the Guangdong Basic and Applied Basic Research Foundation (2020A1515110997 and 2022A1515011501).
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Tang, K., Lou, T., He, X., Shi, Y., Zhu, P., Gu, Z. (2023). Enhancing Adversarial Robustness via Anomaly-aware Adversarial Training. In: Jin, Z., Jiang, Y., Buchmann, R.A., Bi, Y., Ghiran, A.M., Ma, W. (eds) Knowledge Science, Engineering and Management. KSEM 2023. Lecture Notes in Computer Science, vol 14117. Springer, Cham. https://doi.org/10.1007/978-3-031-40283-8_28
DOI: https://doi.org/10.1007/978-3-031-40283-8_28
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-40282-1
Online ISBN: 978-3-031-40283-8
eBook Packages: Computer Science, Computer Science (R0)