Internet Archive Scholar

Instance adaptive adversarial training: Improved accuracy tradeoffs in neural nets [article]

Yogesh Balaji, Tom Goldstein, Judy Hoffman
2019 arXiv   pre-print

Preserved Fulltext

fulltext thumbnail
Web Archive Capture PDF (4.2 MB)
https://web.archive.org/web/20200909001603/https://arxiv.org/pdf/1910.08051v1.pdf

A copy of this work was available on the public web and has been preserved in the Wayback Machine. The capture dates from 2020; you can also visit the original URL. The file type is application/pdf.

Adversarial training is by far the most successful strategy for improving robustness of neural networks to adversarial attacks. Despite its success as a defense mechanism, adversarial training fails to generalize well to unperturbed test set. We hypothesize that this poor generalization is a consequence of adversarial training with uniform perturbation radius around every training sample. Samples close to decision boundary can be morphed into a different class under a small perturbation budget,
more » ... and enforcing large margins around these samples produce poor decision boundaries that generalize poorly. Motivated by this hypothesis, we propose instance adaptive adversarial training -- a technique that enforces sample-specific perturbation margins around every training sample. We show that using our approach, test accuracy on unperturbed samples improve with a marginal drop in robustness. Extensive experiments on CIFAR-10, CIFAR-100 and Imagenet datasets demonstrate the effectiveness of our proposed approach.
arXiv:1910.08051v1 fatcat:s2enskjbwbazbi4azpfnak4zte
Citation

Yogesh Balaji, Tom Goldstein, Judy Hoffman. "Instance adaptive adversarial training: Improved accuracy tradeoffs in neural nets." arXiv (2019)