Adaptive Smoothness-weighted Adversarial Training for Multiple Perturbations with Its Stability Analysis

• Published in: arXiv.org
• Main Authors: Xiao, Jiancong, Qin, Zeyu, Fan, Yanbo, Wu, Baoyuan, Wang, Jue, Zhi-Quan Luo
• Format: Paper
• Language: English
• Published: Ithaca Cornell University Library, arXiv.org 02.10.2022
• Subjects: Algorithms; Perturbation; Smoothness; Stability analysis; Training
• ISSN: 2331-8422

Adversarial Training (AT) has been demonstrated as one of the most effective methods against adversarial examples. While most existing works focus on AT with a single type of perturbation e.g., the \(\ell_\infty\) attacks), DNNs are facing threats from different types of adversarial examples. Therefore, adversarial training for multiple perturbations (ATMP) is proposed to generalize the adversarial robustness over different perturbation types (in \(\ell_1\), \(\ell_2\), and \(\ell_\infty\) norm-bounded perturbations). However, the resulting model exhibits trade-off between different attacks. Meanwhile, there is no theoretical analysis of ATMP, limiting its further development. In this paper, we first provide the smoothness analysis of ATMP and show that \(\ell_1\), \(\ell_2\), and \(\ell_\infty\) adversaries give different contributions to the smoothness of the loss function of ATMP. Based on this, we develop the stability-based excess risk bounds and propose adaptive smoothness-weighted adversarial training for multiple perturbations. Theoretically, our algorithm yields better bounds. Empirically, our experiments on CIFAR10 and CIFAR100 achieve the state-of-the-art performance against the mixture of multiple perturbations attacks.