Adversarial robustness; Adversarial training; Automated data augmentation; Data augmentation; Neural-networks; Overfitting; Training methods; Computer Vision and Pattern Recognition; Artificial Intelligence
Abstract:
Deep neural networks are vulnerable to adversarial examples. Adversarial training (AT) is an effective defense against adversarial examples. However, AT is prone to overfitting, which degrades robustness substantially. Recently, data augmentation (DA) was shown to be effective in mitigating robust overfitting if appropriately designed and optimized for AT. This work proposes a new method to automatically learn online, instance-wise DA policies to improve robust generalization for AT. This is the first automated DA method specific to robustness. A novel policy learning objective, consisting of Vulnerability, Affinity and Diversity, is proposed and shown to be sufficiently effective and efficient to be practical for automatic DA generation during AT. Importantly, our method dramatically reduces the cost of policy search from the 5000 h of AutoAugment and the 412 h of IDBH to 9 h, making automated DA more practical to use for adversarial robustness. This allows our method to efficiently explore a large search space for a more effective DA policy and to evolve the policy as training progresses. Empirically, our method is shown to outperform all competitive DA methods across various model architectures and datasets. Our DA policy reinforces vanilla AT to surpass several state-of-the-art AT methods in both accuracy and robustness. It can also be combined with those advanced AT methods to further boost robustness. Code and pre-trained models are available at: https://github.com/TreeLLi/AROID.
Disciplines:
Computer science
Author, co-author:
Li, Lin; Department of Informatics, King’s College London, London, United Kingdom
Qiu, Jianing; Department of Computing, Imperial College London, London, United Kingdom
SPRATLING, Michael; University of Luxembourg > Faculty of Humanities, Education and Social Sciences (FHSE) > Department of Behavioural and Cognitive Sciences (DBCS) > Cognitive Science and Assessment; Department of Informatics, King’s College London, London, United Kingdom
External co-authors:
yes
Document language:
English
Title:
AROID: Improving Adversarial Robustness Through Online Instance-Wise Data Augmentation