Robust shortcut and disordered robustness: Improving adversarial training through adaptive smoothing

Adversarial robustness; Adversarial training; Instance adaptive; Loss smoothing; Neural-networks; Overfitting; Training methods; Computer Vision and Pattern Recognition; Artificial Intelligence

Abstract :

[en] Deep neural networks are highly susceptible to adversarial perturbations: artificial noise that corrupts input data in ways imperceptible to humans but causes incorrect predictions. Among the various defenses against these attacks, adversarial training has emerged as the most effective. In this work, we aim to enhance adversarial training to improve robustness against adversarial attacks. We begin by analyzing how adversarial vulnerability evolves during training from an instance-wise perspective. This analysis reveals two previously unrecognized phenomena: robust shortcut and disordered robustness. We then demonstrate that these phenomena are related to robust overfitting, a well-known issue in adversarial training. Building on these insights, we propose a novel adversarial training method: Instance-adaptive Smoothness Enhanced Adversarial Training (ISEAT). This method jointly smooths the input and weight loss landscapes in an instance-adaptive manner, preventing the exploitation of robust shortcut and thereby mitigating robust overfitting. Extensive experiments demonstrate the efficacy of ISEAT and its superiority over existing adversarial training methods. Code is available at https://github.com/TreeLLi/ISEAT.

Disciplines :

Computer science

Author, co-author :

Li, Lin ; Department of Informatics, King's College London, London, United Kingdom

SPRATLING, Michael ; University of Luxembourg > Faculty of Humanities, Education and Social Sciences (FHSE) > Department of Behavioural and Cognitive Sciences (DBCS) > Cognitive Science and Assessment ; Department of Informatics, King's College London, London, United Kingdom

External co-authors :

yes

Language :

English

Title :

Robust shortcut and disordered robustness: Improving adversarial training through adaptive smoothing

Publication date :

July 2025

Journal title :

Pattern Recognition

ISSN :

0031-3203

eISSN :

1873-5142

Publisher :

Elsevier Ltd

Volume :

163

Pages :

111474

Peer reviewed :

Peer Reviewed verified by ORBi

Additional URL :

https://api.elsevier.com/content/article/PII:S0031320325001347?httpAccept=text/xml

Funders :

China Scholarship Council

Funding text :

The authors gratefully acknowledge use of the King's Computational Research, Engineering and Technology Environment (CREATE) and the Joint Academic Data science Endeavour (JADE) facility for carrying out the experiments described in this paper. This work was funded by a scholarship from the King's - China Scholarship Council (K-CSC).The authors gratefully acknowledge use of the King\u2019s Computational Research, Engineering and Technology Environment (CREATE) and the Joint Academic Data science Endeavour (JADE) facility for carrying out the experiments described in this paper. This work was funded by a scholarship from the King\u2019s - China Scholarship Council (K-CSC) .

Available on ORBilu :

since 21 August 2025

Statistics

Number of views

31 (0 by Unilu)

Number of downloads

22 (0 by Unilu)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

OpenCitations

OpenAlex citations

WoS citations^™

Bibliography

I.J. Goodfellow, J. Shlens, C. Szegedy, Explaining and Harnessing Adversarial Examples, in: International Conference on Learning Representations, ICLR, 2015.
A. Athalye, N. Carlini, D. Wagner, Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial Examples, in: International Conference on Machine Learning, ICML, 2018.
A. Madry, A. Makelov, L. Schmidt, D. Tsipras, A. Vladu, Towards Deep Learning Models Resistant to Adversarial Attacks, in: International Conference on Learning Representations, ICLR, 2018.
Balaji, Y., Goldstein, T., Hoffman, J., Instance adaptive adversarial training: Improved accuracy tradeoffs in neural nets. 2019 arXiv.
G.W. Ding, Y. Sharma, K.Y.C. Lui, R. Huang, MMA Training: Direct Input Space Margin Maximization through Adversarial Training, in: International Conference on Learning Representations, ICLR, 2020.
J. Zhang, X. Xu, B. Han, G. Niu, L. Cui, M. Sugiyama, M. Kankanhalli, Attacks Which Do Not Kill Training Make Adversarial Learning Stronger, in: International Conference on Machine Learning, ICML, 2020.
M. Cheng, Q. Lei, P.-Y. Chen, I. Dhillon, C.-J. Hsieh, CAT: Customized Adversarial Training for Improved Robustness, in: International Joint Conference on Artificial Intelligence, IJCAI, 2022.
S. Yang, C. Xu, One Size Does NOT Fit All: Data-Adaptive Adversarial Training, in: European Conference on Computer Vision, ECCV, 2022.
L. Rice, E. Wong, J.Z. Kolter, Overfitting in adversarially robust deep learning, in: International Conference on Machine Learning, ICML, 2020.
C.-J. Simon-Gabriel, Y. Ollivier, L. Bottou, B. Schölkopf, D. Lopez-Paz, First-Order Adversarial Vulnerability of Neural Networks and Input Dimension, in: International Conference on Machine Learning, ICML, 2019.
S.-M. Moosavi-Dezfooli, A. Fawzi, J. Uesato, P. Frossard, Robustness via Curvature Regularization, and Vice Versa, in: IEEE/CVF Conference on Computer Vision and Pattern Recognition, CVPR, 2019.
Wu, D., Xia, S.-T., Wang, Y., Adversarial weight perturbation helps robust generalization. Neural Information Processing Systems, NeurIPS, 2020.
Li, L., Spratling, M., Understanding and combating robust overfitting via input loss landscape analysis and regularization. Pattern Recognit., 2023.
C. Yu, B. Han, M. Gong, L. Shen, S. Ge, D. Bo, T. Liu, Robust Weight Perturbation for Adversarial Training, in: International Joint Conference on Artificial Intelligence, IJCAI, 2022.
T. Chen, Z. Zhang, S. Liu, S. Chang, Z. Wang, Robust Overfitting may be mitigated by properly learned smoothening, in: International Conference on Learning Representations, ICLR, 2021.
Y. Wang, D. Zou, J. Yi, J. Bailey, X. Ma, Q. Gu, Improving Adversarial Robustness Requires Revisiting Misclassified Examples, in: International Conference on Learning Representations, ICLR, 2020.
J. Zhang, J. Zhu, G. Niu, B. Han, M. Sugiyama, M. Kankanhalli, Geometry-aware Instance-reweighted Adversarial Training, in: International Conference on Learning Representations, ICLR, 2021.
Xu, M., Zhang, T., Li, Z., Zhang, D., InfoAT: Improving adversarial training using the information bottleneck principle. IEEE Transactions on Neural Networks and Learning Systems (T-NNLS), 2022.
X. Jia, Y. Zhang, B. Wu, K. Ma, J. Wang, X. Cao, LAS-AT: Adversarial Training With Learnable Attack Strategy, in: IEEE/CVF Conference on Computer Vision and Pattern Recognition, CVPR, 2022.
M. Arjovsky, L. Bottou, Towards Principled Methods for Training Generative Adversarial Networks, in: International Conference on Learning Representations, ICLR, 2017.
Schmidt, L., Santurkar, S., Tsipras, D., Talwar, K., Madry, A., Adversarially robust generalization requires more data. Neural Information Processing Systems (NeurIPS), 2018.
Carmon, Y., Raghunathan, A., Schmidt, L., Duchi, J.C., Liang, P.S., Unlabeled data improves adversarial robustness. Neural Information Processing Systems (NeurIPS), 2019.
Gowal, S., Rebuffi, S.-A., Wiles, O., Stimberg, F., Calian, D., Mann, T., Improving robustness using generated data. Neural Information Processing Systems (NeurIPS), 2021.
L. Li, M.W. Spratling, Data augmentation alone can improve adversarial training, in: International Conference on Learning Representations, ICLR, 2023.
Xia, P., Li, Z., Zhang, W., Li, B., Data-efficient backdoor attacks. Raedt, L.D., (eds.) Proceedings of the Thirty-First International Joint Conference on Artificial Intelligence, IJCAI-22, 2022, International Joint Conferences on Artificial Intelligence Organization, 3992–3998, 10.24963/ijcai.2022/554 main Track.
Li, Z., Sun, H., Xia, P., Xia, B., Rui, X., Zhang, W., Guo, Q., Fu, Z., Li, B., A proxy attack-free strategy for practically improving the poisoning efficiency in backdoor attacks. IEEE Trans. Inf. Forensics Secur., 2024.
K. He, X. Zhang, S. Ren, J. Sun, Identity Mappings in Deep Residual Networks, in: European Conference on Computer Vision, ECCV, 2016.
R. Rade, S.-M. Moosavi-Dezfooli, Reducing Excessive Margin to Achieve a Better Accuracy vs. Robustness Trade-off, in: International Conference on Learning Representations, ICLR, 2022.
C. Yu, B. Han, L. Shen, J. Yu, C. Gong, M. Gong, T. Liu, Understanding Robust Overfitting of Adversarial Training and Beyond, in: International Conference on Machine Learning, ICML, 2022.
Paszke, A., Gross, S., Massa, F., Lerer, A., Bradbury, J., Chanan, G., Killeen, T., Lin, Z., Gimelshein, N., Antiga, L., Desmaison, A., Kopf, A., Yang, E., DeVito, Z., Raison, M., Tejani, A., Chilamkurthy, S., Steiner, B., Fang, L., Bai, J., Chintala, S., PyTorch: An imperative style, high-performance deep learning library. Neural Information Processing Systems (NeurIPS), 2019.
S. Zagoruyko, N. Komodakis, Wide Residual Networks, in: British Machine Vision Conference, BMVC, 2016.
A. Krizhevsky, Learning Multiple Layers of Features from Tiny Images, Technical Report, 2009.
Netzer, Y., Wang, T., Coates, A., Bissacco, A., Wu, B., Ng, A.Y., Reading digits in natural images with unsupervised feature learning. NIPS Workshop on Deep Learning and Unsupervised Feature Learning 2011, 2011.
Le, Y., Yang, X., Tiny imagenet visual recognition challenge. 2015 CS 231N.
Andriushchenko, M., Flammarion, N., Understanding and improving fast adversarial training. Neural Information Processing Systems (NeurIPS), 2020.
F. Croce, M. Hein, Reliable Evaluation of Adversarial Robustness with an Ensemble of Diverse Parameter-free Attacks, in: International Conference on Machine Learning, ICML, 2020.
Kim, H., Torchattacks: A pytorch repository for adversarial attacks. 2021.
H. Zhang, Y. Yu, J. Jiao, E. Xing, L.E. Ghaoui, M. Jordan, Theoretically Principled Trade-off between Robustness and Accuracy, in: International Conference on Machine Learning, ICML, 2019.
Croce, F., Andriushchenko, M., Sehwag, V., Debenedetti, E., Flammarion, N., Chiang, M., Mittal, P., Hein, M., Robustbench: a standardized adversarial robustness benchmark. Neural Information Processing Systems (NeurIPS), 2021.
Rebuffi, S.-A., Gowal, S., Calian, D.A., Stimberg, F., Wiles, O., Mann, T., Data augmentation can improve robustness. Neural Information Processing Systems (NeurIPS), 2021.
S. Kanai, S. Yamaguchi, M. Yamada, H. Takahashi, K. Ohno, Y. Ida, One-vs-the-Rest Loss to Focus on Important Samples in Adversarial Training, in: International Conference on Machine Learning, ICML, 2023.
Liu, H., Zhong, Z., Sebe, N., Satoh, S., Mitigating Robust Overfitting Via Self-Residual-Calibration Regularization. Artificial Intelligence, 2023.
Z. Li, D. Yu, L. Wei, C. Jin, Y. Zhang, S. Chan, Soften to Defend: Towards Adversarial Robustness via Self-Guided Label Refinement, in: IEEE/CVF Conference on Computer Vision and Pattern Recognition, CVPR, 2024.
X. Yin, W. Ruan, Boosting Adversarial Training via Fisher-Rao Norm-based Regularization, in: IEEE/CVF Conference on Computer Vision and Pattern Recognition, CVPR, 2024.
J. Zhang, F. Liu, D. Zhou, J. Zhang, T. Liu, Improving Accuracy-robustness Trade-off via Pixel Reweighted Adversarial Training, in: International Conference on Machine Learning, ICML, 2024.