Making deep neural networks robust to small adversarial noises has recently been sought in many applications. Adversarial training through iterative projected gradient descent (PGD) has been established as one of the mainstream ideas to achieve this goal. However, PGD is computationally demanding and often prohibitive in the case of large datasets and models. For this reason, single-step PGD, also known as FGSM, has recently gained interest in the field. Unfortunately, FGSM-training leads to a phenomenon called "catastrophic overfitting," which is a sudden drop in the adversarial accuracy under the PGD attack. In this paper, we support the idea that small input gradients play a key role in this phenomenon, and hence propose to zero the input gradient elements that are small for crafting FGSM attacks. Our proposed idea, while being simple and efficient, achieves competitive adversarial accuracy on various datasets.
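The following sketch of the masking step is an added illustration, not the authors' code: it computes an input gradient, zeroes its small elements, and takes the FGSM sign step on what remains. The toy logistic model, the quantile rule for deciding which elements count as "small", and all names and values are assumptions made for the example.

```python
import math

def input_gradient(w, b, x, y):
    """Gradient of the logistic cross-entropy loss w.r.t. the input x."""
    z = sum(wi * xi for wi, xi in zip(w, x)) + b
    p = 1.0 / (1.0 + math.exp(-z))
    return [(p - y) * wi for wi in w]

def small_gradient_threshold(grad, q):
    """|g| at quantile q; an assumed rule for what counts as a small element."""
    mags = sorted(abs(g) for g in grad)
    return mags[min(int(q * len(mags)), len(mags) - 1)]

def masked_fgsm(grad, eps, q):
    """FGSM step eps*sign(g), with elements below the threshold zeroed."""
    thr = small_gradient_threshold(grad, q)
    delta = []
    for g in grad:
        if abs(g) < thr or g == 0.0:
            delta.append(0.0)          # small gradient element: no perturbation
        else:
            delta.append(eps if g > 0 else -eps)
    return delta

def adversarial_example(w, b, x, y, eps, q):
    """Training input x + delta, clipped to the valid range [0, 1]."""
    delta = masked_fgsm(input_gradient(w, b, x, y), eps, q)
    return [min(1.0, max(0.0, xi + di)) for xi, di in zip(x, delta)]

# Constructed toy model and sample (hypothetical values, not from the paper).
W = [2.0, -0.01, 0.5, 0.002, -1.5]
B = 0.0
X = [0.5, 0.5, 0.5, 0.5, 0.5]
Y = 1.0

if __name__ == "__main__":
    g = input_gradient(W, B, X, Y)
    print("plain FGSM :", masked_fgsm(g, 0.1, 0.0))   # q=0 masks nothing
    print("masked FGSM:", masked_fgsm(g, 0.1, 0.4))   # two smallest |g| zeroed
    print("x_adv      :", adversarial_example(W, B, X, Y, 0.1, 0.4))
```

With `q = 0.0` the function reduces to ordinary FGSM, so the same routine can be used to compare both variants inside a training loop.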