Adversarial training (AT) has become a popular choice for training robust networks. However, it tends to sacrifice clean accuracy heavily in favor of robustness and suffers from a large generalization error. To address these concerns, we propose Smooth Adversarial Training (SAT), guided by our analysis of the eigenspectrum of the loss Hessian. We find that curriculum learning, a scheme that starts "easy" and gradually ramps up the "difficulty" of training, smooths the adversarial loss landscape for a suitably chosen difficulty metric. We present a general formulation for curriculum learning in the adversarial setting and propose two difficulty metrics based on the maximal Hessian eigenvalue (H-SAT) and the softmax probability (P-SA). We demonstrate that SAT stabilizes network training even for a large perturbation norm and allows the network to operate on a better clean accuracy versus robustness trade-off curve than AT. This leads to a significant improvement in both clean accuracy and robustness compared to AT, TRADES, and other baselines. To highlight a few results, our best model improves normal and robust accuracy on CIFAR-100 by 6% and 1%, respectively, compared to AT. On Imagenette, a ten-class subset of ImageNet, our model outperforms AT by 23% and 3% on normal and robust accuracy, respectively.