Current deep neural networks (DNNs) are vulnerable to adversarial attacks, where small adversarial perturbations of the inputs can alter or manipulate the classification outcome. To defend against such attacks, an effective and popular approach, known as adversarial training (AT), has been shown to mitigate the negative impact of adversarial attacks via a min-max robust training formulation. While effective, it remains unclear whether AT can be successfully adapted to the distributed learning context. The power of distributed optimization over multiple machines enables us to scale up robust training over large models and datasets. Spurred by this, we propose distributed adversarial training (DAT), a large-batch adversarial training framework implemented over multiple machines. We show that DAT is general: it supports training over labeled and unlabeled data, multiple types of attack generation methods, and the gradient compression operations favored in distributed optimization. Theoretically, under standard conditions from optimization theory, we establish the convergence rate of DAT to first-order stationary points in general non-convex settings. Empirically, we demonstrate that DAT either matches or outperforms state-of-the-art robust accuracies and achieves a graceful training speedup (e.g., on ResNet-50 under ImageNet). Code is available at https://github.com/dat-2022/dat.
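For context, adversarial training is commonly cast as the min-max problem below; this is the standard AT formulation and only a sketch of the objective that DAT distributes, not necessarily the exact objective of the paper (which also covers unlabeled data and compressed gradients):

\[
\min_{\theta}\ \mathbb{E}_{(x,y)\sim\mathcal{D}}\Big[\max_{\|\delta\|\le\epsilon}\ \ell\big(f_\theta(x+\delta),\,y\big)\Big],
\]

where $\theta$ denotes the model parameters, $\delta$ an adversarial perturbation bounded by radius $\epsilon$, and $\ell$ the training loss. In a distributed setting, each worker approximately solves the inner maximization on its local minibatch (e.g., with a gradient-based attack), and the outer minimization proceeds by aggregating the resulting, possibly compressed, stochastic gradients across machines.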