Semi-supervised robust training with generalized perturbed neighborhood. (April 2022)
- Record Type:
- Journal Article
- Title:
- Semi-supervised robust training with generalized perturbed neighborhood. (April 2022)
- Main Title:
- Semi-supervised robust training with generalized perturbed neighborhood
- Authors:
- Li, Yiming
Wu, Baoyuan
Feng, Yan
Fan, Yanbo
Jiang, Yong
Li, Zhifeng
Xia, Shu-Tao
- Abstract:
- Highlights: We propose a robust training method by jointly minimizing standard risk and robust risk, which is naturally extended to the semi-supervised mode. By generalizing the definition of the perturbed neighborhood to cover different types of perturbations, our method achieves the joint robustness to different perturbations, such as the pixel-wise and spatial perturbation. Experiments on benchmark datasets verify the superiority of the proposed SRT method to state-of-the-art adversarial training methods, as well as the robustness of SRT to pixel-wise and spatial perturbations simultaneously.
Abstract: Adversarial examples have been shown to be a severe threat to deep neural networks (DNNs). One of the most effective adversarial defense methods is adversarial training (AT) through minimizing the adversarial risk R_adv, which encourages both the benign example x and its adversarially perturbed neighborhoods within the ℓ_p-ball to be predicted as the ground-truth label. In this paper, we propose a novel defense method, the robust training (RT), by jointly minimizing two separated risks (i.e., R_stand and R_rob), which are with respect to the benign example and its neighborhoods, respectively. The motivation is to explicitly and jointly enhance the accuracy and the adversarial robustness. We prove that R_adv is upper-bounded by R_stand + R_rob, which implies that RT has a similar effect as AT. Intuitively, minimizing the standard risk enforces the benign example to be correctly predicted, while the robust risk minimization encourages the predictions of the neighbor examples to be consistent with the prediction of the benign example. Besides, since R_rob is independent of the ground-truth label, RT is naturally extended to the semi-supervised mode (i.e., SRT), to further enhance its effectiveness. Moreover, we extend the ℓ_p-bounded neighborhood to a general case, which covers different types of perturbations, such as the pixel-wise (i.e., x + δ) or the spatial perturbation (i.e., Ax + b). Extensive experiments on benchmark datasets not only verify the superiority of the proposed SRT to state-of-the-art methods for defending pixel-wise or spatial perturbations separately but also demonstrate its robustness to both perturbations simultaneously. Our work may shed light on the understanding of universal model robustness and the potential of unlabeled samples. The code for reproducing main results is available at https://github.com/THUYimingLi/Semi-supervised_Robust_Training .
- Is Part Of:
- Pattern recognition. Volume 124(2022)
- Journal:
- Pattern recognition
- Issue:
- Volume 124(2022)
- Issue Display:
- Volume 124, Issue 2022 (2022)
- Year:
- 2022
- Volume:
- 124
- Issue:
- 2022
- Issue Sort Value:
- 2022-0124-2022-0000
- Page Start:
- Page End:
- Publication Date:
- 2022-04
- Subjects:
- Adversarial Defense -- Adversarial Learning -- Semi-supervised Learning -- AI Security -- Deep Learning -- Classification
Pattern perception -- Periodicals
Perception des structures -- Périodiques
Patroonherkenning
006.4
- Journal URLs:
- http://www.sciencedirect.com/science/journal/00313203
http://www.sciencedirect.com/
- DOI:
- 10.1016/j.patcog.2021.108472
- Languages:
- English
- ISSNs:
- 0031-3203
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms)
- Physical Locations:
- British Library DSC - BLDSS-3PM
British Library HMNTS - ELD Digital store
- Ingest File:
- 22256.xml