Nuoyan Zhou, Nannan Wang, Decheng Liu, Dawei Zhou, Xinbo Gao
Deep neural networks are vulnerable to adversarial noise. Adversarial Training (AT) has been demonstrated to be the most effective defense strategy to protect neural networks from being fooled. However, we find AT omits to learning robust features, resulting in poor performance of adversarial robustness. To address this issue, we highlight two criteria of robust representation: (1) Exclusion: \emph{the feature of examples keeps away from that of other classes}; (2) Alignment: \emph{the feature of natural and corresponding adversarial examples is close to each other}. These motivate us to propose a generic framework of AT to gain robust representation, by the asymmetric negative contrast and reverse attention. Specifically, we design an asymmetric negative contrast based on predicted probabilities, to push away examples of different classes in the feature space. Moreover, we propose to weight feature by parameters of the linear classifier as the reverse attention, to obtain class-aware feature and pull close the feature of the same class. Empirical evaluations on three benchmark datasets show our methods greatly advance the robustness of AT and achieve state-of-the-art performance.
| Task | Dataset | Metric | Value | Model |
|---|---|---|---|---|
| Adversarial Attack | CIFAR-10 | Attack: AutoAttack | 59.7 | TRADES-ANCRA/ResNet18 |
| Adversarial Defense | CIFAR-10 | Accuracy | 81.7 | ResNet18 (TRADES-ANCRA/PGD-40) |
| Adversarial Defense | CIFAR-10 | Attack: AutoAttack | 59.7 | ResNet18 (TRADES-ANCRA/PGD-40) |
| Adversarial Defense | CIFAR-10 | Robust Accuracy | 82.96 | ResNet18 (TRADES-ANCRA/PGD-40) |
| Adversarial Robustness | CIFAR-100 | AutoAttacked Accuracy | 35.05 | ResNet18/MART-ANCRA |
| Adversarial Robustness | CIFAR-100 | Clean Accuracy | 60.1 | ResNet18/MART-ANCRA |
| Adversarial Robustness | CIFAR-10 | Accuracy | 81.7 | TRADES-ANCRA/ResNet18 |
| Adversarial Robustness | CIFAR-10 | Attack: AutoAttack | 59.7 | TRADES-ANCRA/ResNet18 |