
Revisiting and Advancing Fast Adversarial Training Through The Lens of Bi-Level Optimization (2112.12376v6)

Published 23 Dec 2021 in cs.LG

Abstract: Adversarial training (AT) is a widely recognized defense mechanism to gain the robustness of deep neural networks against adversarial attacks. It is built on min-max optimization (MMO), where the minimizer (i.e., defender) seeks a robust model to minimize the worst-case training loss in the presence of adversarial examples crafted by the maximizer (i.e., attacker). However, the conventional MMO method makes AT hard to scale. Thus, Fast-AT (Wong et al., 2020) and other recent algorithms attempt to simplify MMO by replacing its maximization step with the single gradient sign-based attack generation step. Although easy to implement, Fast-AT lacks theoretical guarantees, and its empirical performance is unsatisfactory due to the issue of robust catastrophic overfitting when training with strong adversaries. In this paper, we advance Fast-AT from the fresh perspective of bi-level optimization (BLO). We first show that the commonly-used Fast-AT is equivalent to using a stochastic gradient algorithm to solve a linearized BLO problem involving a sign operation. However, the discrete nature of the sign operation makes it difficult to understand the algorithm performance. Inspired by BLO, we design and analyze a new set of robust training algorithms termed Fast Bi-level AT (Fast-BAT), which effectively defends sign-based projected gradient descent (PGD) attacks without using any gradient sign method or explicit robust regularization. In practice, we show our method yields substantial robustness improvements over baselines across multiple models and datasets. Codes are available at https://github.com/OPTML-Group/Fast-BAT.

Citations (75)

Summary

  • The paper presents Fast-BAT, a novel framework that reformulates adversarial training as a bi-level optimization problem for improved robustness and efficiency.
  • It decouples adversarial example generation from model training to address computational inefficiencies inherent in traditional Fast AT methods.
  • Empirical results across CIFAR-10, CIFAR-100, and ImageNet show over 1.5% robust accuracy improvement while maintaining strong standard accuracy.

Revisiting and Advancing Fast Adversarial Training Through the Lens of Bi-Level Optimization

The paper "Revisiting and Advancing Fast Adversarial Training Through the Lens of Bi-Level Optimization" introduces a novel approach to adversarial training, leveraging bi-level optimization (BLO) techniques to enhance the robustness of deep neural networks against adversarial attacks. The authors critique existing methods, notably Fast Adversarial Training (Fast AT) and its derivatives, and propose a new framework termed Fast Bi-level Adversarial Training (Fast-BAT). This new approach integrates insights from BLO and aims to address the limitations and inefficiencies observed in traditional adversarial training algorithms.

Key Concepts and Methodology

Adversarial training, particularly the min-max optimization framework, trains a neural network to minimize its worst-case loss over adversarial examples. While this min-max framework has proven effective in enhancing robustness, its scalability is limited by the computational cost of generating adversarial examples iteratively during training. Existing approaches like Fast AT simplify this process by replacing the iterative search for adversarial examples with a single gradient-sign-based attack generation step, yielding varying results in terms of robustness and efficiency.
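The single-step scheme described above, as an added example (not code from the paper or the Fast-BAT repository): a pure-Python logistic regression trained with and without a one-step gradient-sign perturbation, then evaluated under multi-step sign-based PGD. The data set, `EPS`, `K` and all function names are constructed for illustration; because the model is linear, one sign step already solves the inner maximization exactly, so this toy shows the robustness gain but cannot reproduce catastrophic overfitting.

```python
import math

EPS, K = 0.5, 20  # constructed toy: L-inf budget and number of weak features

def make_data(n=40):
    """Constructed data: x = y * [one strong feature, K weak features of 0.2]."""
    ys = [1 if i % 2 == 0 else -1 for i in range(n)]
    return [([y * (1.0 + 0.1 * (i % 5))] + [y * 0.2] * K, y) for i, y in enumerate(ys)]

def sign(v):
    return (v > 0) - (v < 0)

def margin(w, x, y):
    return y * sum(wi * xi for wi, xi in zip(w, x))

def loss_slope(w, x, y):
    """Minus the derivative of the logistic loss log(1 + exp(-margin)) w.r.t. the margin."""
    return 1.0 / (1.0 + math.exp(margin(w, x, y)))

def sign_attack(w, x, y, steps=1, alpha=EPS):
    """Sign-gradient ascent on the loss inside the EPS box (steps=1: single-step attack)."""
    d = [0.0] * len(x)
    for _ in range(steps):
        s = loss_slope(w, [xi + di for xi, di in zip(x, d)], y)
        # dLoss/dx_i = -s * y * w_i; step along its sign, then project back into the box
        d = [max(-EPS, min(EPS, di + alpha * sign(-s * y * wi))) for di, wi in zip(d, w)]
    return [xi + di for xi, di in zip(x, d)]

def train(data, adversarial, epochs=300, lr=0.1):
    """Full-batch gradient descent; with adversarial=True each x is attacked once first."""
    w = [0.0] * (K + 1)
    for _ in range(epochs):
        grad = [0.0] * len(w)
        for x, y in data:
            xa = sign_attack(w, x, y) if adversarial else x
            s = loss_slope(w, xa, y)
            grad = [g - s * y * xi / len(data) for g, xi in zip(grad, xa)]
        w = [wi - lr * gi for wi, gi in zip(w, grad)]
    return w

def accuracy(w, data, pgd_steps=0):
    """Clean accuracy if pgd_steps == 0, else accuracy under multi-step sign-based PGD."""
    xs = [(sign_attack(w, x, y, pgd_steps, EPS / 4) if pgd_steps else x, y) for x, y in data]
    return sum(margin(w, x, y) > 0 for x, y in xs) / len(data)

if __name__ == "__main__":
    for name, adv in (("standard", False), ("one-step AT", True)):
        w = train(make_data(), adv)
        print(name, accuracy(w, make_data()), accuracy(w, make_data(), 10))
```

The standard model is perfect on clean inputs yet misclassifies every point under the attack, because it leans on the many weak features; the adversarially trained model keeps those weights near zero and stays correct.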

The authors propose using BLO to reformulate the adversarial training as a hierarchical optimization problem. BLO, unlike traditional min-max optimization, allows the separation of tasks between upper-level (model training) and lower-level (adversarial example generation) objectives. By using this framework, the authors derive a more efficient robust training algorithm, Fast-BAT. Fast-BAT aims to provide both theoretical guarantees and improved empirical performance by solving a linearized BLO problem.
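The two formulations written out, as an added illustration (the notation is introduced here and is not taken from the page): $\theta$ are the model parameters, $\delta$ is a perturbation restricted to a set $\mathcal{C}$ such as an $\ell_\infty$ ball of radius $\epsilon$, $\ell_{\mathrm{tr}}$ is the training loss and $\ell_{\mathrm{atk}}$ is the attack objective.

$$\text{MMO:}\quad \min_{\theta}\ \mathbb{E}_{(x,y)}\Big[\max_{\delta\in\mathcal{C}}\ \ell_{\mathrm{tr}}(\theta;\,x+\delta,\,y)\Big]$$

$$\text{BLO:}\quad \min_{\theta}\ \mathbb{E}_{(x,y)}\Big[\ell_{\mathrm{tr}}\big(\theta;\,x+\delta^{*}(\theta),\,y\big)\Big]\quad\text{s.t.}\quad \delta^{*}(\theta)\in\arg\min_{\delta\in\mathcal{C}}\ \ell_{\mathrm{atk}}(\theta,\delta;\,x,\,y)$$

Choosing $\ell_{\mathrm{atk}}=-\ell_{\mathrm{tr}}$ recovers MMO, so BLO is the more general form. Because the lower-level solution $\delta^{*}(\theta)$ depends on $\theta$, the upper-level gradient is a total derivative (assuming $\delta^{*}$ is differentiable in $\theta$):

$$\frac{d}{d\theta}\,\ell_{\mathrm{tr}}\big(\theta,\delta^{*}(\theta)\big)=\nabla_{\theta}\ell_{\mathrm{tr}}\big(\theta,\delta^{*}(\theta)\big)+\Big(\frac{d\delta^{*}(\theta)}{d\theta}\Big)^{\!\top}\nabla_{\delta}\ell_{\mathrm{tr}}\big(\theta,\delta^{*}(\theta)\big)$$

The second term is the implicit-gradient term that a bi-level training algorithm has to account for.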

Numerical Results and Comparisons

Experiments conducted across CIFAR-10, CIFAR-100, Tiny-ImageNet, and ImageNet demonstrate that Fast-BAT substantially outperforms prior methods in robust accuracy against adversarial attacks. For CIFAR-10, Fast-BAT improves robust accuracy by over 1.5% across different model architectures, including PreActResNet-18, WideResNet, and ResNet configurations. The results hold consistently across different perturbation strengths, showcasing Fast-BAT's capability to effectively balance the trade-off between standard accuracy and adversarial robustness.

The paper highlights that Fast-BAT not only enhances adversarial robustness but also maintains a satisfactory standard accuracy, unlike some existing methods which improve robustness at the expense of accuracy. This improved trade-off is crucial for practical applications where both robustness and accuracy are critical.

Theoretical Implications and Future Directions

The use of BLO for adversarial training introduces new theoretical possibilities, particularly around the derivation and implementation of implicit gradients, which circumvent the limitations of discrete operations like sign-based gradient methods. By replacing the traditional gradient-based approach with a rigorous derivation using KKT conditions, Fast-BAT mitigates issues of robust catastrophic overfitting—a problem that has plagued existing methods when confronted with strong adversarial examples.

Future work can expand on this foundation by exploring more advanced BLO formulations or by integrating additional constraints and objectives into the optimization problem to address robustness against a broader spectrum of adversarial tactics. Additionally, refining the efficiency of Fast-BAT or exploring its applications in domain generalization tasks could provide further value in the adversarial machine learning landscape.

In conclusion, by revisiting adversarial training through the BLO lens, the paper provides a significant advancement in the field, both in terms of practical adversarial robustness and theoretical clarity, signalling a promising direction for future research in robust machine learning methods.