Abstract
The easily perturbed nature of deep neural networks makes them vulnerable to adversarial attacks, and this vulnerability has become a major threat to the security of machine learning. The transferability of adversarial samples further increases the threat. Adversarial training has made considerable progress in defending against adversarial samples. In transfer learning, unsupervised domain adaptation is an important research branch; however, because the labels of the target domain samples cannot be obtained, adversarial training is difficult to implement there. In this paper, we found that using source domain data for adversarial training and adding the generated adversarial perturbation to the target domain data could effectively enhance the robustness of the transferred model. Experimental results showed that our proposed method can not only preserve the model's classification accuracy, but also greatly improve the model's defense performance against adversarial attacks. In short, our proposed method not only guarantees the transfer of knowledge, but also realizes the transfer of model robustness. This is the main contribution of this paper.
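As an added illustration of the idea stated in the abstract (this is not the authors' code, and their exact procedure is not given on this page), the numpy script below adversarially trains a linear softmax classifier with FGSM on labelled source data, then adds the source-generated perturbations to unlabelled target data, producing adversarial target samples without target labels. The classifier, the constructed data, the budget EPS and the random pairing of source perturbations with target samples are all assumptions.

```python
import numpy as np

rng = np.random.default_rng(0)
EPS = 0.1  # L-inf perturbation budget (assumed; the abstract gives no value)

def softmax(z):
    z = z - z.max(axis=1, keepdims=True)
    e = np.exp(z)
    return e / e.sum(axis=1, keepdims=True)

def fgsm_perturbation(W, b, X, y, eps):
    """FGSM on a linear softmax classifier: eps * sign(dL/dX), L = cross-entropy."""
    P = softmax(X @ W + b)
    onehot = np.eye(W.shape[1])[y]
    return eps * np.sign((P - onehot) @ W.T)

def adversarial_train(Xs, ys, eps, steps=300, lr=0.5):
    """Train on labelled SOURCE data plus its one-step FGSM adversaries."""
    n_cls = int(ys.max()) + 1
    W, b = np.zeros((Xs.shape[1], n_cls)), np.zeros(n_cls)
    Y = np.eye(n_cls)[ys]
    for _ in range(steps):
        X_adv = np.clip(Xs + fgsm_perturbation(W, b, Xs, ys, eps), 0.0, 1.0)
        X_all, Y_all = np.vstack([Xs, X_adv]), np.vstack([Y, Y])
        G = softmax(X_all @ W + b) - Y_all          # dL/dlogits for cross-entropy
        W -= lr * X_all.T @ G / len(X_all)
        b -= lr * G.mean(axis=0)
    return W, b

def perturb_target(W, b, Xs, ys, Xt, eps):
    """Adversarial TARGET samples with no target labels: reuse source perturbations (random pairing is an assumption)."""
    delta = fgsm_perturbation(W, b, Xs, ys, eps)
    idx = rng.integers(0, len(Xs), size=len(Xt))
    return np.clip(Xt + delta[idx], 0.0, 1.0)

def accuracy(W, b, X, y):
    return float((np.argmax(X @ W + b, axis=1) == y).mean())

def make_domain(n, shift, d=8):
    """Constructed two-class data in [0,1]^d; `shift` simulates the domain gap."""
    y = rng.integers(0, 2, size=n)
    centers = np.where(y[:, None] == 1, 0.7, 0.3) + shift
    return np.clip(centers + 0.05 * rng.standard_normal((n, d)), 0.0, 1.0), y

Xs, ys = make_domain(200, shift=0.0)
Xt, yt = make_domain(200, shift=0.1)   # yt is used only for evaluation, never for training
W, b = adversarial_train(Xs, ys, EPS)
Xt_adv = perturb_target(W, b, Xs, ys, Xt, EPS)
print("clean / adversarial target acc:", accuracy(W, b, Xt, yt), accuracy(W, b, Xt_adv, yt))
```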
This work has been supported by the Open Foundation of Key Laboratory in Software Engineering of Yunnan Province under Grant No. 2020SE305.
Copyright information
© 2021 Springer Nature Switzerland AG
Cite this paper
Nie, Z., Lin, Y., Yan, M., Cao, Y., Ning, S. (2021). An Adversarial Training Method for Improving Model Robustness in Unsupervised Domain Adaptation. In: Qiu, H., Zhang, C., Fei, Z., Qiu, M., Kung, SY. (eds) Knowledge Science, Engineering and Management. KSEM 2021. Lecture Notes in Computer Science, vol 12817. Springer, Cham. https://doi.org/10.1007/978-3-030-82153-1_1
DOI: https://doi.org/10.1007/978-3-030-82153-1_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-82152-4
Online ISBN: 978-3-030-82153-1