Skip to main content
SpringerLink
Log in

Enhancing Adversarial Robustness via Anomaly-aware Adversarial Training

  • Conference paper
  • First Online:
Knowledge Science, Engineering and Management (KSEM 2023)

Part of the book series: Lecture Notes in Computer Science ((LNAI,volume 14117))

  • 535 Accesses

Abstract

Adversarial training (AT) is one of the most promising solutions for defending adversarial attacks. By exploiting the adversarial examples generated in the maximization step of AT, a large improvement on the robustness can be brought. However, by analyzing the original natural examples and the corresponding adversarial examples, we observe that a certain part of them are abnormal. In this paper, we propose a novel AT framework called anomaly-aware adversarial training (A\(^3\)T), which utilizes different learning strategies for handling the one normal case and two abnormal cases of generating adversarial examples. Extensive experiments on three publicly available datasets with classifiers in three major network architectures demonstrate that A\(^3\)T is effective in robustifying networks to adversarial attacks in both white/black-box settings and outperforms the state-of-the-art AT methods.

K. Tang and T. Lou—Contributed equally to this work.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 59.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 79.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICML, pp. 274–283 (2018)

    Google Scholar 

  2. Cai, Q.Z., Liu, C., Song, D.: Curriculum adversarial training. In: IJCAI, pp. 3740–3747 (2018)

    Google Scholar 

  3. Croce, F., Hein, M.: Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks. In: ICML, pp. 2206–2216 (2020)

    Google Scholar 

  4. Ding, G.W., Sharma, Y., Lui, K.Y.C., Huang, R.: MMA training: direct input space margin maximization through adversarial training. In: ICLR (2019)

    Google Scholar 

  5. Goodfellow, I.J., Shlens, J., Szegedy, C.: Explaining and harnessing adversarial examples. In: ICLR (2015)

    Google Scholar 

  6. Grigorescu, S., Trasnea, B., Cocias, T., Macesanu, G.: A survey of deep learning techniques for autonomous driving. J. Field Robot. 37(3), 362–386 (2020)

    Article  Google Scholar 

  7. Guo, C., Rana, M., Cisse, M., Van Der Maaten, L.: Countering adversarial images using input transformations. In: ICLR (2018)

    Google Scholar 

  8. Guo, S., Li, X., Zhu, P., Mu, Z.: ADS-Detector: an attention-based dual stream adversarial example detection method. Knowl.-Based Syst. 265, 110388 (2023)

    Article  Google Scholar 

  9. He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016)

    Google Scholar 

  10. Hong, J., Tang, K., Gao, C., Wang, S., Guo, S., Zhu, P.: GM-Attack: improving the transferability of adversarial attacks. In: KSEM, pp. 489–500 (2022)

    Google Scholar 

  11. Jia, X., et al.: Prior-guided adversarial initialization for fast adversarial training. In: Avidan, S., Brostow, G., Cisse, M., Farinella, G.M., Hassner, T. (eds.) Computer Vision – ECCV 2022. ECCV 2022. Lecture Notes in Computer Science, vol. 13664, pp. 567–584. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-19772-7_33

  12. Jia, X., Zhang, Y., Wu, B., Wang, J., Cao, X.: Boosting fast adversarial training with learnable adversarial initialization. IEEE Trans. Image Process. 31, 4417–4430 (2022). https://doi.org/10.1109/TIP.2022.3184255

    Article  Google Scholar 

  13. Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images (2009)

    Google Scholar 

  14. Kurakin, A., Goodfellow, I., Bengio, S.: Adversarial machine learning at scale. arXiv preprint arXiv:1611.01236 (2016)

  15. Le, Y., Yang, X.S.: Tiny imagenet visual recognition challenge (2015)

    Google Scholar 

  16. LeCun, Y., Bengio, Y., Hinton, G.: Deep learning. Nature 521(7553), 436–444 (2015)

    Article  Google Scholar 

  17. Li, Y., Cheng, S., Su, H., Zhu, J.: Defense against adversarial attacks via controlling gradient leaking on embedded manifolds. In: Vedaldi, A., Bischof, H., Brox, T., Frahm, J.-M. (eds.) ECCV 2020. LNCS, vol. 12373, pp. 753–769. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-58604-1_45

    Chapter  Google Scholar 

  18. Lin, N., et al.: Manipulation planning from demonstration via goal-conditioned prior action primitive decomposition and alignment. IEEE Robot. Autom. Lett. 7(2), 1387–1394 (2022)

    Article  Google Scholar 

  19. Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018)

    Google Scholar 

  20. Papernot, N., McDaniel, P., Jha, S., Fredrikson, M., Celik, Z.B., Swami, A.: The limitations of deep learning in adversarial settings, pp. 372–387 (2016)

    Google Scholar 

  21. Sandler, M., Howard, A., Zhu, M., Zhmoginov, A., Chen, L.C.: Mobilenetv 2: Inverted residuals and linear bottlenecks. In: CVPR, pp. 4510–4520 (2018)

    Google Scholar 

  22. Shafahi, A., et al.: Adversarial training for free! In: NeurIPS, pp. 3358–3369 (2019)

    Google Scholar 

  23. Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. arXiv preprint arXiv:1409.1556 (2014)

  24. Szegedy, C., et al.: Intriguing properties of neural networks. In: ICLR (2014)

    Google Scholar 

  25. Tack, J., Yu, S., Jeong, J., Kim, M., Hwang, S.J., Shin, J.: Consistency regularization for adversarial robustness. In: AAAI, vol. 36, pp. 8414–8422 (2022)

    Google Scholar 

  26. Tang, K., et al.: RepPVConv: attentively fusing reparameterized voxel features for efficient 3d point cloud perception. The Visual Computer, pp. 1–12 (2022). https://doi.org/10.1007/s00371-022-02682-0

  27. Tang, K., Ma, Y., Miao, D., Song, P., Gu, Z., Wang, W.: Decision fusion networks for image classification. IEEE Transactions on Neural Networks and Learning Systems, pp. 1–14 (2022). https://doi.org/10.1109/TNNLS.2022.3196129

  28. Tang, K., et al.: Rethinking perturbation directions for imperceptible adversarial attacks on point clouds. IEEE Internet Things J. 10(6), 5158–5169 (2023). https://doi.org/10.1109/JIOT.2022.3222159

    Article  Google Scholar 

  29. Tang, K., et al.: NormalAttack: curvature-aware shape deformation along normals for imperceptible point cloud attack. Security and Communication Networks 2022 (2022)

    Google Scholar 

  30. Wang, Y., Ma, X., Bailey, J., Yi, J., Zhou, B., Gu, Q.: On the convergence and robustness of adversarial training. In: ICML, pp. 6586–6595. PMLR (2019)

    Google Scholar 

  31. Wang, Y., Zou, D., Yi, J., Bailey, J., Ma, X., Gu, Q.: Improving adversarial robustness requires revisiting misclassified examples. In: ICLR (2019)

    Google Scholar 

  32. Xie, C., Wu, Y., van der Maaten, L., Yuille, A.L., He, K.: Feature denoising for improving adversarial robustness. In: CVPR, pp. 501–509 (2019)

    Google Scholar 

  33. Zagoruyko, S., Komodakis, N.: Wide residual networks. In: BMVC (2016)

    Google Scholar 

  34. Zhang, D., Zhang, T., Lu, Y., Zhu, Z., Dong, B.: You only propagate once: accelerating adversarial training via maximal principle. In: NeurIPS, vol. 32, pp. 227–238 (2019)

    Google Scholar 

  35. Zhang, H., Yu, Y., Jiao, J., Xing, E., El Ghaoui, L., Jordan, M.: Theoretically principled trade-off between robustness and accuracy. In: ICML, pp. 7472–7482 (2019)

    Google Scholar 

  36. Zhu, P., Hong, J., Li, X., Tang, K., Wang, Z.: SGMA: a novel adversarial attack approach with improved transferability. Complex & Intelligent Systems, pp. 1–13 (2023). https://doi.org/10.1007/s40747-023-01060-0

Download references

Acknowledgment

This work was supported in part by the National Key R &D Program of China (2020AAA0107704), the National Natural Science Foundation of China (62102105 and 62073263), the Guangdong Basic and Applied Basic Research Foundation (2020A1515110997 and 2022A1515011501).

Author information

Authors and Affiliations

  1. Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou, 510006, China

    Keke Tang, Tianrui Lou, Xu He & Yawen Shi

  2. School of Artificial Intelligence, Optics, and Electronics (iOPEN), Northwestern Polytechnical University, Xi’an, 710072, China

    Peican Zhu

  3. Department of Computer Science and Technology, Harbin Institute of Technology (Shenzhen), Shenzhen, 518055, China

    Zhaoquan Gu

Authors
  1. Keke Tang
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Tianrui Lou
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Xu He
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Yawen Shi
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Peican Zhu
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Zhaoquan Gu
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding authors

Correspondence to Tianrui Lou or Peican Zhu .

Editor information

Editors and Affiliations

  1. Peking University, Beijing, China

    Zhi Jin

  2. South China Normal University, Guangzhou, China

    Yuncheng Jiang

  3. Babeș-Bolyai University, Cluj-Napoca, Romania

    Robert Andrei Buchmann

  4. Ulster University, Belfast, UK

    Yaxin Bi

  5. Babeș-Bolyai University, Cluj-Napoca, Romania

    Ana-Maria Ghiran

  6. South China Normal University, Guangzhou, China

    Wenjun Ma

Rights and permissions

Reprints and permissions

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Tang, K., Lou, T., He, X., Shi, Y., Zhu, P., Gu, Z. (2023). Enhancing Adversarial Robustness via Anomaly-aware Adversarial Training. In: Jin, Z., Jiang, Y., Buchmann, R.A., Bi, Y., Ghiran, AM., Ma, W. (eds) Knowledge Science, Engineering and Management. KSEM 2023. Lecture Notes in Computer Science(), vol 14117. Springer, Cham. https://doi.org/10.1007/978-3-031-40283-8_28

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-40283-8_28

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-40282-1

  • Online ISBN: 978-3-031-40283-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation