ATRA: Efficient adversarial training with high-robust area

Original article, published in The Visual Computer

Abstract

Recent research has shown that deep networks are vulnerable to adversarial perturbations. Adversarial training and its variants are effective defenses against adversarial attacks: they enhance the robustness of deep neural networks by training them to fit adversarial examples. However, generating strong adversarial examples is computationally expensive, which makes the process time-consuming and efficient training a challenge. In this paper, we propose adversarial training with robust area (ATRA), a highly efficient variant of adversarial training. We experimentally find that certain pixels in an image play a crucial role in improving robust accuracy; we refer to this collection of discrete pixels as the high-robust area. Based on the robust area of the input instance, ATRA generates adversarial examples by applying an adaptive perturbation. Furthermore, we investigate the transferability of the high-robust area across the attack iteration process and experimentally demonstrate its effectiveness. As a result, ATRA reduces the additional cost of generating strong adversarial examples while maintaining model robustness. Our experimental results on MNIST, CIFAR10, and TinyImageNet show that our method outperforms current state-of-the-art baselines with significantly less additional training time, especially on MNIST, where our method requires 18× less training time. Our method also performs well under different adversarial attacks such as FGSM, CW, and AutoAttack.


Data availability

The datasets generated during and analyzed during the current study are available from the corresponding author on reasonable request.


Author information

Corresponding author: Yahong Han.

Ethics declarations

Conflict of interest

All authors declare that they have no conflict of interest.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

The original online version of this article was revised: the biography of Yahong Han was not correct.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.


About this article


Cite this article

Liu, S., Han, Y. ATRA: Efficient adversarial training with high-robust area. Vis Comput 40, 3649–3661 (2024). https://doi.org/10.1007/s00371-023-03057-9

DOI: https://doi.org/10.1007/s00371-023-03057-9
