Attacks which do not kill training make adversarial learning stronger

Jingfeng Zhang; Xilie Xu; Bo Han; Gang Niu; Lizhen Cui; Masashi Sugiyama; Mohan Kankanhalli

Attacks which do not kill training make adversarial learning stronger

Jingfeng Zhang^*, Xilie Xu, Bo Han, Gang Niu, Lizhen Cui, Masashi Sugiyama, Mohan Kankanhalli

^*Corresponding author for this work

Department of Computer Science

Research output: Chapter in book/report/conference proceeding › Conference proceeding › peer-review

141 Citations (Scopus)

Abstract

Adversarial training based on the minimax formulation is necessary for obtaining adversarial robustness of trained models. However, it is conservative or even pessimistic so that it sometimes hurts the natural generalization. In this paper, we raise a fundamental question do we have to trade off natural generalization for adversarial robustness? We argue that adversarial training is to employ confident adversarial data for updating the current model. We propose a novel formulation of friendly adversarial training (FAT): rather than employing most adversarial data maximizing the loss, we search for least adversarial data (i.e., friendly adversarial data) minimizing the loss, among the adversarial data that are confidently misclassified. Our novel formulation is easy to implement by just stopping the most adversarial data searching algorithms such as PGD (projected gradient descent) early, which we call early-stopped PGD. Theoretically, FAT is justified by an upper bound of the adversarial risk. Empirically, early-stopped PGD allows us to answer the earlier question negatively adversarial robustness can indeed be achieved without compromising the natural generalization.

Original language	English
Title of host publication	Proceedings of the 37th International Conference on Machine Learning, ICML 2020
Editors	Hal Daumé III, Aarti Singh
Publisher	ML Research Press
Pages	11214-11224
Number of pages	11
ISBN (Electronic)	9781713821120
Publication status	Published - Jul 2020
Event	37th International Conference on Machine Learning, ICML 2020 - Virtual, Online Duration: 13 Jul 2020 → 18 Jul 2020 https://proceedings.mlr.press/v119/

Publication series

Name	Proceedings of Machine Learning Research
Volume	119
ISSN (Print)	2640-3498

Conference

Conference	37th International Conference on Machine Learning, ICML 2020
Period	13/07/20 → 18/07/20
Internet address	https://proceedings.mlr.press/v119/

Scopus Subject Areas

Computational Theory and Mathematics
Human-Computer Interaction
Software

Access to Document

http://proceedings.mlr.press/v119/zhang20z/zhang20z.pdf

Cite this

Zhang, J., Xu, X., Han, B., Niu, G., Cui, L., Sugiyama, M., & Kankanhalli, M. (2020). Attacks which do not kill training make adversarial learning stronger. In H. Daumé III, & A. Singh (Eds.), Proceedings of the 37th International Conference on Machine Learning, ICML 2020 (pp. 11214-11224). (Proceedings of Machine Learning Research; Vol. 119). ML Research Press. http://proceedings.mlr.press/v119/zhang20z/zhang20z.pdf

@inproceedings{f13a1d3532c84948adcd189589ed541f,

title = "Attacks which do not kill training make adversarial learning stronger",

abstract = "Adversarial training based on the minimax formulation is necessary for obtaining adversarial robustness of trained models. However, it is conservative or even pessimistic so that it sometimes hurts the natural generalization. In this paper, we raise a fundamental question do we have to trade off natural generalization for adversarial robustness? We argue that adversarial training is to employ confident adversarial data for updating the current model. We propose a novel formulation of friendly adversarial training (FAT): rather than employing most adversarial data maximizing the loss, we search for least adversarial data (i.e., friendly adversarial data) minimizing the loss, among the adversarial data that are confidently misclassified. Our novel formulation is easy to implement by just stopping the most adversarial data searching algorithms such as PGD (projected gradient descent) early, which we call early-stopped PGD. Theoretically, FAT is justified by an upper bound of the adversarial risk. Empirically, early-stopped PGD allows us to answer the earlier question negatively adversarial robustness can indeed be achieved without compromising the natural generalization.",

author = "Jingfeng Zhang and Xilie Xu and Bo Han and Gang Niu and Lizhen Cui and Masashi Sugiyama and Mohan Kankanhalli",

note = "Funding Information: This research is supported by the National Research Foundation, Singapore under its Strategic Capability Research Centres Funding Initiative (MK, JZ), JST AIP Acceleration Research Grant Number JPMJCR20U3, Japan (GN, MS), National Key R&D Program No.2017YFB1400100, the NSFC No.91846205, the Shandong Key R&D Program No.2018YFJH0506 (LC), the Early Career Scheme (ECS) through the Research Grants Council of Hong Kong under Grant No.22200720 (BH), HKBU Tier-1 Start-up Grant (BH) and HKBU CSD Start-up Grant (BH). Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not reflect the views of National Research Foundation, Singapore.; 37th International Conference on Machine Learning, ICML 2020 ; Conference date: 13-07-2020 Through 18-07-2020",

year = "2020",

month = jul,

language = "English",

series = "Proceedings of Machine Learning Research",

publisher = "ML Research Press",

pages = "11214--11224",

editor = "{Daum{\'e} III}, Hal and Aarti Singh",

booktitle = "Proceedings of the 37th International Conference on Machine Learning, ICML 2020",

url = "https://proceedings.mlr.press/v119/",

}

Zhang, J, Xu, X, Han, B, Niu, G, Cui, L, Sugiyama, M & Kankanhalli, M 2020, Attacks which do not kill training make adversarial learning stronger. in H Daumé III & A Singh (eds), Proceedings of the 37th International Conference on Machine Learning, ICML 2020. Proceedings of Machine Learning Research, vol. 119, ML Research Press, pp. 11214-11224, 37th International Conference on Machine Learning, ICML 2020, 13/07/20. <http://proceedings.mlr.press/v119/zhang20z/zhang20z.pdf>

Attacks which do not kill training make adversarial learning stronger. / Zhang, Jingfeng; Xu, Xilie; Han, Bo et al.
Proceedings of the 37th International Conference on Machine Learning, ICML 2020. ed. / Hal Daumé III; Aarti Singh. ML Research Press, 2020. p. 11214-11224 (Proceedings of Machine Learning Research; Vol. 119).

Research output: Chapter in book/report/conference proceeding › Conference proceeding › peer-review

TY - GEN

T1 - Attacks which do not kill training make adversarial learning stronger

AU - Zhang, Jingfeng

AU - Xu, Xilie

AU - Han, Bo

AU - Niu, Gang

AU - Cui, Lizhen

AU - Sugiyama, Masashi

AU - Kankanhalli, Mohan

N1 - Funding Information: This research is supported by the National Research Foundation, Singapore under its Strategic Capability Research Centres Funding Initiative (MK, JZ), JST AIP Acceleration Research Grant Number JPMJCR20U3, Japan (GN, MS), National Key R&D Program No.2017YFB1400100, the NSFC No.91846205, the Shandong Key R&D Program No.2018YFJH0506 (LC), the Early Career Scheme (ECS) through the Research Grants Council of Hong Kong under Grant No.22200720 (BH), HKBU Tier-1 Start-up Grant (BH) and HKBU CSD Start-up Grant (BH). Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not reflect the views of National Research Foundation, Singapore.

PY - 2020/7

Y1 - 2020/7

N2 - Adversarial training based on the minimax formulation is necessary for obtaining adversarial robustness of trained models. However, it is conservative or even pessimistic so that it sometimes hurts the natural generalization. In this paper, we raise a fundamental question do we have to trade off natural generalization for adversarial robustness? We argue that adversarial training is to employ confident adversarial data for updating the current model. We propose a novel formulation of friendly adversarial training (FAT): rather than employing most adversarial data maximizing the loss, we search for least adversarial data (i.e., friendly adversarial data) minimizing the loss, among the adversarial data that are confidently misclassified. Our novel formulation is easy to implement by just stopping the most adversarial data searching algorithms such as PGD (projected gradient descent) early, which we call early-stopped PGD. Theoretically, FAT is justified by an upper bound of the adversarial risk. Empirically, early-stopped PGD allows us to answer the earlier question negatively adversarial robustness can indeed be achieved without compromising the natural generalization.

AB - Adversarial training based on the minimax formulation is necessary for obtaining adversarial robustness of trained models. However, it is conservative or even pessimistic so that it sometimes hurts the natural generalization. In this paper, we raise a fundamental question do we have to trade off natural generalization for adversarial robustness? We argue that adversarial training is to employ confident adversarial data for updating the current model. We propose a novel formulation of friendly adversarial training (FAT): rather than employing most adversarial data maximizing the loss, we search for least adversarial data (i.e., friendly adversarial data) minimizing the loss, among the adversarial data that are confidently misclassified. Our novel formulation is easy to implement by just stopping the most adversarial data searching algorithms such as PGD (projected gradient descent) early, which we call early-stopped PGD. Theoretically, FAT is justified by an upper bound of the adversarial risk. Empirically, early-stopped PGD allows us to answer the earlier question negatively adversarial robustness can indeed be achieved without compromising the natural generalization.

UR - http://www.scopus.com/inward/record.url?scp=85105322490&partnerID=8YFLogxK

UR - https://proceedings.mlr.press/v119/zhang20z.html

M3 - Conference proceeding

AN - SCOPUS:85105322490

T3 - Proceedings of Machine Learning Research

SP - 11214

EP - 11224

BT - Proceedings of the 37th International Conference on Machine Learning, ICML 2020

A2 - Daumé III, Hal

A2 - Singh, Aarti

PB - ML Research Press

T2 - 37th International Conference on Machine Learning, ICML 2020

Y2 - 13 July 2020 through 18 July 2020

ER -

Attacks which do not kill training make adversarial learning stronger

Abstract

Publication series

Conference

Scopus Subject Areas

Access to Document

Other files and links

Fingerprint

Cite this