TY - JOUR
T1 - NoiLIn
T2 - Improving Adversarial Training and Correcting Stereotype of Noisy Labels
AU - Zhang, Jingfeng
AU - Xu, Xilie
AU - Han, Bo
AU - Liu, Tongliang
AU - Cui, Lizhen
AU - Niu, Gang
AU - Sugiyama, Masashi
N1 - Funding information:
JZ was supported by JST Strategic Basic Research Programs, ACT-X, Grant No. JPMJAX21AF, and JSPS Grants-in-Aid for Scientific Research (KAKENHI), Early-Career Scientists, Grant No. 22K17955, Japan. BH was supported by RGC Early Career Scheme No. 22200720, NSFC Young Scientists Fund No. 62006202, Guangdong Basic and Applied Basic Research Foundation No. 2022A1515011652, the RIKEN Collaborative Research Fund, and an HKBU CSD Departmental Incentive Grant. TLL was partially supported by Australian Research Council Projects DP180103424, DE190101473, IC190100031, and DP220102121. LC was supported by the National Key R&D Program of China No. 2021YFF0900800, NSFC No. 91846205, SDNSFC No. ZR2019LZH008, and the Shandong Provincial Key Research and Development Program (Major Scientific and Technological Innovation Project) No. 2021CXGC010108. MS was supported by JST AIP Acceleration Research Grant Number JPMJCR20U3 and the Institute for AI and Beyond, UTokyo.
PY - 2022/6
Y1 - 2022/6
N2 - Adversarial training (AT), formulated as a minimax optimization problem, can effectively enhance a model's robustness against adversarial attacks. Existing AT methods have mainly focused on manipulating the inner maximization to generate quality adversarial variants or manipulating the outer minimization to design effective learning objectives. However, empirical results of AT always exhibit robustness at odds with accuracy, as well as the cross-over mixture problem, which motivates us to study label randomness for the benefit of AT. First, we thoroughly investigate noisy label (NL) injection into AT's inner maximization and outer minimization, respectively, and obtain observations on when NL injection benefits AT. Second, based on these observations, we propose NoiLIn, a simple but effective method that randomly injects NLs into the training data at each training epoch and dynamically increases the NL injection rate once robust overfitting occurs. Empirically, NoiLIn can significantly mitigate AT's undesirable issue of robust overfitting and even further improve the generalization of state-of-the-art AT methods. Philosophically, NoiLIn sheds light on a new perspective of learning with NLs: NLs should not always be deemed detrimental, and even in the absence of NLs in the training set, we may consider injecting them deliberately.
AB - Adversarial training (AT), formulated as a minimax optimization problem, can effectively enhance a model's robustness against adversarial attacks. Existing AT methods have mainly focused on manipulating the inner maximization to generate quality adversarial variants or manipulating the outer minimization to design effective learning objectives. However, empirical results of AT always exhibit robustness at odds with accuracy, as well as the cross-over mixture problem, which motivates us to study label randomness for the benefit of AT. First, we thoroughly investigate noisy label (NL) injection into AT's inner maximization and outer minimization, respectively, and obtain observations on when NL injection benefits AT. Second, based on these observations, we propose NoiLIn, a simple but effective method that randomly injects NLs into the training data at each training epoch and dynamically increases the NL injection rate once robust overfitting occurs. Empirically, NoiLIn can significantly mitigate AT's undesirable issue of robust overfitting and even further improve the generalization of state-of-the-art AT methods. Philosophically, NoiLIn sheds light on a new perspective of learning with NLs: NLs should not always be deemed detrimental, and even in the absence of NLs in the training set, we may consider injecting them deliberately.
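N1 - The NL-injection schedule summarized in the abstract can be sketched as follows. This is a minimal illustration under assumed details, not the authors' reference implementation: it assumes symmetric (uniformly random) label flipping, an initial rate sigma with a fixed increment and cap, and hypothetical helpers adv_train_epoch and eval_robust_acc standing in for one epoch of any standard AT method (e.g., PGD-based AT) and for validation robust accuracy.

# Sketch of the NoiLIn schedule described in the abstract; the noise model,
# schedule constants, and the two helper functions are assumptions.
import numpy as np

def symmetric_noise(labels, rate, num_classes, rng):
    """Randomly relabel a `rate` fraction of examples (symmetric NL injection)."""
    noisy = labels.copy()
    flip = rng.random(len(labels)) < rate
    noisy[flip] = rng.integers(0, num_classes, size=flip.sum())
    return noisy

def noilin(model, x_train, y_train, epochs, num_classes,
           sigma=0.1, step=0.05, sigma_max=0.5, seed=0):
    rng = np.random.default_rng(seed)
    best_robust = 0.0
    for epoch in range(epochs):
        # Fresh NLs are drawn each epoch rather than fixed once.
        y_noisy = symmetric_noise(y_train, sigma, num_classes, rng)
        adv_train_epoch(model, x_train, y_noisy)  # hypothetical: one AT epoch
        robust = eval_robust_acc(model)           # hypothetical: validation robust accuracy
        if robust >= best_robust:
            best_robust = robust
        else:
            # Robust accuracy degrading is taken as the robust-overfitting
            # signal, so the NL injection rate is raised.
            sigma = min(sigma + step, sigma_max)
    return model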
UR - https://www.jmlr.org/tmlr/papers/
M3 - Journal article
SN - 2835-8856
JO - Transactions on Machine Learning Research
JF - Transactions on Machine Learning Research
ER -