Deep neural networks have achieved remarkable success in a variety of fields and are now widely deployed in areas where reliability and security are critical, such as medical image processing [shen2017deep], autonomous driving [grigorescu2020survey], and face recognition [sharif2017adversarial]. Unfortunately, recent studies [fgsm, madry2018towards] have shown that adding an imperceptible, deliberately crafted adversarial perturbation to an input image can severely degrade a network's recognition ability or steer it into misclassifying the image as an attacker-chosen target class. Beyond artificially designed adversarial examples, the common corruptions [hendrycks2019benchmarking] and occlusions [devries2017improved] found in real-world environments also undermine the robustness and reliability of neural networks.
Many methods [fgsm, madry2018towards, dabouei2020exploiting, zhang2019theoretically, lamb2019interpolated] have recently been proposed for defending against adversarial attacks. Among them, adversarial training has proven to be one of the most promising [madry2018towards, zhang2019theoretically, lamb2019interpolated]. However, adversarial training has a serious drawback: it drastically reduces the generalization ability of neural networks on the original data [madry2018towards, zhang2019theoretically]. Furthermore, we find that adversarial training is similarly detrimental to occlusion robustness. Previous studies [schmidt2018adversarially, engstrom2019exploring] have also shown that improving one specific kind of robustness does not necessarily benefit, and can even harm, another. In our experiments we likewise observe that CutMix [cutmix] effectively enhances occlusion robustness but is detrimental to noise robustness and adversarial robustness. For security-sensitive applications, however, we cannot consider only a single kind of robustness; we must consider multiple aspects of robustness together with the generalization performance of the model.
To address these issues, we propose AugRmixAT, a new data processing and training method that simultaneously improves multiple kinds of robustness and the generalization performance of neural network models. AugRmixAT uses traditional data augmentation, mixed sample data augmentation between different samples [mixup, cutmix, harris2020fmix, qin2020resizemix], and augmentation by adversarial perturbation to generate several different sets of augmented data. To preserve generalization performance on clean data (the standard test data), AugRmixAT trains these sets of augmented data with both a soft cross-entropy loss and a Jensen-Shannon divergence [endres2003new] consistency loss in a surrogate manner. Finally, experiments on CIFAR-10/100 and Tiny-ImageNet [chrabaszcz2017downsampled] show that AugRmixAT simultaneously improves white-box robustness, black-box robustness, robustness to the 19 common corruptions on CIFAR-10/100 and the 15 common corruptions on Tiny-ImageNet, partial occlusion robustness, and generalization performance on clean data.
2 Related Work
Data Augmentation. Data augmentation is a practical and powerful technique for increasing the diversity of training data, improving the generalization ability of neural networks and preventing overfitting [bishop2006pattern]. Commonly used augmentations in computer vision include geometric transformations, flipping, color modification, cropping, rotation, translation, noise injection and random erasing [shorten2019survey]. Recently, mixed sample data augmentation has attracted considerable attention and a series of such methods [mixup, cutmix, harris2020fmix, qin2020resizemix] have been proposed. Mixup [mixup], the first of these, generates a new training sample and label as a convex combination of two different samples and their labels. Combining the ideas of Mixup and Cutout [devries2017improved], CutMix [cutmix] cuts a patch from one training image and pastes it onto another, mixing the ground-truth labels in proportion to the patch area. FMix [harris2020fmix] improves the shape of CutMix patches by using a random binary mask obtained by thresholding a low-frequency image sampled from Fourier space. To address the label misallocation and missing object information of CutMix, ResizeMix [qin2020resizemix] resizes the whole source image to a small patch and pastes it onto another image. AugMix [hendrycks2020augmix] improves both generalization performance and corruption robustness by mixing common data augmentations.
Adversarial Training (AT). Adversarial training, which augments the training set with adversarial examples, is one of the most effective defenses against adversarial attacks [fgsm, madry2018towards, zhang2019theoretically, lamb2019interpolated], and can therefore itself be regarded as a data augmentation technique. Goodfellow et al. [fgsm] proposed the Fast Gradient Sign Method (FGSM), a simple and fast way to generate adversarial examples for adversarial training. Projected Gradient Descent (PGD) adversarial training [madry2018towards] uses the PGD attack to generate adversarial examples and trains only on them. Zhang et al. [zhang2019theoretically] proposed TRADES to explicitly optimize the trade-off between adversarial robustness and standard accuracy. Lamb et al. [lamb2019interpolated] proposed Interpolated Adversarial Training (IAT), which trains on interpolations of adversarial examples together with interpolations of unperturbed examples and improves adversarial robustness without sacrificing too much standard accuracy.
Previous data augmentation [mixup, cutmix, hendrycks2020augmix] and adversarial training [madry2018towards, zhang2019theoretically, lamb2019interpolated] methods can effectively improve a specific kind of robustness or generalization performance, but they struggle to improve several kinds of robustness and generalization simultaneously. In particular, most adversarial training methods [madry2018towards, zhang2019theoretically, lamb2019interpolated] sacrifice standard accuracy when enhancing adversarial robustness. AugRmixAT is an image data processing and training method that improves multiple kinds of robustness and generalization performance at the same time and is easy to slot into existing training pipelines. Figure 1 shows an example of AugRmixAT. First, from a batch of input images we generate augmented images with the “Augment And Mix” operation and adversarial examples by adding adversarial perturbations. Next, the original images, the “Augment And Mix” images and the adversarial examples are all processed with the same mixed sample data augmentation to produce three mixed sets, and the corresponding mixed labels are generated from the original labels. Finally, we train on the three mixed sets with a soft cross-entropy loss and a Jensen-Shannon divergence consistency loss.
Augment And Mix. We use the same “Augment And Mix” operation as AugMix [hendrycks2020augmix]. It starts by randomly selecting several augmentations from the base augmentation set to form multiple augmentation chains, and produces one augmented sample per chain. These augmented samples are then mixed through a random convex combination whose weights are sampled from a Dirichlet distribution. Finally, the mixed sample is combined with the original sample through a second random convex combination whose weight is sampled from a Beta distribution. In our experiments, we set the distribution parameter to 1 and the number of augmentation chains to 3. Each augmentation chain consists of 1 to 3 random base augmentation operations. Our base data augmentation set contains , , , , , .
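As an added illustration (not the paper's code), the following NumPy sketch implements the Augment-And-Mix operation described above with width 3, chain depth 1 to 3 and a distribution parameter of 1. Because the paper's base operation names did not survive extraction, the four base ops used here (flip, brightness, contrast, translate) are stand-ins and an assumption; `augment_and_mix` and `example` are names chosen for this example.

```python
"""Augment-And-Mix (AugMix-style) in NumPy: an added illustration, not the paper's code."""
import numpy as np

# Stand-in base augmentations (assumption: the paper's operation names did not
# survive extraction, so these four simple ops are placeholders). Each op maps a
# float image of shape (H, W, C) with values in [0, 1] to the same shape/range.
def _flip(img, rng):
    return img[:, ::-1, :]

def _brightness(img, rng):
    return np.clip(img + rng.uniform(-0.3, 0.3), 0.0, 1.0)

def _contrast(img, rng):
    mean = img.mean()
    return np.clip((img - mean) * rng.uniform(0.5, 1.5) + mean, 0.0, 1.0)

def _translate(img, rng):
    dy, dx = (int(v) for v in rng.integers(-3, 4, size=2))
    return np.roll(img, shift=(dy, dx), axis=(0, 1))

BASE_OPS = [_flip, _brightness, _contrast, _translate]


def augment_and_mix(img, rng, ops=BASE_OPS, width=3, depth=(1, 3), alpha=1.0):
    """Return the Augment-And-Mix version of `img`.

    width : number of augmentation chains (paper: 3)
    depth : each chain applies between depth[0] and depth[1] random base ops (paper: 1 to 3)
    alpha : parameter of the Dirichlet weights over chains and of the
            Beta weight between the chain mixture and the original (paper: 1)
    """
    chain_weights = rng.dirichlet([alpha] * width)   # first random convex combination
    m = rng.beta(alpha, alpha)                       # second random convex combination
    mixed = np.zeros_like(img)
    for w in chain_weights:
        chain = img
        for _ in range(rng.integers(depth[0], depth[1] + 1)):
            chain = ops[rng.integers(len(ops))](chain, rng)
        mixed += w * chain
    # Convex combinations of images in [0, 1] stay in [0, 1] (up to rounding).
    return (1.0 - m) * img + m * mixed


def example():
    """Run on a constructed 8x8 RGB gradient image; return plain-Python checks."""
    rng = np.random.default_rng(0)
    img = np.linspace(0.0, 1.0, 8 * 8 * 3).reshape(8, 8, 3)   # constructed input
    out = augment_and_mix(img, rng)
    # With identity-only ops both convex combinations must give back the input.
    identity_out = augment_and_mix(img, rng, ops=[lambda im, r: im])
    return {
        "shape_kept": out.shape == img.shape,
        "in_range": bool(out.min() >= -1e-9 and out.max() <= 1.0 + 1e-9),
        "identity_is_noop": bool(np.allclose(identity_out, img)),
    }
```

The identity-ops check is the useful sanity test when wiring this into a real pipeline: if the mixture weights or the skip connection are implemented wrongly, an identity chain no longer reproduces the input.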
Adversarial examples. We apply PGD [madry2018towards] adversarial attacks to generate adversarial examples, which can be expressed as
where is the adversarial perturbation budget, is the perturbation step size, represents the neighborhood of , is the sign function, is the KL divergence loss, and denotes the neural network with parameters .
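The PGD procedure described above, written out in NumPy as an added example (not the paper's code): the network is replaced by a toy softmax-linear classifier so the KL gradient can be derived by hand, the attack maximises the KL divergence between the prediction on the clean input and the prediction on the perturbed input, and each iteration takes a signed-gradient step, projects back onto the L-infinity ball whose radius is the perturbation budget, and clips to the valid pixel range. The budget 0.031, step size 0.007 and 10 iterations match the settings reported in Section 4.1; the small random initialisation and the function names are assumptions.

```python
"""L-inf PGD with a KL-divergence objective on a toy softmax-linear classifier
(NumPy stand-in for the paper's network; added example, not the paper's code)."""
import numpy as np

def softmax(z):
    z = z - z.max(axis=-1, keepdims=True)
    e = np.exp(z)
    return e / e.sum(axis=-1, keepdims=True)

def kl_div(p, q, tiny=1e-12):
    """Mean over the batch of KL(p || q), summed over classes."""
    return float(np.mean(np.sum(p * (np.log(p + tiny) - np.log(q + tiny)), axis=-1)))

def predict(x, W, b):
    """Toy classifier f(x) = softmax(x W + b); x: (N, D), W: (D, K), b: (K,)."""
    return softmax(x @ W + b)

def pgd_kl(x, W, b, budget=0.031, step=0.007, iters=10, rng=None):
    """Maximise KL(f(x) || f(x_adv)) over the L-inf ball of radius `budget` around x.

    Each iteration takes a signed-gradient step of size `step`, projects back
    onto the ball around the clean input, and clips to the valid pixel range.
    """
    rng = np.random.default_rng(0) if rng is None else rng
    p_clean = predict(x, W, b)                          # fixed reference distribution
    # Small random start (assumption: TRADES-style initialisation).
    x_adv = np.clip(x + 0.001 * rng.standard_normal(x.shape), 0.0, 1.0)
    for _ in range(iters):
        q = predict(x_adv, W, b)
        # d KL(p || softmax(z)) / d z = q - p ; chain rule through z = x_adv W + b
        grad = (q - p_clean) @ W.T
        x_adv = x_adv + step * np.sign(grad)            # signed ascent step
        x_adv = np.clip(x_adv, x - budget, x + budget)  # projection onto the L-inf ball
        x_adv = np.clip(x_adv, 0.0, 1.0)                # keep a valid image
    return x_adv

def example(budget=0.031, step=0.007, iters=10):
    """Constructed 4-feature, 3-class toy problem; returns plain-Python checks."""
    rng = np.random.default_rng(1)
    W = rng.standard_normal((4, 3)) * 3.0      # steep weights so a small budget matters
    b = np.zeros(3)
    x = rng.uniform(0.2, 0.8, size=(5, 4))     # constructed clean inputs
    x_adv = pgd_kl(x, W, b, budget, step, iters, rng)
    p_clean = predict(x, W, b)
    return {
        "linf": float(np.max(np.abs(x_adv - x))),
        "within_budget": bool(np.max(np.abs(x_adv - x)) <= budget + 1e-9),
        "kl_clean": kl_div(p_clean, p_clean),
        "kl_adv": kl_div(p_clean, predict(x_adv, W, b)),
    }
```

The two invariants worth asserting in any PGD implementation are visible in `example`: the final perturbation never exceeds the budget (the projection is what enforces it, since 10 steps of 0.007 could otherwise travel 0.07), and the KL objective is strictly larger at the adversarial point than at the clean point, where it is zero by definition.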
Mixed Sample Data Augmentation. To obtain more diverse training data, we apply the same mixed sample data augmentation operation simultaneously to the original images, the “Augment And Mix” images and the adversarial examples. In our work, we integrate several mixed sample data augmentation methods [mixup, cutmix, harris2020fmix, qin2020resizemix] and choose among them at random. Our mixed sample data augmentation operates as follows,
where is the random permutation function, is the random choice function, and is the corresponding mixing ratio.
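An added NumPy example (not the paper's code) of the lock-step mixing this paragraph describes: one mixing method is chosen at random from Mixup, CutMix and ResizeMix, and the same permutation, the same box and the same mixing ratio are applied to every set (original images, Augment-And-Mix images, adversarial examples), so a single set of mixed labels is valid for all of them. The Beta(alpha, alpha) draw for the ratio, the nearest-neighbour resize used for ResizeMix, the three-method menu and the function names are assumptions; the page does not show the exact sampling used.

```python
"""Mixed-sample augmentation applied in lock-step to several aligned batches
(NumPy; added example, not the paper's code). One op, one permutation and one
mixing ratio are drawn per batch and reused for every set, so the mixed
original images, mixed Augment-And-Mix images and mixed adversarial examples
share a single set of mixed labels."""
import numpy as np

def one_hot(labels, num_classes):
    return np.eye(num_classes)[labels]

def cut_box(H, W, lam, rng):
    """Random box covering a (1 - lam) fraction of the image, as in CutMix.
    Returns (y1, y2, x1, x2) and the ratio actually realised after clipping."""
    cut = np.sqrt(1.0 - lam)
    ch, cw = int(H * cut), int(W * cut)
    cy, cx = int(rng.integers(H)), int(rng.integers(W))
    y1, y2 = max(cy - ch // 2, 0), min(cy + ch // 2, H)
    x1, x2 = max(cx - cw // 2, 0), min(cx + cw // 2, W)
    lam_eff = 1.0 - (y2 - y1) * (x2 - x1) / (H * W)
    return (y1, y2, x1, x2), lam_eff

def mixed_sample_augment(batches, labels, num_classes, rng, alpha=1.0,
                         ops=("mixup", "cutmix", "resizemix")):
    """Mix each batch in `batches` (all shaped (N, H, W, C)) with a permuted copy
    of itself using ONE randomly chosen op, permutation and ratio shared by all.
    Returns the mixed batches, the shared soft labels (N, num_classes), and the op."""
    N, H, W, _ = batches[0].shape
    perm = rng.permutation(N)              # random permutation, shared by all sets
    lam = rng.beta(alpha, alpha)           # mixing ratio, shared by all sets (assumed Beta draw)
    op = str(rng.choice(list(ops)))        # random choice of mixing method, shared
    if op == "mixup":
        lam_eff = lam
        def mix(a):
            return lam * a + (1.0 - lam) * a[perm]
    else:
        (y1, y2, x1, x2), lam_eff = cut_box(H, W, lam, rng)
        def mix(a):
            out, src = a.copy(), a[perm]
            if op == "cutmix":             # paste the same region from the partner image
                out[:, y1:y2, x1:x2] = src[:, y1:y2, x1:x2]
            elif y2 > y1 and x2 > x1:      # resizemix: shrink the whole partner into the box
                rows = (np.arange(y2 - y1) * H) // (y2 - y1)
                cols = (np.arange(x2 - x1) * W) // (x2 - x1)
                out[:, y1:y2, x1:x2] = src[:, rows][:, :, cols]
            return out
    y = one_hot(labels, num_classes)
    y_mixed = lam_eff * y + (1.0 - lam_eff) * y[perm]   # labels mixed by the realised ratio
    return [mix(a) for a in batches], y_mixed, op

def example(op):
    """Constructed batch of 4 images (8x8x3, 3 classes). The second set is a
    scaled copy of the first, so lock-step mixing can be verified exactly."""
    rng = np.random.default_rng(0)
    x = rng.uniform(size=(4, 8, 8, 3))              # constructed "original" batch
    labels = np.array([0, 1, 2, 0])
    (m0, m1), y_mixed, used = mixed_sample_augment([x, 0.5 * x], labels, 3, rng, ops=(op,))
    return {
        "op": used,
        "aligned": bool(np.allclose(m1, 0.5 * m0)),
        "labels_sum_to_one": bool(np.allclose(y_mixed.sum(axis=1), 1.0)),
        "labels_shape": y_mixed.shape == (4, 3),
        "labels_in_unit_range": bool(y_mixed.min() >= -1e-12 and y_mixed.max() <= 1.0 + 1e-12),
    }
```

The `aligned` check is the property that matters for this method: because every set receives the identical permutation, box and ratio, a pixel-wise relation between two input sets (here, one is half the other) survives mixing, which is exactly what makes one mixed label vector valid for the original, augmented and adversarial views at once.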
Loss Function. To preserve the generalization ability of the model while improving its robustness, we train the mixed “Augment And Mix” images and the mixed adversarial examples with a Jensen-Shannon divergence consistency loss, which acts as a surrogate objective alongside the soft cross-entropy loss. Our loss function is defined as
where the two weights are regularization hyperparameters. The detailed algorithm is described in Algorithm 1.
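An added NumPy sketch of how the two loss terms described above can be combined (not the authors' definition, which did not survive extraction): soft cross-entropy on the predictions for the mixed original images against the mixed labels, plus two Jensen-Shannon consistency terms, one between the predictions on the mixed original and mixed Augment-And-Mix images weighted by the first regularization hyperparameter, and one between the predictions on the mixed original and mixed adversarial images weighted by the second. Assigning the first weight to the augmentation term and the second to the adversarial term is an assumption, chosen to be consistent with the sensitivity analysis in Section 4.4; the function names are chosen for this example.

```python
"""Training objective sketch: soft cross-entropy on the mixed original images plus
Jensen-Shannon consistency terms pulling the predictions on the mixed Augment-And-Mix
images and mixed adversarial examples towards the prediction on the mixed originals.
NumPy, added example; the weighting of the two JS terms is an assumption, not the
authors' definition."""
import numpy as np

def _log(p, tiny=1e-12):
    return np.log(p + tiny)

def soft_cross_entropy(p, y_soft):
    """Mean over the batch of -sum_k y_k log p_k for soft (mixed) labels y."""
    return float(np.mean(-np.sum(y_soft * _log(p), axis=-1)))

def js_divergence(p, q):
    """Jensen-Shannon divergence between two batches of class distributions
    (mean over the batch). Symmetric in p and q and bounded by log 2."""
    m = 0.5 * (p + q)
    kl_pm = np.sum(p * (_log(p) - _log(m)), axis=-1)
    kl_qm = np.sum(q * (_log(q) - _log(m)), axis=-1)
    return float(np.mean(0.5 * kl_pm + 0.5 * kl_qm))

def augrmixat_style_loss(p_orig, p_aug, p_adv, y_mixed, lam1=1.0, lam2=1.0):
    """Total loss and its three components.
    lam1 weights consistency with the augmented view, lam2 with the adversarial
    view (assumed assignment, matching the roles described in Section 4.4)."""
    ce = soft_cross_entropy(p_orig, y_mixed)
    js_aug = js_divergence(p_orig, p_aug)
    js_adv = js_divergence(p_orig, p_adv)
    return ce + lam1 * js_aug + lam2 * js_adv, (ce, js_aug, js_adv)

def example():
    """Constructed predictions for a batch of 3 samples over 4 classes."""
    p_orig = np.array([[0.7, 0.1, 0.1, 0.1], [0.2, 0.6, 0.1, 0.1], [0.25, 0.25, 0.25, 0.25]])
    p_aug = np.array([[0.6, 0.2, 0.1, 0.1], [0.2, 0.5, 0.2, 0.1], [0.25, 0.25, 0.25, 0.25]])
    p_adv = np.array([[0.1, 0.1, 0.1, 0.7], [0.1, 0.1, 0.7, 0.1], [0.7, 0.1, 0.1, 0.1]])
    y_mixed = np.array([[1.0, 0.0, 0.0, 0.0], [0.3, 0.7, 0.0, 0.0], [0.5, 0.0, 0.5, 0.0]])
    total, (ce, js_aug, js_adv) = augrmixat_style_loss(p_orig, p_aug, p_adv, y_mixed)
    return {
        "total": total, "ce": ce, "js_aug": js_aug, "js_adv": js_adv,
        "js_self_is_zero": js_divergence(p_orig, p_orig),
        "js_symmetric": abs(js_divergence(p_orig, p_adv) - js_divergence(p_adv, p_orig)) < 1e-12,
        "js_bounded": js_adv <= float(np.log(2.0)) + 1e-12,
        "adv_view_farther": js_adv > js_aug,
    }
```

Two properties make JS divergence a safer consistency term than plain KL here: it is symmetric, so it does not matter which view is treated as the reference, and it is bounded by log 2, so a confidently wrong adversarial prediction cannot blow up the loss the way an unbounded KL term can.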
4.1 Implementation Details
We use the same neural network architectures as previous works [madry2018towards, zhang2019theoretically], i.e., WideResNet-34-10 [zagoruyko2016wide] for the experiments on CIFAR-10/100 and PreAct-ResNet18 [he2016identity] for the experiments on Tiny-ImageNet [chrabaszcz2017downsampled]. Apart from the network architecture, all settings and hyperparameters are identical across datasets. We use SGD with momentum on both CIFAR-10/100 and Tiny-ImageNet, with an initial learning rate of 0.1 decayed by a cosine annealing schedule [2016SGDR], momentum 0.9 and a weight decay of . The training batch size is set to and the maximum number of epochs to 200. The main comparison methods are configured as follows.
Standard: The model trained on the original data without any data augmentation.
Mixup, CutMix, AugMix: The models trained using data augmentation methods Mixup [mixup], CutMix [cutmix] and AugMix [hendrycks2020augmix] respectively.
PGDAT, TRADES, IAT: The models trained using PGD Adversarial Training (PGDAT) [madry2018towards], TRADES [zhang2019theoretically], and Interpolated Adversarial Training (IAT) [lamb2019interpolated] respectively, with the perturbation budget set to 0.031, the perturbation step size set to 0.007 and the number of iterations set to 10. IAT combines examples with Mixup.
AugRmixAT-1-1, AugRmixAT-1-32: The models trained using our proposed method, with the perturbation budget, perturbation step size and number of iterations set as in PGDAT, TRADES and IAT. The suffix gives the values of the two regularization hyperparameters of the loss: “-1-1” sets both to 1, and “-1-32” sets the first to 1 and the second to 32.
All experiments were implemented and evaluated with PyTorch [paszke2017automatic] on four NVIDIA Tesla V100 GPUs.
Evaluation on White-box Robustness. Table 2 reports white-box robustness on CIFAR-10. We evaluate all models against three white-box attacks: FGSM [fgsm], PGD [madry2018towards], and CW [carlini2017towards] (PGD with the CW loss). For FGSM, the perturbation budget is 0.031. For PGD10, PGD20 and CW20, the perturbation budget is 0.031 and the step size is 0.003; PGD10 uses 10 iterations, while PGD20 and CW20 use 20.
Table 2 shows that all the compared adversarial training methods reduce the clean accuracy, whereas our AugRmixAT-1-1 model improves it, by 1.05% over Mixup. Under the FGSM attack, the AugRmixAT-1-1 model has the best robust accuracy. Under PGD10, PGD20 and CW20, the AugRmixAT-1-32 model achieves the best robust accuracy; in particular, its robust accuracy under PGD20 is 6.39% higher than PGDAT, 5.71% higher than TRADES, and 4.01% higher than IAT.
Evaluation on Black-box Robustness. We use transfer-based black-box attacks [papernot2017practical] to evaluate the black-box robustness of the model. We first use each trained model to construct adversarial examples by PGD and then apply these adversarial examples to other models and evaluate their performance. We set the perturbation budget as 0.031, the perturbation step size as 0.003, and the number of iterations as 10. The results of the black-box robustness on CIFAR-10 are reported in Table 3. Again, the AugRmixAT-1-1 model trained by our method achieves higher robustness than the other models.
Evaluation on Common Corruptions Robustness. We evaluate robustness to common corruptions on CIFAR-10-C [hendrycks2019benchmarking], which contains 19 corruption types, each at 5 levels of severity. Following prior work [hendrycks2019benchmarking, hendrycks2020augmix], we adopt the Corruption Error (CE) [hendrycks2019benchmarking] to measure common corruption robustness, and mCE denotes the mean Corruption Error over the 19 corruptions. As shown in Table 1, the AugRmixAT-1-1 model achieves the lowest CE on 15 of the 19 corruptions, and also the lowest mCE: 0.77% lower than AugMix, 15.15% lower than Standard, 14.84% lower than PGDAT and 4.71% lower than IAT.
Evaluation on Partial Occlusion Robustness. Compared with corruptions and adversarial examples, partial occlusion is arguably the more common condition in practice. We use untargeted and targeted random partial occlusion to evaluate robustness under occlusion: untargeted occlusion blocks are filled with 0, while targeted occlusion blocks are taken from other objects. We report Top-1 robust accuracy for untargeted occlusion and Top-2 robust accuracy for targeted occlusion. Table 4 shows that the previous adversarial training methods PGDAT, TRADES and IAT struggle under partial occlusion and are even detrimental to occlusion robustness. In contrast, our method improves both targeted and untargeted occlusion robust accuracy, exceeding CutMix by 0.09% on untargeted occlusion and by 1.07% on targeted occlusion. AugRmixAT-1-1 achieves the best performance under partial occlusion and far outperforms the models trained with other adversarial training methods.
4.3 CIFAR-100 and Tiny-ImageNet
We also verify the effectiveness of our method on CIFAR-100 and Tiny-ImageNet; the results are presented in Table 5. In Table 5, “Corr” is the common corruption robustness, evaluated with the mean corruption accuracy (mCA, the complement of mCE), and “Occ” is the partial occlusion robustness, evaluated as the mean of the Top-1 untargeted and Top-2 targeted occlusion robust accuracies. All other settings are the same as on CIFAR-10.
4.4 Sensitivity of the regularization hyperparameters
We use PreAct-ResNet18 [he2016identity] for the sensitivity experiments on the two regularization hyperparameters on CIFAR-10; the other settings are the same as above. Table 6 shows that as the first hyperparameter increases, the common corruption robust accuracy increases while the adversarial robust accuracy decreases. As the second hyperparameter increases, the clean accuracy, the common corruption robust accuracy and the partial occlusion robust accuracy decrease while the adversarial robust accuracy increases. This again confirms that improving one specific kind of robustness in isolation is often detrimental to one or more others. In practice, we recommend setting both regularization hyperparameters to 1, which improves generalization performance and multiple kinds of robustness at the same time.
We propose AugRmixAT, a new image data processing and training method. Unlike previous data augmentation and adversarial training methods, it improves not only the generalization performance of neural network models but also several kinds of robustness at once: white-box, black-box, common corruption and partial occlusion robustness. Moreover, AugRmixAT can be easily inserted into existing training pipelines, and we believe it can make neural networks deployed in real-world applications more reliable and secure.