《计算机应用》 (Journal of Computer Applications): official website


Fast adversarial training method based on data augmentation and label noise

宋逸飞, 柳毅

  1. Guangdong University of Technology
  • Received: 2024-01-02 Revised: 2024-03-14 Online: 2024-03-28 Published: 2024-03-28
  • Corresponding author: 宋逸飞
  • Funding: Key-Area Research and Development Program of Guangdong Province

Abstract: Adversarial training is an effective defense for protecting classification models against adversarial attacks. However, generating strong adversarial examples during training is computationally expensive and can require an order of magnitude more training time. To overcome this limitation, fast adversarial training based on single-step attacks has been explored. Previous work has improved fast adversarial training from different angles, such as sample initialization, loss regularization, and training strategies, but it still suffers catastrophic overfitting under large perturbation budgets. A fast adversarial training method based on data augmentation and label noise is proposed to address this difficulty. First, multiple image transformations are applied to the original samples and random noise is introduced to implement data augmentation; next, a small amount of label noise is injected; then the augmented data are used to generate adversarial examples for model training; finally, the label-noise rate is adjusted adaptively according to the results of an adversarial robustness test. Comprehensive experiments on CIFAR-10 and CIFAR-100 show that, compared with FGSM-MEP (Fast Gradient Sign Method with prior from the Momentum of all Previous Epochs), the proposed method improves the AA (AutoAttack) robust accuracy by 4.63 and 5.38 percentage points respectively on the two datasets under a large perturbation budget. The experiments demonstrate that the proposed scheme effectively handles catastrophic overfitting under large perturbation budgets and significantly enhances the adversarial robustness of the model.

Key words: deep learning, adversarial example, adversarial defense, data augmentation, label noise
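The pipeline the abstract outlines (augment, inject label noise, generate a single-step FGSM example, train, then adapt the noise rate from a robustness test), as an added illustration that is not the authors' code: a toy 2-D logistic classifier in plain Python so every stage is explicit. The sample data, hyperparameters and the specific adaptation rule (raise the rate when robust accuracy drops between checks) are assumptions; the paper's actual schedule, models and image transforms are not on this page.

```python
import math
import random
# Added example, not the paper's code; data, hyperparameters and the adaptation rule are assumptions.

def predict(w, b, x):
    """Probability of class 1 under the linear model sigmoid(w.x + b)."""
    return 1.0 / (1.0 + math.exp(-(w[0] * x[0] + w[1] * x[1] + b)))

def augment(x, rng, noise_std=0.1):
    """Data augmentation: a random shift (stand-in for image transforms) plus Gaussian noise."""
    shift = rng.uniform(-0.1, 0.1)
    return [xi + shift + rng.gauss(0.0, noise_std) for xi in x]

def inject_label_noise(labels, rate, rng):
    """Flip each binary label independently with probability `rate`."""
    return [1 - y if rng.random() < rate else y for y in labels]

def fgsm(w, b, x, y, eps):
    """Single-step FGSM: x + eps*sign(dL/dx); for the logistic loss dL/dx = (p - y)*w."""
    g = predict(w, b, x) - y
    return [xi + eps * ((g * wi > 0) - (g * wi < 0)) for xi, wi in zip(x, w)]

def robust_accuracy(w, b, data, eps):
    """Robustness test on FGSM-perturbed inputs; the signal the label-noise schedule reads."""
    hits = sum((predict(w, b, fgsm(w, b, x, y, eps)) >= 0.5) == (y == 1) for x, y in data)
    return hits / len(data)

def adapt_noise_rate(rate, robust_acc, prev_robust_acc, step=0.02, hi=0.2):
    """Assumed rule: raise the label-noise rate when robust accuracy drops between checks, else relax it."""
    return min(hi, rate + step) if robust_acc < prev_robust_acc else max(0.0, rate - step)

def train(data, eps, epochs=20, lr=0.5, noise_rate=0.05, seed=0):
    """Per epoch: augment -> inject label noise -> FGSM on the augmented input -> SGD step."""
    rng, w, b, prev_ra = random.Random(seed), [0.0, 0.0], 0.0, 0.0
    for _ in range(epochs):
        noisy = inject_label_noise([y for _, y in data], noise_rate, rng)
        for (x, _), y in zip(data, noisy):
            xa = fgsm(w, b, augment(x, rng), y, eps)
            g = predict(w, b, xa) - y                  # dL/dz of the logistic loss
            w = [wi - lr * g * xi for wi, xi in zip(w, xa)]
            b -= lr * g
        ra = robust_accuracy(w, b, data, eps)          # robustness test after each epoch
        noise_rate, prev_ra = adapt_noise_rate(noise_rate, ra, prev_ra), ra
    return w, b, noise_rate

def make_toy_data(n=100, seed=1):
    """Constructed, linearly separable sample: class 1 when x0 + x1 > 0."""
    rng = random.Random(seed)
    pts = [[rng.uniform(-1, 1), rng.uniform(-1, 1)] for _ in range(n)]
    return [(p, int(p[0] + p[1] > 0)) for p in pts]
```

Calling `train(make_toy_data(), eps=0.1)` returns the learned weights and the final label-noise rate; `robust_accuracy` on that result is the same check the schedule reads each epoch.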
