Despite the success of convolutional neural networks (CNNs) in many academic benchmarks for computer vision tasks, their application in the real world is still facing fundamental challenges. One of these open problems is the inherent lack of robustness, unveiled by the striking effectiveness of adversarial attacks. Current attack methods are able to manipulate the network's prediction by adding specific but small amounts of noise to the input. In turn, adversarial training (AT) aims to achieve robustness against such attacks and ideally a better model generalization ability by including adversarial samples in the training set. However, an in-depth analysis of the resulting robust models beyond adversarial robustness is still pending. In this paper, we empirically analyze a variety of adversarially trained models that achieve high robust accuracies when facing state-of-the-art attacks and we show that AT has an interesting side-effect: it leads to models that are significantly less overconfident with their decisions, even on clean data, than non-robust models. Further, our analysis of robust models shows that not only AT but also the model's building blocks (like activation functions and pooling) have a strong influence on the models' prediction confidences. Data & Project website: https://github.com/GeJulia/robustness_confidences_evaluation
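Adversarial training suffers from robust overfitting, a phenomenon where the robust test accuracy starts to decrease during training. In this paper, we focus on reducing robust overfitting by using common data augmentation schemes. We demonstrate that, contrary to previous findings, when combined with model weight averaging, data augmentation can significantly boost robust accuracy. Furthermore, we compare various augmentation techniques and observe that spatial composition techniques are well suited to adversarial training. Finally, we evaluate our approach on CIFAR-10 against $\ell_\infty$ and $\ell_2$ norm-bounded perturbations of size $\epsilon = 8/255$ and $\epsilon = 128/255$, respectively. We show absolute improvements of +2.93% and +2.16% compared to previous state-of-the-art methods. In particular, against $\ell_\infty$ norm-bounded perturbations of size $\epsilon = 8/255$, our model reaches 60.07% robust accuracy without using any external data. We also achieve a significant performance boost with this approach while using other architectures and datasets such as CIFAR-100, SVHN and TinyImageNet.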
Adversarial training, a method for learning robust deep networks, is typically assumed to be more expensive than traditional training due to the necessity of constructing adversarial examples via a first-order method like projected gradient descent (PGD). In this paper, we make the surprising discovery that it is possible to train empirically robust models using a much weaker and cheaper adversary, an approach that was previously believed to be ineffective, rendering the method no more costly than standard training in practice. Specifically, we show that adversarial training with the fast gradient sign method (FGSM), when combined with random initialization, is as effective as PGD-based training but has significantly lower cost. Furthermore, we show that FGSM adversarial training can be further accelerated by using standard techniques for efficient training of deep networks, allowing us to learn a robust CIFAR10 classifier with 45% robust accuracy to PGD attacks with = 8/255 in 6 minutes, and a robust ImageNet classifier with 43% robust accuracy at = 2/255 in 12 hours, in comparison to past work based on "free" adversarial training which took 10 and 50 hours to reach the same respective thresholds. Finally, we identify a failure mode referred to as "catastrophic overfitting" which may have caused previous attempts to use FGSM adversarial training to fail. All code for reproducing the experiments in this paper as well as pretrained model weights are at https://github.com/locuslab/fast_adversarial.
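Deep neural networks are easily fooled by small perturbations known as adversarial attacks. Adversarial training (AT) is a technique that approximately solves a robust optimization problem to minimize the worst-case loss and is widely regarded as the most effective defense against such attacks. Due to the high computation time for generating strong adversarial examples, single-step approaches have been proposed to reduce training time. However, these methods suffer from catastrophic overfitting, where adversarial accuracy drops during training. Although improvements have been proposed, they increase training time and their robustness is far from that of multi-step AT. We develop a theoretical framework for adversarial training with FW optimization (FW-AT) that reveals a geometric connection between the loss landscape and the $\ell_2$ distortion. We analytically show that high distortion of FW attacks is equivalent to small gradient variation along the attack path. Experiments on a variety of deep neural network architectures then demonstrate that $\ell_\infty$ attacks against robust models achieve near-maximal $\ell_2$ distortion, while standard networks have lower distortion. Furthermore, the experiments show that catastrophic overfitting is strongly correlated with low distortion of FW attacks. To demonstrate the utility of our theoretical framework, we develop FW-AT-Adapt, a novel adversarial training algorithm that uses a simple distortion measure to adapt the number of attack steps, increasing efficiency without compromising robustness. FW-AT-Adapt provides training times on par with single-step fast AT methods and narrows the gap to multi-step PGD with minimal loss in adversarial accuracy in white-box and black-box settings.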
Aliasing is a highly important concept in signal processing, as careful consideration of resolution changes is essential in ensuring transmission and processing quality of audio, image, and video. Despite this, up until recently aliasing has received very little consideration in Deep Learning, with all common architectures carelessly sub-sampling without considering aliasing effects. In this work, we investigate the hypothesis that the existence of adversarial perturbations is due in part to aliasing in neural networks. Our ultimate goal is to increase robustness against adversarial attacks using explainable, non-trained, structural changes only, derived from aliasing first principles. Our contributions are the following. First, we establish a sufficient condition for no aliasing for general image transformations. Next, we study sources of aliasing in common neural network layers, and derive simple modifications from first principles to eliminate or reduce it. Lastly, our experimental results show a solid link between anti-aliasing and adversarial attacks. Simply reducing aliasing already results in more robust classifiers, and combining anti-aliasing with robust training out-performs solo robust training on $L_2$ attacks with none or minimal losses in performance on $L_{\infty}$ attacks.
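Recently, Wong et al. showed that adversarial training with single-step FGSM leads to a characteristic failure mode named catastrophic overfitting (CO), in which a model suddenly becomes vulnerable to multi-step attacks. They showed that adding a random perturbation prior to FGSM (RS-FGSM) seemed to be sufficient to prevent CO. However, Andriushchenko and Flammarion observed that RS-FGSM still leads to CO for larger perturbations, and proposed an expensive regularizer (GradAlign) to avoid CO. In this work, we methodically revisit the role of noise and clipping in single-step adversarial training. Contrary to previous intuitions, we find that using stronger noise around the clean sample combined with not clipping is highly effective in avoiding CO for large perturbation radii. Based on these observations, we propose Noise-FGSM (N-FGSM) that, while providing the benefits of single-step adversarial training, does not suffer from CO. Empirical analyses on a large suite of experiments show that N-FGSM is able to match or surpass the performance of previous single-step methods while achieving a 3$\times$ speed-up. Code can be found at https://github.com/pdejorge/n-fgsm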
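Adversarial training with samples generated by the Fast Gradient Sign Method (FGSM), also known as FGSM-AT, is a computationally simple method to train robust networks. However, during its training procedure, an unstable mode of "catastrophic overfitting" has been identified in arXiv:2001.03994 [cs.LG], where the robust accuracy abruptly drops to zero within a single training step. Existing methods use gradient regularizers or random initialization tricks to attenuate this issue, but they either incur high computational cost or lead to lower robust accuracy. In this work, we provide the first study that thoroughly examines a collection of tricks from three perspectives: data initialization, network structure, and optimization, to overcome catastrophic overfitting in FGSM-AT. Surprisingly, we find that simple tricks, i.e., a) masking partial pixels (even without randomness), b) setting a large convolution stride and smooth activation functions, or c) regularizing the weights of the first convolutional layer, can effectively tackle the overfitting issue. Extensive results on a range of network architectures validate the effectiveness of each proposed trick, and the combinations of tricks are also investigated. For example, trained with PreActResNet-18 on CIFAR-10, our method attains 49.8% accuracy against a PGD-50 attacker and 46.4% accuracy against AutoAttack, demonstrating that pure FGSM-AT is capable of enabling robust learners. The code and models are publicly available at https://github.com/ucsc-vlaa/bag-of-tricks-for-for-fgsm-at.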
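Modern neural networks excel at image classification, yet they remain vulnerable to common image corruptions such as blur, speckle noise or fog. Recent methods that focus on this problem, such as AugMix and DeepAugment, introduce defenses that operate in expectation over a distribution of image corruptions. In contrast, the literature on $\ell_p$-norm bounded perturbations focuses on defenses against worst-case corruptions. In this work, we reconcile both approaches by proposing AdversarialAugment, a technique which optimizes the parameters of image-to-image models to generate adversarially corrupted augmented images. We theoretically motivate our method and give sufficient conditions for the consistency of its idealized version as well as that of DeepAugment. Our classifiers improve upon the state of the art on common image corruption benchmarks conducted in expectation on CIFAR-10-C and improve worst-case performance against $\ell_p$-norm bounded perturbations on both CIFAR-10 and ImageNet.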
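Fast adversarial training (FAT) effectively improves the efficiency of standard adversarial training (SAT). However, initial FAT encounters catastrophic overfitting, i.e., the robust accuracy against adversarial attacks suddenly and dramatically decreases. Though several FAT variants spare no effort to prevent overfitting, they sacrifice much computational cost. In this paper, we explore the difference between the training processes of SAT and FAT and observe that the attack success rate of the adversarial examples (AEs) of FAT gradually gets worse in the late training stage, resulting in overfitting. The AEs are generated by the fast gradient sign method (FGSM) with a zero or random initialization. Based on this observation, we propose a prior-guided FGSM initialization method to avoid overfitting after investigating several initialization strategies, improving the quality of the AEs during the whole training process. The initialization is formed by leveraging historically generated AEs without additional computational cost. We further provide a theoretical analysis for the proposed initialization method. We also propose a simple yet effective regularizer based on the prior-guided initialization, i.e., the currently generated perturbation should not deviate too much from the prior-guided initialization. The regularizer adopts both historical and current adversarial perturbations to guide the model learning. Evaluations on four datasets demonstrate that the proposed method can prevent catastrophic overfitting and outperform state-of-the-art FAT methods. The code is released at https://github.com/jiaxiaojunqaq/fgsm-pgi.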
Recent work has demonstrated that deep neural networks are vulnerable to adversarial examples, inputs that are almost indistinguishable from natural data and yet classified incorrectly by the network. In fact, some of the latest findings suggest that the existence of adversarial attacks may be an inherent weakness of deep learning models. To address this problem, we study the adversarial robustness of neural networks through the lens of robust optimization. This approach provides us with a broad and unifying view on much of the prior work on this topic. Its principled nature also enables us to identify methods for both training and attacking neural networks that are reliable and, in a certain sense, universal. In particular, they specify a concrete security guarantee that would protect against any adversary. These methods let us train networks with significantly improved resistance to a wide range of adversarial attacks. They also suggest the notion of security against a first-order adversary as a natural and broad security guarantee. We believe that robustness against such well-defined classes of adversaries is an important stepping stone towards fully resistant deep learning models.
It is common practice in deep learning to use overparameterized networks and train for as long as possible; there are numerous studies that show, both theoretically and empirically, that such practices surprisingly do not unduly harm the generalization performance of the classifier. In this paper, we empirically study this phenomenon in the setting of adversarially trained deep networks, which are trained to minimize the loss under worst-case adversarial perturbations. We find that overfitting to the training set does in fact harm robust performance to a very large degree in adversarially robust training across multiple datasets (SVHN, CIFAR-10, CIFAR-100, and ImageNet) and perturbation models ($\ell_\infty$ and $\ell_2$). Based upon this observed effect, we show that the performance gains of virtually all recent algorithmic improvements upon adversarial training can be matched by simply using early stopping. We also show that effects such as the double descent curve do still occur in adversarially trained models, yet fail to explain the observed overfitting. Finally, we study several classical and modern deep learning remedies for overfitting, including regularization and data augmentation, and find that no approach in isolation improves significantly upon the gains achieved by early stopping. All code for reproducing the experiments as well as pretrained model weights and training logs can be found at https://github.com/locuslab/robust_overfitting.
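The literature on robustness towards common corruptions shows no consensus on whether adversarial training can improve performance in this setting. First, we show that, when used with an appropriately selected perturbation radius, $\ell_p$ adversarial training can serve as a strong baseline against common corruptions, improving both accuracy and calibration. Then we explain why adversarial training performs better than data augmentation with simple Gaussian noise, which has been observed to be a meaningful baseline on common corruptions. Related to this, we identify the $\sigma$-overfitting phenomenon, in which Gaussian augmentation overfits to the particular standard deviation used for training, which has a significant detrimental effect on common corruption accuracy. We discuss how to alleviate this problem and then how to further enhance $\ell_p$ adversarial training by introducing an efficient relaxation of adversarial training with learned perceptual image patch similarity. Through experiments on CIFAR-10 and ImageNet-100, we show that our approach not only improves the $\ell_p$ adversarial training baseline but also has cumulative gains with data augmentation methods such as AugMix, DeepAugment, ANT, and SIN, leading to state-of-the-art performance on common corruptions. The code of our experiments is publicly available at https://github.com/tml-epfl/adv-training - 窗子.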
Adversarial training, in which a network is trained on adversarial examples, is one of the few defenses against adversarial attacks that withstands strong attacks. Unfortunately, the high cost of generating strong adversarial examples makes standard adversarial training impractical on large-scale problems like ImageNet. We present an algorithm that eliminates the overhead cost of generating adversarial examples by recycling the gradient information computed when updating model parameters. Our "free" adversarial training algorithm achieves comparable robustness to PGD adversarial training on the CIFAR-10 and CIFAR-100 datasets at negligible additional cost compared to natural training, and can be 7 to 30 times faster than other strong adversarial training methods. Using a single workstation with 4 P100 GPUs and 2 days of runtime, we can train a robust model for the large-scale ImageNet classification task that maintains 40% accuracy against PGD attacks. The code is available at https://github.com/ashafahi/free_adv_train.
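Adversarial training methods are state-of-the-art (SOTA) empirical defense methods against adversarial examples. Many regularization methods have been proven effective in combination with adversarial training. Nevertheless, such regularization methods are implemented in the time domain. Since adversarial vulnerability can be regarded as a high-frequency phenomenon, it is essential to regulate adversarially trained neural network models in the frequency domain. Faced with these challenges, we make a theoretical analysis of the regularization property of wavelets, which can enhance adversarial training. We propose a wavelet regularization method based on the Haar wavelet decomposition, named Wavelet Average Pooling. This wavelet regularization module is integrated into the wide residual neural network, forming a new WideWaveletResNet model. On the CIFAR-10 and CIFAR-100 datasets, our proposed Adversarial Wavelet Training method achieves considerable robustness under different types of attacks. It verifies the assumption that our wavelet regularization method can enhance adversarial robustness, especially in deep wide neural networks. Visualization experiments on the Frequency Principle (F-Principle) and interpretability are implemented to show the effectiveness of our method. A detailed comparison based on different wavelet base functions is presented. The code is available at the repository: https://github.com/momo1986/AdversarialWavelTraining.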
Deep neural networks are incredibly vulnerable to crafted, human-imperceptible adversarial perturbations. Although adversarial training (AT) has proven to be an effective defense approach, we find that the AT-trained models heavily rely on the input low-frequency content for judgment, accounting for the low standard accuracy. To close the large gap between the standard and robust accuracies during AT, we investigate the frequency difference between clean and adversarial inputs, and propose a frequency regularization (FR) to align the output difference in the spectral domain. Besides, we find Stochastic Weight Averaging (SWA), by smoothing the kernels over epochs, further improves the robustness. Among various defense schemes, our method achieves the strongest robustness against attacks by PGD-20, C&W and AutoAttack, on a WideResNet trained on CIFAR-10 without any extra data.
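Humans rely heavily on shape information to recognize objects. Conversely, convolutional neural networks (CNNs) are biased more towards texture. This is perhaps the main reason why CNNs are vulnerable to adversarial examples. Here, we explore how shape bias can be incorporated into CNNs to improve their robustness. Two algorithms are proposed, based on the observation that edges are invariant to moderate imperceptible perturbations. In the first one, a classifier is adversarially trained on images with the edge map as an additional channel. At inference time, the edge map is recomputed and concatenated to the image. In the second algorithm, a conditional GAN is trained to translate the edge maps, from clean and/or perturbed images, into clean images. Inference is done over the generated image corresponding to the input's edge map. Extensive experiments over 10 datasets demonstrate the effectiveness of the proposed algorithms against FGSM and $\ell_\infty$ PGD-40 attacks. Further, we show that a) edge information can also benefit other adversarial training methods, and b) CNNs trained on edge-augmented inputs are more robust against natural image corruptions such as motion blur, impulse noise and JPEG compression than CNNs trained solely on RGB images. From a broader perspective, our study suggests that CNNs do not adequately account for image structures that are crucial for robustness. Code is available at: https://github.com/aliborji/shapedefense.git.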
