- Our new arXiv paper "Decoupled Kullback-Leibler (DKL) Divergence Loss" achieves new state-of-the-art on adversarial robustness. Code is released.
This repository contains the implementation code for the ICCV2021 paper:
Learnable Boundary Guided Adversarial Training (https://arxiv.org/pdf/2011.11164.pdf)
# | Method | Model | Natural Acc | Robust Acc (AutoAttack) | download |
---|---|---|---|---|---|
1 | AWP | WRN-34-10 | 60.38 | 28.86 | - |
2 | LBGAT-AWP | WRN-34-10 | 62.31 | 30.44 | - |
3 | LBGAT-AWP* | WRN-34-10 | 62.99 | 31.20 | model / log |
In this paper, we proposed the "Learnable Boundary Guided Adversarial Training" to preserve high natural accuracy while enjoy strong robustness for deep models. An interesting phenomenon in our exploration shows that natural classifier boundary can benefit model robustness to some degree, which is different from the previous work that the improved robustness is at cost of performance degradation on natural data. Our method creates new state-of-the-art model robustness on CIFAR-100 without extra real or Synthetic data under auto-attack benchmark.
`
Models are evaluated under the strongest AutoAttack(https://github.com/fra31/auto-attack) with epsilon 0.031.
Our CIFAR-100 models:
CIFAR-100-LBGAT0-wideresnet-34-10 70.25 vs 27.16
CIFAR-100-LBGAT6-wideresnet-34-10 60.64 vs 29.33
CIFAR-100-LBGAT6-wideresnet-34-20 62.55 vs 30.20
Our CIFAR-10 models:
CIFAR-10-LBGAT0-wideresnet-34-10 88.22 vs 52.86
CIFAR-10-LBGAT0-wideresnet-34-20 88.70 vs 53.57
Note: this is one partial results list for comparisons with methods without using additional data up to 2020/11/25. Full list can be found at https://github.com/fra31/auto-attack. TRADES (alpha=6) is trained with official open-source code at https://github.com/yaodongyu/TRADES.
# | Method | Model | Natural Acc | Robust Acc (AutoAttack) |
---|---|---|---|---|
1 | LBGAT (Ours) | WRN-34-20 | 62.55 | 30.20 |
2 | (Gowal et al. 2020) | WRN-70-16 | 60.86 | 30.03 |
3 | LBGAT (Ours) | WRN-34-10 | 60.64 | 29.33 |
4 | (Wu et al. 2020) | WRN-34-10 | 60.38 | 28.86 |
5 | LBGAT (Ours) | WRN-34-10 | 70.25 | 27.16 |
6 | (Chen et al. 2020) | WRN-34-10 | 62.15 | 26.94 |
7 | (Zhang et al. 2019) TRADES (alpha=6) | WRN-34-10 | 56.50 | 26.87 |
8 | (Sitawarin et al. 2020) | WRN-34-10 | 62.82 | 24.57 |
9 | (Rice et al. 2020) | RN-18 | 53.83 | 18.95 |
Note: this is one partial results list for comparisons with previous published methods without using additional data up to 2020/11/25. Full list can be found at https://github.com/fra31/auto-attack. TRADES (alpha=6) is trained with official open-source code at https://github.com/yaodongyu/TRADES. “*” denotes methods aiming to speed up adversarial training.
# | Method | Model | Natural Acc | Robust Acc (AutoAttack) |
---|---|---|---|---|
1 | LBGAT (Ours) | WRN-34-20 | 88.70 | 53.57 |
2 | (Zhang et al.) | WRN-34-10 | 84.52 | 53.51 |
3 | (Rice et al. 2020) | WRN-34-20 | 85.34 | 53.42 |
4 | LBGAT (Ours) | WRN-34-10 | 88.22 | 52.86 |
5 | (Qin et al., 2019) | WRN-40-8 | 86.28 | 52.84 |
6 | (Zhang et al. 2019) TRADES (alpha=6) | WRN-34-10 | 84.92 | 52.64 |
7 | (Chen et al., 2020b) | WRN-34-10 | 85.32 | 51.12 |
8 | (Sitawarin et al., 2020) | WRN-34-10 | 86.84 | 50.72 |
9 | (Engstrom et al., 2019) | RN-50 | 87.03 | 49.25 |
10 | (Kumari et al., 2019) | WRN-34-10 | 87.80 | 49.12 |
11 | (Mao et al., 2019) | WRN-34-10 | 86.21 | 47.41 |
12 | (Zhang et al., 2019a) | WRN-34-10 | 87.20 | 44.83 |
13 | (Madry et al., 2018) AT | WRN-34-10 | 87.14 | 44.04 |
14 | (Shafahi et al., 2019)* | WRN-34-10 | 86.11 | 41.47 |
14 | (Wang & Zhang, 2019)* | WRN-28-10 | 92.80 | 29.35 |
Befor the training, please create the directory 'Logs' via the command 'mkdir Logs'.
bash sh/train_lbgat0_cifar100.sh
before running the evaluation, please download the pretrained model.
bash sh/eval_autoattack.sh
This code is partly based on the TRADES and autoattack.
If you have any questions, feel free to contact us through email ([email protected]) or Github issues. Enjoy!
If you find this code or idea useful, please consider citing our work:
@inproceedings{cui2021learnable,
title={Learnable boundary guided adversarial training},
author={Cui, Jiequan and Liu, Shu and Wang, Liwei and Jia, Jiaya},
booktitle={Proceedings of the IEEE/CVF International Conference on Computer Vision},
pages={15721--15730},
year={2021}
}
@article{cui2023decoupled,
title={Decoupled Kullback-Leibler Divergence Loss},
author={Cui, Jiequan and Tian, Zhuotao and Zhong, Zhisheng and Qi, Xiaojuan and Yu, Bei and Zhang, Hanwang},
journal={arXiv preprint arXiv:2305.13948},
year={2023}
}