Self-Progressing Robust Training
This work addresses the problem of enhancing model robustness for machine learning systems, offering a more scalable and attack-independent approach than existing methods.
This paper introduces SPROUT, a novel robust training framework that improves model robustness without explicit attack generation. SPROUT achieves this by progressively adjusting the training label distribution using a parametrized label smoothing technique, leading to superior performance compared to state-of-the-art adversarial training methods like PGD-l_inf and TRADES under l_inf-norm bounded attacks and various invariance tests.
Enhancing model robustness under new and even adversarial environments is a crucial milestone toward building trustworthy machine learning systems. Current robust training methods such as adversarial training explicitly uses an "attack" (e.g., $\ell_{\infty}$-norm bounded perturbation) to generate adversarial examples during model training for improving adversarial robustness. In this paper, we take a different perspective and propose a new framework called SPROUT, self-progressing robust training. During model training, SPROUT progressively adjusts training label distribution via our proposed parametrized label smoothing technique, making training free of attack generation and more scalable. We also motivate SPROUT using a general formulation based on vicinity risk minimization, which includes many robust training methods as special cases. Compared with state-of-the-art adversarial training methods (PGD-l_inf and TRADES) under l_inf-norm bounded attacks and various invariance tests, SPROUT consistently attains superior performance and is more scalable to large neural networks. Our results shed new light on scalable, effective and attack-independent robust training methods.