When Adversarial Training Meets Vision Transformers: Recipes from Training to Architecture
This work addresses adversarial robustness for ViT users, offering incremental improvements through optimized training techniques and architectural insights.
The paper tackles the problem of adversarial robustness in Vision Transformers (ViTs) by conducting a comprehensive study on adversarial training recipes, finding that pre-training and SGD optimizer are necessary, and showing that masking gradients or perturbations during training can remarkably improve robustness.
Vision Transformers (ViTs) have recently achieved competitive performance in broad vision tasks. Unfortunately, on popular threat models, naturally trained ViTs are shown to provide no more adversarial robustness than convolutional neural networks (CNNs). Adversarial training is still required for ViTs to defend against such adversarial attacks. In this paper, we provide the first and comprehensive study on the adversarial training recipe of ViTs via extensive evaluation of various training techniques across benchmark datasets. We find that pre-training and SGD optimizer are necessary for ViTs' adversarial training. Further considering ViT as a new type of model architecture, we investigate its adversarial robustness from the perspective of its unique architectural components. We find, when randomly masking gradients from some attention blocks or masking perturbations on some patches during adversarial training, the adversarial robustness of ViTs can be remarkably improved, which may potentially open up a line of work to explore the architectural information inside the newly designed models like ViTs. Our code is available at https://github.com/mo666666/When-Adversarial-Training-Meets-Vision-Transformers.