CV | AI | Feb 16, 2023

Masking and Mixing Adversarial Training

arXiv:2302.08066v1 | 1 citations | h-index: 24
AI Analysis

This work addresses the problem of improving robustness without sacrificing accuracy in adversarial training for computer vision, representing an incremental advancement in defense methods.

The paper tackles the trade-off between accuracy and robustness in adversarial training for CNNs by proposing Masking and Mixing Adversarial Training (M2AT), which creates diverse adversarial examples through masking and mixing processes, achieving better robustness against several attacks on the CIFAR-10 dataset.

While convolutional neural networks (CNNs) have achieved excellent performance in various computer vision tasks, they often misclassify malicious samples, a.k.a. adversarial examples. Adversarial training is a popular and straightforward technique to defend against the threat of adversarial examples. Unfortunately, CNNs must sacrifice the accuracy of standard samples to improve robustness against adversarial examples when adversarial training is used. In this work, we propose Masking and Mixing Adversarial Training (M2AT) to mitigate the trade-off between accuracy and robustness. We focus on creating diverse adversarial examples during training. Specifically, our approach consists of two processes: 1) masking a perturbation with a binary mask and 2) mixing two partially perturbed images. Experimental results on the CIFAR-10 dataset demonstrate that our method achieves better robustness against several adversarial attacks than previous methods.
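The two processes named in the abstract, as an added sketch of a training-time augmentation (not the paper's code). It also checks that the mixed sample stays inside the perturbation budget of the clean image. Assumptions not taken from the page: the rectangular mask, the complementary masks applied to the same clean image, the Beta-sampled mixing ratio, `EPS = 8/255`, and the random-sign `delta` standing in for a perturbation computed against the model.

```python
import numpy as np

EPS = 8 / 255  # assumed L-infinity budget; the page does not state one


def box_mask(h, w, rng):
    """Binary mask with one random rectangle set to 1 (assumed mask shape)."""
    mask = np.zeros((h, w, 1), dtype=np.float32)
    bh, bw = rng.integers(1, h), rng.integers(1, w)  # box never covers the whole image
    top, left = rng.integers(0, h - bh + 1), rng.integers(0, w - bw + 1)
    mask[top:top + bh, left:left + bw] = 1.0
    return mask


def mask_and_mix(x, delta, mask, lam):
    """Return (mixed, inside-only, outside-only) training samples for image x."""
    # Process 1: mask the perturbation, giving two partially perturbed images.
    x_in = np.clip(x + mask * delta, 0.0, 1.0)           # perturbed inside the box
    x_out = np.clip(x + (1.0 - mask) * delta, 0.0, 1.0)  # perturbed outside the box
    # Process 2: mix the two partially perturbed images with ratio lam.
    x_mix = lam * x_in + (1.0 - lam) * x_out
    return x_mix, x_in, x_out


def demo(seed=0):
    """Run both processes on a constructed 32x32x3 image (CIFAR-10 sized)."""
    rng = np.random.default_rng(seed)
    x = rng.random((32, 32, 3), dtype=np.float32)  # constructed clean image in [0, 1)
    # Constructed stand-in for a perturbation with |delta| = EPS everywhere.
    delta = (EPS * rng.choice([-1.0, 1.0], size=x.shape)).astype(np.float32)
    mask = box_mask(32, 32, rng)
    lam = float(rng.beta(1.0, 1.0))  # assumed mixing-ratio distribution
    x_mix, x_in, x_out = mask_and_mix(x, delta, mask, lam)
    return x, delta, mask, lam, x_mix, x_in, x_out


if __name__ == "__main__":
    x, delta, mask, lam, x_mix, x_in, x_out = demo()
    print("lam:", round(lam, 3), "masked pixels:", int(mask.sum()))
    print("max |x_mix - x|:", float(np.abs(x_mix - x).max()), "budget:", EPS)
```

Because the mix is a convex combination of two images that each lie within `EPS` of `x`, the mixed sample never exceeds the budget used during training, while the effective perturbation strength differs inside and outside the mask.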
