While convolutional neural networks (CNNs) have achieved excellent performance in various computer vision tasks, they often misclassify maliciously crafted samples, a.k.a. adversarial examples. Adversarial training is a popular and straightforward technique for defending against the threat of adversarial examples. Unfortunately, when adversarial training is used, CNNs must sacrifice accuracy on standard samples to improve robustness against adversarial examples. In this work, we propose Masking and Mixing Adversarial Training (M2AT) to mitigate the trade-off between accuracy and robustness. We focus on creating diverse adversarial examples during training. Specifically, our approach consists of two processes: 1) masking a perturbation with a binary mask and 2) mixing two partially perturbed images. Experimental results on the CIFAR-10 dataset demonstrate that our method achieves better robustness against several adversarial attacks than previous methods.
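The two processes named in the abstract can be illustrated with a minimal NumPy sketch. This is not the paper's exact formulation: the per-pixel mask ratio, the mixing weight `lam`, and the function name `masked_mixed_example` are illustrative assumptions.

```python
import numpy as np

rng = np.random.default_rng(0)

def masked_mixed_example(x1, x2, delta1, delta2, mask_ratio=0.5, lam=0.5):
    """Hypothetical sketch of the two steps in the abstract:
    1) mask each adversarial perturbation with a random binary mask,
    2) mix the two partially perturbed images."""
    # 1) Binary mask per pixel: 1 keeps the perturbation, 0 drops it.
    m1 = (rng.random(x1.shape) < mask_ratio).astype(x1.dtype)
    m2 = (rng.random(x2.shape) < mask_ratio).astype(x2.dtype)
    partial1 = np.clip(x1 + m1 * delta1, 0.0, 1.0)  # partially perturbed image 1
    partial2 = np.clip(x2 + m2 * delta2, 0.0, 1.0)  # partially perturbed image 2
    # 2) Convex combination of the two partially perturbed images.
    return lam * partial1 + (1.0 - lam) * partial2
```

The intuition is that random masking and mixing expose the network to a wider variety of perturbation patterns during training than a single full-strength adversarial example would.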