Preventing Catastrophic Overfitting in Single-Step Adversarial Training via Abnormal Adversarial Examples Regularization

Abnormal adversarial examples, which exhibit anomalous behavior during the inner maximization process, are closely related to the gradual distortion of the classifier's decision boundaries and the occurrence of catastrophic overfitting in single-step adversarial training. By explicitly regularizing the number and outputs variation of these abnormal adversarial examples, the proposed Abnormal Adversarial Examples Regularization (AAER) method can effectively eliminate catastrophic overfitting and boost adversarial robustness with negligible additional computational overhead.

The paper investigates the phenomenon of catastrophic overfitting (CO) in single-step adversarial training (SSAT), where the model's robust accuracy against multi-step adversarial attacks can sharply decline from a peak to nearly 0% within a few iterations. Key observations: The authors identify "abnormal adversarial examples" (AAEs) that exhibit anomalous behavior, where the loss associated with them decreases despite being generated by the inner maximization process. The number and outputs variation of AAEs undergo significant changes during the onset of CO, suggesting a close relationship between AAEs and the gradual distortion of the classifier's decision boundaries. The classifier already exhibits slight initial distortion before the occurrence of CO, as evidenced by the presence of a small number of AAEs. Directly optimizing the model on these AAEs further exacerbates the distortion, leading to a vicious cycle that ultimately manifests as CO. Based on these insights, the authors propose the Abnormal Adversarial Examples Regularization (AAER) method, which explicitly regularizes the number and outputs variation of AAEs to hinder the classifier from becoming distorted and prevent CO. AAER does not require any additional example generation or backward propagation, making it computationally efficient. The authors evaluate AAER on various datasets, network architectures, and adversarial budgets, demonstrating its effectiveness in eliminating CO and boosting adversarial robustness compared to other SSAT methods.

The number of abnormal adversarial examples (AAEs) increases 19 times at the onset of catastrophic overfitting. The variation in prediction confidence of AAEs is 43 times smaller than before catastrophic overfitting. The variation in logits distribution of AAEs is 62 times larger than before catastrophic overfitting.

"We identify some adversarial examples generated by the distorted classifier exhibiting anomalous behaviour, wherein the loss associated with them decreases despite being generated by the inner maximization process." "We discover that the classifier exhibits initial distortion before CO, manifesting as a small number of AAEs. Besides, the model decision boundaries will be further exacerbated by directly optimizing the classifier on these AAEs, leading to a further increase in their number, which ultimately manifests as CO within a few iterations." "Based on the observed effect, we propose a novel method - Abnormal Adversarial Examples Regularization (AAER), which explicitly regularizes the number and outputs variation of AAEs to hinder the classifier from becoming distorted."