Understanding and Increasing Efficiency of Frank-Wolfe Adversarial Training
Theodoros Tsiligkaridis, Jay Roberts
Conference on Computer Vision and Pattern Recognition, CVPR 2022
[arXiv]
The goal is to speed up adversarial training (AT) without sacrificing robustness via a solid mathematical theory. By using the more mathematically transparent Frank-Wolfe (FW) optimization in place of the more popular Projected Gradient Decent (PGD), a relationship is established between the loss landscape geometry and the L2 norm of L-infinity FW attacks (distortion). We show the following properties
- High distortion high step attacks are inefficient
- Low distortion signals existence of strong high step attacks that are likely to be successful
This distortion is a strong signal for catastrophic overfitting (CO) in single-step adversarial training methods even for the relatively weak FW-2 attacks. By monitoring the distortion of a FW-2 attack during the beginning of a training epoch we are able to adaptively change the number of attack steps all while simultaneously performing AT. FW-Adapt trains models faster than strong multi-step AT methods, such as PGD-7, while avoiding CO of fast single-step methods.
In order to have consistent libraries and versions, you may create a conda environment via:
conda env create -f environment.yml
then activate with
conda activate fwadapt
We provide the model weights cifar10_resnet18_baseline_nat_acc_94.pt
download here and so any experiments on cifar10 can be run with the --pretrained
flag in order to intialize with these weights as was done in the paper. In order to train a standard model on cifar100 run:
python train.py --mode=standard --dataset=cifar100 --data_path=./data --num_epochs=160 --ep_decay=60
We provide ready-to-run code for our FW-Adapt model and the following fast AT baselines: PGD, FGSM-Adapt, FGSM-GA, Free, FW. See details in our paper. Use the following:
python train.py --mode=fw_adapt --min_dr=r \
--data_path=./data \
--lr=0.1 \
--num_epochs=30 \
--ep_decay=15
--pretrained
To run FW-Adapt-AT with L-infinity norm 8/255
at distortion ratio r
on CIFAR-10 with data located in ./data
, for 30
epochs with an initial SGD learning rate of 0.1
that decays by 0.1 every 15
epochs. The --pretrained
flag assumes you have a pretrained model named:
cifar10: cifar10_resnet18_baseline_nat_acc_94.pt
cifar100: <see `Training Standard Models`>
this flag may be removed and the model will train from scratch.
Details about the various modes and flags and AT modes can be found in AdversarialTrainer.AdversarialTrainer.__init__
.
Results are saved in:
|-topdir/
|-exp_tag/
|-checkpoints/
|-<model checkpoints>.pt
|-hparams.yaml (params used in trainer)
|-train_results.csv
|-eval_results.csv
We provide some basic examples of training other AT methods at epsilon=8/255. For more details please see AdversarialTrainer.AdversarialTrainer.__init__
. All methods have the flags
--data_path=./data \
--lr=0.1 \
--num_epochs=30 \
--ep_decay=15 \
--pretrained
passed after them as was done in FW-Adapt above.
PGD with 7 steps
python train.py --mode=pgd --K=7 \
FGSM-Adapt with 4 checkpoints
python train.py --mode=fgsm_adapt --K=4 \
FGSM-GA with regularizer 0.5
python train.py --mode=grad_align --grad_align_lambda=0.5 \
Free with 8 minibatch replays
python train.py --mode=free --K=8
FW with 7 steps
python train.py --mode=fw --K=7
Install autoattack into your fwadapt
environment.
pip install git+https://github.com/fra31/auto-attack
After training the model you can evaluate with AutoAttack and PGD-50 via
python autoattack.py --exp_dir=topdir/exp_tag/ --data_path=./data
Note these attacks are performed using the epsilon value chosen in hparams.yaml
. The results will be in
|-topdir/
|-exp_tag/
|-autoattack_and_pgd50_value.yaml
The code for FW-Adapt is licensed under the MIT License.
For citing this paper or code, please use the following:
@inproceedings{FW_Adapt,
title={Understanding and Increasing Efficiency of Frank-Wolfe Adversarial Training},
author={Theodoros Tsiligkaridis and Jay Roberts},
booktitle={Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, CVPR},
month={June},
year={2022}
}
Research was sponsored by the United States Air Force Research Laboratory and the United States Air Force Artificial Intelligence Accelerator and was accomplished under Cooperative Agreement Number FA8750-19-2-1000. The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the United States Air Force or the U.S. Government. The U.S. Government is authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright notation herein.