ATRA: Efficient adversarial training with high-robust area.

Recent research has shown the vulnerability of deep networks to adversarial perturbations. Adversarial training and its variants have been shown to be effective defense algorithms against adversarial attacks, enhancing the defense abilities of deep neural networks by training them to fit adversarial examples. However, the significant computational burden of generating strong adversarial examples has rendered the process time-consuming, presenting a challenge for efficient training. In this paper, we propose adversarial training with robust area (ATRA), a highly efficient variant of adversarial training. We experimentally find that certain pixels in the image play a crucial role in improving robust accuracy, which we refer to the collection of discrete pixels as the high-robust area. Based on the robust area of the input instance, ATRA generates adversarial examples by applying an adaptive perturbation. Furthermore, we investigate the transferability of the high-robust area during the attack iteration process and experimentally demonstrate its effectiveness. Therefore, ATRA has the advantage of reducing the additional cost of generating strong adversarial examples while maintaining model robustness. Our experimental results on MNIST, CIFAR10, and TinyImageNet show that our method outperforms current state-of-the-art baselines with significantly less additional training time required, especially on MNIST where our method requires 18 × less training time. Furthermore, our method also achieves good performance under different adversarial attacks such as FGSM, CW, and AutoAttack. [ABSTRACT FROM AUTHOR]