
Adversarial Training

Adversarial training is a two-player game between an adversary and a defender: the adversary generates adversarial examples against the current model, and the defender trains on them to improve the model's resilience. This paper list is continuously updated to keep track of the latest work.

PAPER LIST

1 Definition

  • [2017] Towards deep learning models resistant to adversarial attacks. [paper]
  • [2018] Adversarial logit pairing. [paper]

2 Overfitting (Generalization)

2.1 Catastrophic Overfitting

2.1.1 Underlying Reasons

  • [2024] Improving fast adversarial training with prior-guided knowledge. [paper]
  • [2024] Eliminating catastrophic overfitting via abnormal adversarial examples regularization. [paper]
  • [2024] Taxonomy driven fast adversarial training. [paper]
  • [2024] Revisiting single-step adversarial training for robustness and generalization. [paper]
  • [2023] Fast adversarial training with adaptive step size. [paper]
  • [2023] Investigating catastrophic overfitting in fast adversarial training: A self-fitting perspective. [paper]
  • [2023] Catastrophic overfitting can be induced with discriminative non-robust features. [paper]
  • [2023] On the over-memorization during natural, robust and catastrophic overfitting. [paper]
  • [2023] Efficient local linearity regularization to overcome catastrophic overfitting. [paper]
  • [2023] The enemy of my enemy is my friend: Exploring inverse adversaries for improving adversarial training. [paper]
  • [2023] Fast adversarial training with smooth convergence. [paper]
  • [2022] Subspace adversarial training. [paper]
  • [2022] FrequencyLowCut pooling: Plug and play against catastrophic overfitting. [paper]
  • [2022] Boosting fast adversarial training with learnable adversarial initialization. [paper]
  • [2022] Prior-guided adversarial initialization for fast adversarial training. [paper]
  • [2021] Reliably fast adversarial training via latent adversarial perturbation. [paper]
  • [2021] Understanding catastrophic overfitting in single-step adversarial training. [paper]
  • [2020] Single-step adversarial training with dropout scheduling. [paper]
  • [2020] Understanding and improving fast adversarial training. [paper]
  • [2019] Fast is better than free: Revisiting adversarial training. [paper]
  • [2017] Towards deep learning models resistant to adversarial attacks. [paper]

2.1.2 Solutions

  • [2024] Improving fast adversarial training with prior-guided knowledge. [paper]
  • [2024] Eliminating catastrophic overfitting via abnormal adversarial examples regularization. [paper]
  • [2024] Taxonomy driven fast adversarial training. [paper]
  • [2024] Revisiting single-step adversarial training for robustness and generalization. [paper]
  • [2023] Efficient local linearity regularization to overcome catastrophic overfitting. [paper]
  • [2023] On the over-memorization during natural, robust and catastrophic overfitting. [paper]
  • [2023] Investigating catastrophic overfitting in fast adversarial training: A self-fitting perspective. [paper]
  • [2023] The enemy of my enemy is my friend: Exploring inverse adversaries for improving adversarial training. [paper]
  • [2023] Fast adversarial training with adaptive step size. [paper]
  • [2023] Fast adversarial training with smooth convergence. [paper]
  • [2023] Towards stable and efficient adversarial training against l_1 bounded adversarial attacks. [paper]
  • [2022] Subspace adversarial training. [paper]
  • [2022] Prior-guided adversarial initialization for fast adversarial training. [paper]
  • [2022] FrequencyLowCut pooling: Plug and play against catastrophic overfitting. [paper]
  • [2022] Make some noise: Reliable and efficient single-step adversarial training. [paper]
  • [2022] Boosting fast adversarial training with learnable adversarial initialization. [paper]
  • [2021] Understanding catastrophic overfitting in single-step adversarial training. [paper]
  • [2021] Reliably fast adversarial training via latent adversarial perturbation. [paper]
  • [2020] Understanding and improving fast adversarial training. [paper]
  • [2020] Single-step adversarial training with dropout scheduling. [paper]

2.2 Robust Overfitting

2.2.1 Underlying Reasons

  • [2024] Regional adversarial training for better robust generalization. [paper]
  • [2024] Balance, imbalance, and rebalance: Understanding robust overfitting from a minimax game perspective. [paper]
  • [2023] A3T: Accuracy aware adversarial training. [paper]
  • [2023] Mitigating robust overfitting via self-residual-calibration regularization. [paper]
  • [2023] Understanding and combating robust overfitting via input loss landscape analysis and regularization. [paper]
  • [2023] Exploring the relationship between architectural design and adversarially robust generalization. [paper]
  • [2022] CAT: Customized adversarial training for improved robustness. [paper]
  • [2022] Understanding robust overfitting of adversarial training and beyond. [paper]
  • [2021] Robust overfitting may be mitigated by properly learned smoothening. [paper]
  • [2021] Exploring memorization in adversarial training. [paper]
  • [2021] Low curvature activations reduce overfitting in adversarial training. [paper]
  • [2021] Fixing data augmentation to improve adversarial robustness. [paper]
  • [2020] Adversarial vertex mixup: Toward better adversarially robust generalization. [paper]
  • [2020] Confidence-calibrated adversarial training: Generalizing to unseen attacks. [paper]
  • [2020] Geometry-aware instance-reweighted adversarial training. [paper]
  • [2020] Adversarial weight perturbation helps robust generalization. [paper]
  • [2019] Adversarial robustness may be at odds with simplicity. [paper]
  • [2019] Robust local features for improving the generalization of adversarial training. [paper]
  • [2018] Adversarially robust generalization requires more data. [paper]
  • [2018] Averaging weights leads to wider optima and better generalization. [paper]

2.2.2 Solutions

  • [2024] Regional adversarial training for better robust generalization. [paper]
  • [2024] Balance, imbalance, and rebalance: Understanding robust overfitting from a minimax game perspective. [paper]
  • [2023] Boosting adversarial robustness via self-paced adversarial training. [paper]
  • [2023] A3T: Accuracy aware adversarial training. [paper]
  • [2023] Understanding and combating robust overfitting via input loss landscape analysis and regularization. [paper]
  • [2023] Mitigating robust overfitting via self-residual-calibration regularization. [paper]
  • [2023] Interpolated joint space adversarial training for robust and generalizable defenses. [paper]
  • [2023] Self-ensemble adversarial training for improved robustness. [paper]
  • [2023] Better diffusion models further improve adversarial training. [paper]
  • [2022] Consistency regularization for adversarial robustness. [paper]
  • [2022] CAT: Customized adversarial training for improved robustness. [paper]
  • [2022] Understanding robust overfitting of adversarial training and beyond. [paper]
  • [2022] Data augmentation alone can improve adversarial training. [paper]
  • [2021] Low curvature activations reduce overfitting in adversarial training. [paper]
  • [2021] Exploring memorization in adversarial training. [paper]
  • [2021] Robust overfitting may be mitigated by properly learned smoothening. [paper]
  • [2021] Improving robustness using generated data. [paper]
  • [2021] Fixing data augmentation to improve adversarial robustness. [paper]
  • [2021] Data augmentation can improve robustness. [paper]
  • [2020] Adversarial weight perturbation helps robust generalization. [paper]
  • [2020] Geometry-aware instance-reweighted adversarial training. [paper]
  • [2020] Adversarial vertex mixup: Toward better adversarially robust generalization. [paper]
  • [2020] Confidence-calibrated adversarial training: Generalizing to unseen attacks. [paper]
  • [2019] Improving adversarial robustness requires revisiting misclassified examples. [paper]
  • [2019] On the convergence and robustness of adversarial training. [paper]
  • [2019] Adversarially robust generalization just requires more unlabeled data. [paper]
  • [2019] Using pre-training can improve model robustness and uncertainty. [paper]
  • [2019] Robust local features for improving the generalization of adversarial training. [paper]
  • [2019] Are labels required for improving adversarial robustness? [paper]
  • [2018] Averaging weights leads to wider optima and better generalization. [paper]
  • [2018] Adversarially robust generalization requires more data. [paper]
  • [2018] Curriculum adversarial training. [paper]

3 Adversarial Robustness Enhancement

  • [2024] Exploring robust features for improving adversarial robustness. [paper]
  • [2024] Defense against adversarial attacks using topology aligning adversarial training. [paper]
  • [2024] Improving adversarial robustness via information bottleneck distillation. [paper]
  • [2023] Improving adversarial robustness with self-paced hard-class pair reweighting. [paper]
  • [2023] Edge enhancement improves adversarial robustness in image classification. [paper]
  • [2023] Feature separation and recalibration for adversarial robustness. [paper]
  • [2023] Theoretically grounded loss functions and algorithms for adversarial robustness. [paper]
  • [2022] Enhancing adversarial training with second-order statistics of weights. [paper]
  • [2021] Self-ensemble adversarial training for improved robustness. [paper]
  • [2021] CIFS: Improving adversarial robustness of CNNs via channel-wise importance-based feature selection. [paper]
  • [2020] Adversarial self-supervised contrastive learning. [paper]
  • [2020] Improving adversarial robustness via channel-wise activation suppressing. [paper]
  • [2019] Improving adversarial robustness via promoting ensemble diversity. [paper]
  • [2019] Feature denoising for improving adversarial robustness. [paper]
  • [2019] Metric learning for adversarial robustness. [paper]
  • [2017] Ensemble adversarial training: Attacks and defenses. [paper]

4 Robust Fairness

  • [2024] DAFA: Distance-aware fair adversarial training. [paper]
  • [2023] Combining adversaries with anti-adversaries in training. [paper]
  • [2023] Improving robust fairness via balance adversarial training. [paper]
  • [2023] CFA: Class-wise calibrated fair adversarial training. [paper]
  • [2021] Robustness may be at odds with fairness: An empirical study on class-wise accuracy. [paper]
  • [2021] Analysis and applications of class-wise robustness in adversarial training. [paper]
  • [2021] To be robust or to be fair: Towards fairness in adversarial training. [paper]

5 Trade-off between Adversarial Robustness and Standard Accuracy

  • [2024] Maximization of average precision for deep learning with adversarial ranking robustness. [paper]
  • [2024] Enhance adversarial robustness via geodesic distance. [paper]
  • [2024] Revisiting the trade-off between accuracy and robustness via weight distribution of filters. [paper]
  • [2024] Attention-based investigation and solution to the trade-off issue of adversarial training. [paper]
  • [2024] Connecting certified and adversarial training. [paper]
  • [2023] Interpolated joint space adversarial training for robust and generalizable defenses. [paper]
  • [2023] The enemy of my enemy is my friend: Exploring inverse adversaries for improving adversarial training. [paper]
  • [2023] Combining adversaries with anti-adversaries in training. [paper]
  • [2023] One-vs-the-rest loss to focus on important samples in adversarial training. [paper]
  • [2023] Towards desirable decision boundary by moderate-margin adversarial training. [paper]
  • [2023] Adversarial robustness via random projection filters. [paper]
  • [2023] Push stricter to decide better: A class-conditional feature adaptive framework for improving adversarial robustness. [paper]
  • [2023] Improving adversarial robustness by learning shared information. [paper]
  • [2023] Randomized adversarial training via Taylor expansion. [paper]
  • [2023] FLOAT: Fast learnable once-for-all adversarial training for tunable trade-off between accuracy and robustness. [paper]
  • [2023] Improving generalization of adversarial training via robust critical fine-tuning. [paper]
  • [2023] Conserve-update-revise to cure generalization and robustness trade-off in adversarial training. [paper]
  • [2023] Generalist: Decoupling natural and robust generalization. [paper]
  • [2023] Advancing example exploitation can alleviate critical challenges in adversarial training. [paper]
  • [2021] Robust overfitting may be mitigated by properly learned smoothening. [paper]
  • [2021] Improving robustness using generated data. [paper]
  • [2021] Reducing excessive margin to achieve a better accuracy vs. robustness trade-off. [paper]
  • [2021] Fast AdvProp. [paper]
  • [2021] Learnable boundary guided adversarial training. [paper]
  • [2020] Smooth adversarial training. [paper]
  • [2020] Adversarial examples improve image recognition. [paper]
  • [2020] Attacks which do not kill training make adversarial learning stronger. [paper]
  • [2020] Geometry-aware instance-reweighted adversarial training. [paper]
  • [2020] A closer look at accuracy vs. robustness. [paper]
  • [2020] Understanding and mitigating the tradeoff between robustness and accuracy. [paper]
  • [2019] Interpolated adversarial training: Achieving robust neural networks without sacrificing too much accuracy. [paper]
  • [2019] Defense against adversarial attacks using feature scattering-based adversarial training. [paper]
  • [2019] Bilateral adversarial training: Towards fast training of more robust models against adversarial attacks. [paper]
  • [2019] Intriguing properties of adversarial training at scale. [paper]

6 Comparison and Connection between Adversarial Training and Randomized Smoothing

Papers on this topic are listed under Randomized Smoothing.

7 Defense against Patch Attack

  • [2023] PatchZero: Defending against adversarial patch attacks by detecting and zeroing the patch. [paper]
  • [2019] Local gradients smoothing: Defense against localized adversarial attacks. [paper]

8 Multi-Attack Robustness

  • [2023] Towards compositional adversarial robustness: Generalizing adversarial training to composite semantic perturbations. [paper]
  • [2022] Formulating robustness against unforeseen attacks. [paper]
  • [2021] Perceptual adversarial robustness: Defense against unseen threat models. [paper]
  • [2020] Confidence-calibrated adversarial training: Generalizing to unseen attacks. [paper]
  • [2020] Adversarial self-supervised contrastive learning. [paper]
  • [2020] Adversarial robustness against the union of multiple perturbation models. [paper]
  • [2019] Adversarial training and robustness for multiple perturbations. [paper]
  • [2019] Adversarial framing for image and video classification. [paper]

9 Cross-Network and Cross-Task Adversarial Training

  • [2020] A self-supervised approach for adversarial robustness. [paper]

10 Robust Pre-training and Fine-tuning

  • [2024] Securely fine-tuning pre-trained encoders against adversarial examples. [paper]
  • [2023] Twins: A fine-tuning framework for improved transferability of adversarial robustness and generalization. [paper]
  • [2023] AutoLoRa: A parameter-free automated robust fine-tuning framework. [paper]
  • [2023] Adversarial supervised contrastive learning. [paper]
  • [2022] Adversarial momentum-contrastive pre-training. [paper]
  • [2021] When does contrastive learning preserve adversarial robustness from pretraining to fine-tuning? [paper]
  • [2020] Adversarial robustness: From self-supervised pre-training to fine-tuning. [paper]
  • [2020] Robust pre-training by adversarial contrastive learning. [paper]
  • [2020] Adversarial self-supervised contrastive learning. [paper]
  • [2019] Using pre-training can improve model robustness and uncertainty. [paper]

11 Adaptive Perturbations

  • [2024] Improving adversarial training using vulnerability-aware perturbation budget. [paper]
  • [2023] Improving robust fairness via balance adversarial training. [paper]
  • [2023] CFA: Class-wise calibrated fair adversarial training. [paper]
  • [2022] CAT: Customized adversarial training for improved robustness. [paper]
  • [2021] Understanding catastrophic overfitting in single-step adversarial training. [paper]
  • [2021] To be robust or to be fair: Towards fairness in adversarial training. [paper]
  • [2019] Instance adaptive adversarial training: Improved accuracy tradeoffs in neural nets. [paper]
  • [2018] MMA training: Direct input space margin maximization through adversarial training. [paper]

12 Efficiency

  • [2024] Improving fast adversarial training with prior-guided knowledge. [paper]
  • [2024] Fast propagation is better: Accelerating single-step adversarial training via sampling subnetworks. [paper]
  • [2024] Data filtering for efficient adversarial training. [paper]
  • [2023] Adversarial coreset selection for efficient robust training. [paper]
  • [2023] Efficient local linearity regularization to overcome catastrophic overfitting. [paper]
  • [2022] Boosting fast adversarial training with learnable adversarial initialization. [paper]
  • [2022] Prior-guided adversarial initialization for fast adversarial training. [paper]
  • [2021] BulletTrain: Accelerating robust neural network training via boundary example mining. [paper]
  • [2019] Fast is better than free: Revisiting adversarial training. [paper]
  • [2019] You only propagate once: Accelerating adversarial training via maximal principle. [paper]
  • [2019] Adversarial training for free! [paper]

13 Adversarial Training for ViTs and Comparison with CNNs

  • [2023] A light recipe to train robust vision transformers. [paper]
  • [2022] When adversarial training meets vision transformers: Recipes from training to architecture. [paper]
  • [2022] Towards efficient adversarial training on vision transformers. [paper]
  • [2021] Are transformers more robust than CNNs? [paper]

14 Adversarial Training against Poisoning Attack

  • [2023] On the effectiveness of adversarial training against backdoor attacks. [paper]

14.1 Adversarial Training against Backdoor Attack

  • [2021] Adversarial unlearning of backdoors via implicit hypergradient. [paper]

14.2 Adversarial Training against Availability Attack

  • [2023] Learning the unlearnable: Adversarial augmentations suppress unlearnable example attacks. [paper]
  • [2021] Better safe than sorry: Preventing delusive adversaries with adversarial training. [paper]
  • [2020] Unlearnable examples: Making personal data unexploitable. [paper]