Avoiding catastrophic overfitting in fast adversarial training with adaptive similarity step size

doi:10.1371/journal.pone.0317023

Fig 1.

Adversarial training process where catastrophic overfitting occurs.

More »

Expand

Fig 2.

Adversarial training processes in traditional FGSM adversarial training.

More »

Expand

Table 1.

Attack success rates of different single-step attack methods.

More »

Expand

Table 2.

Average total perturbation magnitudes generated by different single-step attack methods.

More »

Expand

Table 3.

Maximum total perturbation magnitudes generated by different single-step attack methods.

More »

Expand

Fig 3.

Comparison of adversarial samples generated by different single-step attack methods.

More »

Expand

Fig 4.

Flowchart of fast adversarial training method based on adaptive similarity step size.

More »

Expand

Fig 5.

Illustrative examples for Euclidean distance similarity and cosine similarity.

More »

Expand

Fig 6.

Adversarial training process of ATSS on the ResNet18 model.

More »

Expand

Fig 7.

Adversarial training process of ATSS on the VGG19 model.

More »

Expand

Fig 8.

Adversarial training process of ATSS on the CIFAR-100 dataset.

More »

Expand

Fig 9.

Adversarial training process of ATSS on the Tiny ImageNet dataset.

More »

Expand

Fig 10.

Performance comparison during training among ATSS, FGSM-RS, and N-FGSM.

More »

Expand

Table 4.

Classification accuracy and training time under adversarial attacks for different adversarial training methods.

More »

Expand

Fig 11.

Comparison of ATSS and multi-step adversarial training method in robust accuracy and training time.

More »

Expand

Table 5.

Classification accuracy against PGD-10 attacks on different datasets.

More »

Expand

Table 6.

Test results under different similarity calculation strategies.

More »

Expand

Table 7.

Test results under different influence coefficient.

More »

Expand

Table 8.

Test results under different standard step size.

More »

Expand