Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Two Heads are Better than One: Robust Learning Meets Multi-branch Models

Zongyuan Zhang, Qingwen Bu, Tianyang Duan, Zheng Lin, Yuhao Qing, Zihan Fang, Heming Cui, Dong Huang

TL;DR

The paper addresses adversarial vulnerability by shifting focus from data augmentation to model-space diversity. It introduces BORT, a multi-branch adversarial training framework with a branch-orthogonal loss that enforces orthogonal solution spaces among branches, trained sequentially with PGD-based adversaries. The approach achieves state-of-the-art robust accuracy on CIFAR-10 (67.3%), CIFAR-100 (41.5%), and competitive SVHN performance without using additional data, outperforming data-augmented baselines. This work highlights a practical model-centric complement to data-centric defenses, offering substantial robustness benefits with moderate training cost.

Abstract

Deep neural networks (DNNs) are vulnerable to adversarial examples, in which DNNs are misled to false outputs due to inputs containing imperceptible perturbations. Adversarial training, a reliable and effective method of defense, may significantly reduce the vulnerability of neural networks and becomes the de facto standard for robust learning. While many recent works practice the data-centric philosophy, such as how to generate better adversarial examples or use generative models to produce additional training data, we look back to the models themselves and revisit the adversarial robustness from the perspective of deep feature distribution as an insightful complementarity. In this paper, we propose \textit{Branch Orthogonality adveRsarial Training} (BORT) to obtain state-of-the-art performance with solely the original dataset for adversarial training. To practice our design idea of integrating multiple orthogonal solution spaces, we leverage a simple multi-branch neural network and propose a corresponding loss function, branch-orthogonal loss, to make each solution space of the multi-branch model orthogonal. We evaluate our approach on CIFAR-10, CIFAR-100 and SVHN against $\ell_{\infty}$ norm-bounded perturbations of size $ε= 8/255$, respectively. Exhaustive experiments are conducted to show that our method goes beyond all state-of-the-art methods without any tricks. Compared to all methods that do not use additional data for training, our models achieve 67.3\% and 41.5\% robust accuracy on CIFAR-10 and CIFAR-100 (improving upon the state-of-the-art by +7.23\% and +9.07\%).

Two Heads are Better than One: Robust Learning Meets Multi-branch Models

TL;DR

The paper addresses adversarial vulnerability by shifting focus from data augmentation to model-space diversity. It introduces BORT, a multi-branch adversarial training framework with a branch-orthogonal loss that enforces orthogonal solution spaces among branches, trained sequentially with PGD-based adversaries. The approach achieves state-of-the-art robust accuracy on CIFAR-10 (67.3%), CIFAR-100 (41.5%), and competitive SVHN performance without using additional data, outperforming data-augmented baselines. This work highlights a practical model-centric complement to data-centric defenses, offering substantial robustness benefits with moderate training cost.

Abstract

Deep neural networks (DNNs) are vulnerable to adversarial examples, in which DNNs are misled to false outputs due to inputs containing imperceptible perturbations. Adversarial training, a reliable and effective method of defense, may significantly reduce the vulnerability of neural networks and becomes the de facto standard for robust learning. While many recent works practice the data-centric philosophy, such as how to generate better adversarial examples or use generative models to produce additional training data, we look back to the models themselves and revisit the adversarial robustness from the perspective of deep feature distribution as an insightful complementarity. In this paper, we propose \textit{Branch Orthogonality adveRsarial Training} (BORT) to obtain state-of-the-art performance with solely the original dataset for adversarial training. To practice our design idea of integrating multiple orthogonal solution spaces, we leverage a simple multi-branch neural network and propose a corresponding loss function, branch-orthogonal loss, to make each solution space of the multi-branch model orthogonal. We evaluate our approach on CIFAR-10, CIFAR-100 and SVHN against norm-bounded perturbations of size , respectively. Exhaustive experiments are conducted to show that our method goes beyond all state-of-the-art methods without any tricks. Compared to all methods that do not use additional data for training, our models achieve 67.3\% and 41.5\% robust accuracy on CIFAR-10 and CIFAR-100 (improving upon the state-of-the-art by +7.23\% and +9.07\%).
Paper Structure (14 sections, 4 equations, 5 figures, 4 tables, 1 algorithm)

This paper contains 14 sections, 4 equations, 5 figures, 4 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Related Work
  3. Adversarial Attacks
  4. Adversarial Training as a defense
  5. Proposed Method
  6. Multi-branch Neural Network
  7. Branch-orthogonal Loss
  8. Optimization Formulation
  9. Training Pipeline
  10. Experiment
  11. Evaluation Setting
  12. Overall Performance
  13. Ablation Studies
  14. Conclusion

Figures (5)

  • Figure 1: The distribution of simplified binary classification models in the solution space, where blue and red dots represents two categories of data samples respectively.
  • Figure 2: Robust accuracy of models against AutoAttackcroce2020reliable on CIFAR10 (left) and CIFAR100 (right) dataset.
  • Figure 3: Overview
  • Figure 4: Evaluation results for individual branches on evenly segmented test data batches of CIFAR-10. The model used here is WRN-28-10. Each individual branch is attacked with PGD25 and the complete network with PGD100.
  • Figure 5: Results of transfer attacks among the four branches. The numbers and their corresponding color representations robust accuracy against PGD-100 attack. The dataset and base model we use are CIFAR-10 and BORT-WRN-28-10 respectively.