
GReAT: A Graph Regularized Adversarial Training Method

Samet Bayram, Kenneth Barner

TL;DR

GReAT (Graph Regularized Adversarial Training) tackles adversarial vulnerability in image classification by weaving graph-based regularization into adversarial training to exploit data geometry and unlabeled information. The method defines a joint objective $\mathcal{L}_{GReAT} = \mathcal{L}_{adv} + \lambda \mathcal{L}_{N}$ that aggregates supervised signals from clean and adversarial samples with neighbor-based regularization across both sample types. Empirical results on CIFAR-10 and SVHN show notable improvements in robust accuracy under FGSM and PGD attacks, with ablation analyses validating the contribution of graph-structured neighbor losses and embedding-based graph construction. The work demonstrates that leveraging structural data information during training can enhance both robustness and generalization, offering a practical path toward more reliable deep learning models in adversarial settings.

Abstract

This paper presents GReAT (Graph Regularized Adversarial Training), a novel regularization method designed to enhance the robust classification performance of deep learning models. Adversarial examples, characterized by subtle perturbations that can mislead models, pose a significant challenge in machine learning. Although adversarial training is effective in defending against such attacks, it often overlooks the underlying data structure. In response, GReAT integrates graph-based regularization into the adversarial training process, leveraging the data's inherent structure to enhance model robustness. By incorporating graph information during training, GReAT defends against adversarial attacks and improves generalization to unseen data. Extensive evaluations on benchmark datasets demonstrate that GReAT outperforms state-of-the-art methods in robustness, achieving notable improvements in classification accuracy. Specifically, compared to the second-best methods, GReAT achieves a performance increase of approximately 4.87% for CIFAR10 against the FGSM attack and 10.57% for SVHN against the FGSM attack. Additionally, for CIFAR10, GReAT demonstrates a performance increase of approximately 11.05% against the PGD attack, and for SVHN, a 5.54% increase against the PGD attack. This paper provides detailed insights into the proposed methodology, including numerical results and comparisons with existing approaches, highlighting the significant impact of GReAT in advancing the performance of deep learning models.

Paper Structure (23 sections, 10 equations, 7 figures, 6 tables, 1 algorithm)

Figures (7)

  • Figure 1: GReAT framework.
  • Figure 2: Densenet121 for generating image embeddings.
  • Figure 3: Graph creation from embedding of clean and adversarial examples.
  • Figure 4: Samples in embedding space. The left figure represents all the samples in the validation data set. The right figure shows some clean samples and their adversarial neighbors.
  • Figure 5: A: A sample with two neighbors showing their sub-graph and feature inputs. Blue nodes represent clean samples, and red nodes represent adversarially perturbed samples. B,C,D,E,F, and G show how clean samples and adversarial examples may link on the graph structure.
  • ...and 2 more figures