Salient Information Preserving Adversarial Training Improves Clean and Robust Accuracy

TL;DR

SIP-AT addresses the robustness-accuracy trade-off in adversarial training by constraining perturbations to preserve salient information, using salience maps generated by humans or machines. The authors formalize a restricted perturbation set $\Delta'(x)$ and provide a practical projection method to enforce salience preservation, enabling learning of both robust features and useful non-robust features. Empirical results across CIFAR-10, CIFAR-100, and CUB-200-2011 show SIP-AT improves clean accuracy while maintaining robustness, especially against low-$\varepsilon$ attacks, with a human perceptual study confirming low-perturbation adversaries remain hard to detect. The work demonstrates SIP-AT’s compatibility with various salience sources and architectures, offering a practical, information-preserving approach to adversarial defense with meaningful implications for deployment and further research.

Abstract

In this work we introduce Salient Information Preserving Adversarial Training (SIP-AT), an intuitive method for relieving the robustness-accuracy trade-off incurred by traditional adversarial training. SIP-AT uses salient image regions to guide the adversarial training process in such a way that fragile features deemed meaningful by an annotator remain unperturbed during training, allowing models to learn highly predictive non-robust features without sacrificing overall robustness. This technique is compatible with both human-based and automatically generated salience estimates, allowing SIP-AT to be used as a part of human-driven model development without forcing SIP-AT to be reliant upon additional human data. We perform experiments across multiple datasets and architectures and demonstrate that SIP-AT is able to boost the clean accuracy of models while maintaining a high degree of robustness against attacks at multiple epsilon levels. We complement our central experiments with an observational study measuring the rate at which human subjects successfully identify perturbed images. This study helps build a more intuitive understanding of adversarial attack strength and demonstrates the heightened importance of low-epsilon robustness. Our results demonstrate the efficacy of SIP-AT and provide valuable insight into the risks posed by adversarial samples of various strengths.

Figures (5)

• Figure 1: An illustration of Salient Information Preserving Adversarial Training (SIP-AT). Input images ① are first given to an annotator ② (either human or a machine) which generates estimates ③ of which regions of the image should be considered salient. The input images are then fed through the neural network that is to be trained. The standard adversarial samples ④ obtained for this model are combined (via element-wise multiplication) with the salience maps to produce adversarial samples ⑤ which preserve the salient regions of the original images. These salient information-preserved adversarial samples are then used to train the model.
• Figure 2: Examples of synthetically generated salience maps following equation \ref{['eq:Top-K_Pixels']}. Two samples are shown for each dataset. From left to right: CIFAR-10, CIFAR-100, and CUB-200-2011.
• Figure 3: Example of a question shown to survey participants.
• Figure 4: Examples comparing synthetic salience maps (middle column) against human generated salience maps (right column) for CUB-200-2011. For each image, the synthetic salience maps include regions that - while potentially useful or predictive - are external to the bird itself (e.g., while having a hummingbird feeder within an image may be correlated with the image having the label "hummingbird", the presence of the hummingbird feeder has no influence on the type of bird in the picture). In contrast, the human annotations are drawn exclusively on the bird.
• Figure 5: The rate at which humans indicate an image has been perturbed for varying degrees of attack strength $\varepsilon$. Here $\varepsilon = 0$ indicates clean or unperturbed images.