Home

Awesome

Revisiting Adversarial Training for ImageNet: Architectures, Training and Generalization across Threat Models

Naman D Singh, Francesco Croce, Matthias Hein

University of Tübingen

NeurIPS 2023

Paper

Abstract

While adversarial training has been extensively studied for ResNet architectures and low resolution datasets like CIFAR, much less is known for ImageNet. Given the recent debate about whether transformers are more robust than convnets, we revisit adversarial training on ImageNet comparing ViTs and ConvNeXts. Extensive experiments show that minor changes in architecture, most notably replacing PatchStem with ConvStem, and training scheme have a significant impact on the achieved robustness. These changes not only increase robustness in the seen $\ell_\infty$-threat model, but even more so improve generalization to unseen $\ell_1/\ell_2$-robustness.

readme_teaser

Code

Requirements (specific versions tested on): </br> fastargs-1.2.0 autoattack-0.1 pytorch-1.13.1 torchvision-0.14.1 robustbench-1.1 timm-0.8.0.dev0, GPUtil

Training

The bash script in run_train.sh trains the model model.arch. For clean training: adv.attack none and for adversarial training set adv.attack apgd.</br> For the standard setting as in the paper (heavy augmentations) set data.augmentations 1, model.model_ema 1 and training.label_smoothing 1.</br> To train models with Convolution-Stem (CvSt) set model.not_original 1.</br> The code does standard APGD adversarial training. </br>The file utils_architecture.py has model definitions for the new CvSt models, all models are built on top of timm imports.

Evaluating a model

The file runner_aa_eval runs AutoAttack(AA). Passing fullaa 1 runs complete AA whereas fullaa 0 runs the first two attacks (APGD-CE and APGD-T) in AA.</br>

Checkpoints - ImageNet $\ell_{\infty} = 4/255$ robust models.

The link location includes weights for the clean model (the one used as initialization for Adversarial Training (AT)), the robust model, and the full-AA log for $\ell_{\infty}, \ell_2$ and $\ell_1$ attacks. </br> Note: the higher resolution numbers use the same checkpoint as for the standard resolution of 224 - only evaluation is done at the higher resolution mentioned.</br>

Model-Nameepochsres.Clean acc.AA - $\ell_{\infty}$ acc.Checkpoint (clean-init </br> and robust)
ConvNext-iso-CvSt30022470.245.9Link
ViT-S30022469.244.0Link
ViT-S-CvSt30022472.548.1Link
ConvNext-T30022472.448.6Link
ConvNext-T-CvSt30022472.749.5Link
ViT-M-CvSt5022472.448.8Link
ConvNext-S-CvSt5022474.152.4Link
ViT-B5022473.350.0Link
ConvNext-B5022475.654.3Link
ViT-B-CvSt25022476.354.7Link
ConvNext-B-CvSt25022475.956.1Link
ConvNext-B-CvSt*---25676.957.3Link
ConvNext-L-CvSt10022477.057.7Link
ConvNext-L-CvSt*---32078.259.4Link
*: increased resolution (only for evaluation) also leads to increased FLOPs.

Checkpoints along with accuracy and robustness logs for ImageNet models finetuned to be robust at $\ell_\infty = 8/255$ are available here: Link


<h4>Citation</h4>

If you use our code/models cite our work using the following BibTex entry:

@inproceedings{singh2023revisiting,
  title={Revisiting Adversarial Training for ImageNet: Architectures, Training and Generalization across Threat Models},
  author={Singh, Naman D and Croce, Francesco and Hein, Matthias},
  booktitle={NeurIPS},
  year={2023}}