In this paper, we study fast training of adversarially robust models. From the analyses on the state-of-the-art defense method, i.e., the multi-step adversarial training~\cite{madry2017towards}, we hypothesize that the gradient magnitude links to the model robustness. Motivated by this, we propose to perturb both the image and the label during training, which we call Bilateral Adversarial Training (BAT). To generate the adversarial label, we derive an closed-form heuristic solution. To generate the adversarial image, we use one-step targeted attack with the target label being the most confusing class. In the experiment, we first show that random start and the most confusing target attack effectively prevent the label leaking and gradient masking problem. Then coupled with the adversarial label part, our model significantly improves the state-of-the-art results. For example, against PGD100 attack with cross-entropy loss, on CIFAR10, we achieve 63.7\% versus 47.2\%; on SVHN, we achieve 59.1\% versus 42.1\%; on CIFAR100, we achieve 25.3\% versus 23.4\%. Note that these results are obtained by the fast one-step adversarial training.

本文提出了一种Bilateral Adversarial Training方法，使用一步定向攻击生成对抗样本来训练一个抗攻击性更强的神经网络，实验结果表明该方法对于对抗性攻击的鲁棒性有显著提升。

双边对抗训练：快速训练更健壮的模型以抵御对抗性攻击