While convolutional neural networks (CNNs) have achieved excellent performances in various computer vision tasks, they often misclassify with malicious samples, a.k.a. adversarial examples. Adversarial training is a popular and straightforward technique to defend against the threat of adversarial examples. Unfortunately, CNNs must sacrifice the accuracy of standard samples to improve robustness against adversarial examples when adversarial training is used. In this work, we propose Masking and Mixing Adversarial Training (M2AT) to mitigate the trade-off between accuracy and robustness. We focus on creating diverse adversarial examples during training. Specifically, our approach consists of two processes: 1) masking a perturbation with a binary mask and 2) mixing two partially perturbed images. Experimental results on CIFAR-10 dataset demonstrate that our method achieves better robustness against several adversarial attacks than previous methods.

本文提出一种名为M2AT的方法来提高卷积神经网络（CNN）对抗攻击的鲁棒性，该方法包括掩蔽和混合对抗训练（M2AT）两个过程，其通过制造多样的对抗样本来缓解模型准确性与鲁棒性的平衡问题，并在CIFAR-10数据集上得到了比之前方法更好的对抗攻击鲁棒性。

掩模与混淆对抗训练