pith. sign in

arxiv: 1904.12843 · v2 · pith:YD4L4FAKnew · submitted 2019-04-29 · 💻 cs.LG · cs.CR· cs.CV· stat.ML

Adversarial Training for Free!

classification 💻 cs.LG cs.CRcs.CVstat.ML
keywords adversarialtrainingattackscostexamplesfreestrongalgorithm
0
0 comments X
read the original abstract

Adversarial training, in which a network is trained on adversarial examples, is one of the few defenses against adversarial attacks that withstands strong attacks. Unfortunately, the high cost of generating strong adversarial examples makes standard adversarial training impractical on large-scale problems like ImageNet. We present an algorithm that eliminates the overhead cost of generating adversarial examples by recycling the gradient information computed when updating model parameters. Our "free" adversarial training algorithm achieves comparable robustness to PGD adversarial training on the CIFAR-10 and CIFAR-100 datasets at negligible additional cost compared to natural training, and can be 7 to 30 times faster than other strong adversarial training methods. Using a single workstation with 4 P100 GPUs and 2 days of runtime, we can train a robust model for the large-scale ImageNet classification task that maintains 40% accuracy against PGD attacks. The code is available at https://github.com/ashafahi/free_adv_train.

This paper has not been read by Pith yet.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 3 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Homogenization of $\ell_2$-Adversarial Training in High-Dimensions: Exact Dynamics under Stochastic Gradient Descent

    math.OC 2026-06 unverdicted novelty 7.0

    Derives ODE deterministic equivalents and an adversarial homogenized SDE for SGD iterates in high-dim ℓ2-adversarial training, showing no constant learning rate ensures monotone descent for single-class adversarial le...

  2. Fast Adversarial Attacks with Gradient Prediction

    cs.LG 2026-05 unverdicted novelty 6.0

    Gradient prediction via linear regression on hidden states recovers most FGSM attack strength at 532% higher throughput by avoiding backward passes.

  3. SORA: Free Second-Order Attacks in Fast Adversarial Training

    cs.LG 2026-05 unverdicted novelty 5.0

    SORA is an adaptive step-size adversarial training algorithm that formalizes epsilon overfitting, introduces the PertAlign metric to predict catastrophic overfitting, and dynamically adjusts perturbations to achieve s...