Conflict-Aware Adversarial Training

Weakness 2 and Question 2. The adversarial attacks used to evaluate the adversarial training methods mainly belong to gradient-based methods, more optimization-based attacks can be used to evaluate the effectiveness of the proposed method. How well does the proposed method perform against more optimization-based attacks (e.g., C&W [2], DDN[3])?

Response. Thank you for bringing this to our attention. We have evaluated our method against optimization-based attacks such as C&W [2] and DDN [3]. Please refer to Table 3 in the appendix for the results. We have also included results for black-box attacks like the Square attack [4] in Table 3. These evaluations show that CA-AT achieves better robustness against both black-box and optimization-based attacks.

Weakness 3 and Question 3. The main comparison method in this manuscript is vanilla AT. There are many improved adversarial training methods that can be considered for comparison. How effective is the proposed method compared to the improved AT (e.g., TRADES, MART)?

Response. Thank you for pointing this out. We would like to clarify that Vanilla AT does not represent a single baseline but rather a paradigm that existing works use to achieve the trade-off between standard accuracy and adversarial accuracy. As presented in Equation 2, $\lambda L_{a} + (1-\lambda) L_{c}$, the adversarial loss $L_{a}$ can be any improved AT method you mentioned (e.g., TRADES, MART). Moreover, we can incorporate these improved adversarial loss functions with CA-AT.

For TRADES [5] and CLP [6], please refer to our existing results in Figure 6 in the main draft and Figures 10 and 11 in the appendix. Additionally, we have added results comparing Vanilla AT and CA-AT using MART [7] as the adversarial loss function, where the superiority of CA-AT still holds.

[1] Bag of Tricks for Adversarial Training, ICLR, 2021.

[2] Towards Evaluating the Robustness of Neural Networks, IEEE SP, 2017.

[3] Decoupling Direction and Norm for Efficient Gradient-Based L2 Adversarial Attacks and Defenses, CVPR, 2019.

[4] Square attack: a query-efficient black-box adversarial attack via random search, ECCV, 2020.

[5] Trade-off between robustness and accuracy of vision transformers, CVPR 2023

[6] Adversarial logit pairing. arXiv preprint arXiv:1803.06373, 2018.

[7] Improving Adversarial Robustness Requires Revisiting Misclassified Examples, ICLR 2020

We truly appreciate the great comments from the reviewer, and here are our responses to the proposed questions. If you find our response satisfactory, please consider raising your score.

We truly appreciate your constructive comments, and here are our responses to your proposed weaknesses and questions.

Weakness 1 and Question 1. Some detailed parameters are not clear, for example, the $\gamma$ and the batch size. According to the study in [1], the batch size is related to the learning rate and they will influence the natural accuracy and robust accuracy. How are the hyperparameter $\gamma$ and the batch size set? What effect do they have on the performance of the proposed method？

Response. Thank you for raising concerns about the sensitivity of hyperparameters such as batch size and $\gamma$. The roles of these two hyperparameters are different; please allow us to explain them separately.

1. Projection Margin Threshold $\gamma$: This is a specific hyperparameter for CA-AT. It serves a similar role to the linear trade-off factor $\lambda$ in Vanilla AT (Eq 2), which controls the trade-off between standard accuracy and adversarial accuracy. In Figures 4–7, we plotted the trade-off curves for Vanilla AT and CA-AT produced by different $\lambda$ and $\gamma$, respectively. These figures show that CA-AT can achieve better trade-offs across various scenarios.

2. Batch Size: This is a training hyperparameter. The paper [1] you cited draws attention to the influence of training hyperparameters such as batch size and learning rate on performance. We conducted additional experiments for the ablation study on Vanilla AT and CA-AT with different batch sizes (Figure 13(b) in the appendix) and learning rates (Figure 13(a) in the appendix). Our observation is that although batch size and learning rate affect the standard accuracy and adversarial accuracies against various attacks, CA-AT consistently leads to better standard performance and adversarial robustness across different batch sizes and learning rates.

Question 1 The exact form of $\lambda^{*}$ is interesting. Could you elaborate on why this form was chosen? What was the inspiration, and what benefits does it offer?

Response Thank you for your interest in the form of $\lambda^*$. The form of $\lambda^*$ was inspired by our desire to adaptively adjust the gradient for parameter updating based on the level of gradient conflict. Specifically, $\lambda^*$ depends on the $\phi$, which is the cosine similarity between the clean gradient $g_c$ and the adversarial gradient $g_a$.

By dynamically adjusting $\lambda^*$ based on the degree of conflict, CA-AT can prioritize either the standard or adversarial loss depending on which gradient direction is more favorable at a given training step. This adaptive mechanism ensures that, in scenarios where the gradients are in significant conflict, the influence of adversarial loss is reduced to avoid harming standard accuracy, and vice versa. This flexibility allows CA-AT to achieve a better balance than a fixed trade-off.

We will add a more detailed discussion on the inspiration and motivation for the specific form of $\lambda^*$ in the revised manuscript.

[1] Trade-off between robustness and accuracy of vision transformers, CVPR 2023

Weakness 3 and Question 2 Additional baselines that achieve similar levels of balance should be included, such as other advanced weighted methods or gradient operations. Using only Vanilla AT as a baseline is insufficient. Please include additional baselines in the experimental section to allow for a more extensive and objective comparison.

Response. Thank you for pointing this out. We would like to clarify that Vanilla AT does not represent a single baseline but a paradigm that existing works use to achieve the trade-off between standard accuracy and adversarial accuracy. As shown in Equation 2, $\lambda L_{a} + (1-\lambda) L_{c}$, the adversarial loss $L_{a}$ can be designed using other methods such as TRADES [1]. We can also incorporate these improved adversarial loss functions with CA-AT. We have conducted experiments where the adversarial loss is Cross Entropy, TRADES, CLP, and MART. Please refer to Figures 6, 10, 11, and Table 6in our main paper and appendix.

We believe the 'advanced weighted methods' you mentioned are methods that adjust $\lambda$ in Equation 2 during training to achieve a better trade-off between standard accuracy and adversarial accuracy. We conducted a thorough literature review on adversarial training but have not found any such work. To the best of our knowledge, our work is the first in this direction. If you are aware of any related work, could you please let us know? We can conduct a comparative study based on them as soon as possible. Additionally, regarding other methods utilizing gradient operations during adversarial training, we believe our paper is the first to observe the problem of gradient conflict and to propose a method based on gradient operations to alleviate this problem. Please check our clarification on this in the Introduction section.

We truly appreciate the great comments from the reviewer, and here are our responses to the proposed questions. If you find our response satisfactory, please consider raising your score.

Weakness 1 Please provide detailed accuracy results for experiments on ViT and Swin-T in table format.

Response. Sure, here is a case for Swin-T as follows. However, we would like to clarify that Figure 5 and Figure 5 are clearer and show the tradeoff curve significantly compared to the table.

Weakness 2 Does CA-AT also perform well on larger datasets such as ImageNet?

Response. We appreciate your suggestion. However, given the substantial computational resources required for adversarial training on ImageNet and the limitations we face in academic institutions, conducting experiments on ImageNet is not feasible within the rebuttal period. Nevertheless, we have added new results using the Tiny ImageNet dataset, as shown in Table 5 in the appendix, which further demonstrates the superior performance of our proposed method on relatively large-scale datasets. We plan to include results on ImageNet in future work.

Weakness 3. Some other suggestions: (1) Add the legends for Figure 6b and 6c. (2) Conduct experiments on ImageNet. (3)Run multiple-trails and report the error bar.

Response.

(1) Thank you for pointing this out. We will update our draft accordingly and added the legends to Figures 6b and 6c.

(2) We appreciate your suggestion. However, given the substantial computational resources required for adversarial training on ImageNet and the limitations we face in academic institutions, conducting experiments on ImageNet is not feasible within the rebuttal period. Nevertheless, we have added new results using the Tiny ImageNet dataset, as shown in Table 5 in the appendix, which further demonstrate the superior performance of our proposed method on relatively large-scale datasets. We plan to include results on ImageNet in future work.

(3) Thank you for the suggestion. While including error bars is indeed valuable, it is not common practice in adversarial machine learning literature (e.g., [1]). We are currently running additional experiments to include error bars as you suggested; however, due to the short rebuttal period, we have prioritized addressing your valuable feedback in Weakness 2. We will update you with the new numerical results and error bars as soon as they are completed.

[1] Bag of Tricks for Adversarial Training, ICLR, 2021.

Weakness 2. One should conduct an ablation study by using traditional $\lambda$-weighted mean of $g_a$ and $g_c$ when $\phi \leq \gamma$ and only $g_c$ when $\phi > \gamma$, as I suspect that this might be the reason for the performance boost.

Response. Thank you for the constructive suggestion, which led us to further analyze the performance gain of CA-AT and investigate whether it is brought about by the gradient projection or just the threshold. Based on your suggestion, we conducted an ablation study using the traditional $\lambda$-weighted mean of $g_a$ and $g_c$ when $\phi \leq \gamma$ and only $g_c$ when $\phi > \gamma$. We define this ablated version of CA-AT as CA-AT-AV in Algorithm 2 in the appendix. The comparison results shown in Figure 12 for Vanilla AT, CA-AT, and CA-AT-AV demonstrate that the performance boost is indeed due to the gradient projection, confirming the effectiveness of our method in improving the trade-off between standard accuracy and adversarial accuracy.

We truly appreciate the great comments from the reviewer, and here are our responses to the proposed questions. If you find our response satisfactory, please consider raising your score.

Weakness 1. The proposed factor seems a bit bizarre to me. Take Figure 1 as an example. Any $g_a$ that ends in the dotted line with $\arccos(g_a, g_c) > \gamma$ will result in the same $g^*$, which doesn't make sense to me. Imagine $g_a$ equals $g_\circ$ in Figure 1, and one will still get the same $g^*$.

Response. Thank you for expressing your concerns regarding the design of the CA-AT algorithm. Our intention for designing CA-AT is to ensure that the final gradient $g_{*}$ is always aligned to avoid any harmful directional conflicts with the standard gradient $g_{c}$, as standard accuracy is highly prioritized in industrial applications of deep learning.

It is true that any $g_{a}$ satisfying $arccos(g_{a}, g_{c}) > \gamma$ will be projected onto the cone around the standard gradient $g_{c}$ to obtain $g_*$. (please check Lines 75–75). This projection is calculated in Equation 4. Besides, the $g_*$ are not the 'same'. Imagine in 3-dimensional or high-dimensional space, assuming we have a set of $g_{a}$ that any item satisfies $\arccos(g_a, g_c) > \gamma$, we will project all of them onto the cone of $g_{c}$ and get a new set of $g_{*}$ according to CA-AT. Please note that Figure 1 illustrates this concept in 2-dimensional space for simplicity, which does not fully capture the nuances present in higher-dimensional spaces. We hope this clarification addresses your concern.

We hope this explanation addresses your concern. If not, could you please elaborate on why you believe that any $g_a$ ending on the dotted line with $\arccos(g_a, g_c) > \gamma$ would result in the same $g_*$, and why this does not make sense to you?

I appreciate the authors’ clarification. My primary concern remains with the cone projection operation, which seems more like an engineering solution than a fundamental approach to me. Other reviewers have also raised concerns regarding the novelty of the method. However, the performance of the proposed method is quite strong as reported, which is further demonstrated by the ablation study provided during the rebuttal. Therefore, I would like to increase my score to 6.

Question 1. In line 268, a reference is missing.

Response. Thank you for catching this typo. We have corrected it our draft.

Question 2. The authors argue that the weighted-average method does not provide the best tradeoff for the standard performance and adversarial robustness, but in my mind, CA-AT also doesn't, like Vanilla AT can also beat CA-AT in your FAB experiments.

Thank you for pointing this out. We believe your concern arises from the FAB results for ResNet18 in Table 1 (please correct us if you are referring to other results in our draft). It is true that Vanilla AT can outperform CA-AT in defending against FAB attacks when the L-infinity bound is larger than $8/255$.

However, CA-AT outperforms Vanilla AT against many other attacks, which are much stronger than FAB. (e.g. Vanilla AT performs 0.809 on FAB while only 0.3996 on AutoPGD). Additionally, when we use ResNet34 instead of ResNet18, CA-AT achieves better performance against FAB attacks across different L-infinity bounds.

Question 3. What leads to the large fluctuation during epoch 60-90 in the middle image in Fig.3(a)?

Response: Thank you for pointing out this interesting observation. We believe you are referring to the fluctuation of the red line (Ours, $\gamma=0.9$) between epochs 60–90. This can be attributed to the learning rate schedule. During these epochs, the one-cycle learning rate schedule we used (please see Lines 371–374) involves a high learning rate, which can result in increased instability and thus larger fluctuations for the gradient conflict $\mu$. In addition, a similar fluctuation occurs in the blue line (Vanilla AT, $\lambda=0.5$) during epochs 60–90 in the right subfigure of Fig. 3(a). Our conclusion is that choosing an appropriate learning rate is important to reduce the gradient conflict $\mu$ for both Vanilla AT and CA-AT, which can be explored further in future work. We have added a related discussion of this phenomenon in Section 3.2.

Question 4. Is the initial learning rate 0.4 the normal setting? As I remember the decayed learning rate schedule is more common.

Response. You are correct that a decayed learning rate schedule is a common practice in adversarial training. In our experiments, we used an initial learning rate of 0.4 combined with the one-cycle learning rate policy (Lines 370-377). This approach has been shown to converge faster [8]. To further address your concern, we also conducted an ablation study for different initial learning rates ($lr=0.1,0.2,0.3$). Please check the results in Figure 13 in the Appendix.

[1] Understanding and Improving Fast Adversarial Training, NeurIPS 2020

[2] Quantifying the preferential direction of the model gradient in adversarial training with projected gradient descent, Pattern Recognition 2023

[3] Explaining and Harnessing Adversarial Examples, ICLR 2015

[4] Towards Deep Learning Models Resistant to Adversarial Attacks, ICLR 2018

[5] Theoretically principled trade-off between robustness and accuracy, ICML 2019

[6] Once-for-all adversarial training: In-situ tradeoff between robustness and accuracy for free, NeurIPS 2020

[7] Trade-off between robustness and accuracy of vision transformers, CVPR 2023

[8] Improving Adversarial Robustness Requires Revisiting Misclassified Examples, ICLR 2020

We truly appreciate the great comments from the reviewer, and here are our responses to the proposed questions. If you find our response satisfactory, please consider raising your score.

Weakness 1. The proposed CA-AT aims to manipulate the gradient of the clean examples and the adversarial example, the idea is not novel, either for input gradient alignment [1] or model gradient alignment [2].

Response: Thank you for pointing this out and for bringing these related papers to our attention. We acknowledge the relevance of input gradient alignment [1] and model gradient alignment [2], and we would like to clarify how our proposed CA-AT fundamentally differs from these two works.

Input gradient alignment [1] addresses catastrophic overfitting, where a model rapidly loses adversarial robustness within a single training epoch when trained with FGSM. Their method alleviates this problem by improving the quality of FGSM-generated adversarial examples through a regularization term, $(1 - \cos (\nabla_x L(x, y), \nabla_x L(x + \delta, y)))$ to align the gradients within the perturbation set explicitly. In contrast, [2] focuses on enhancing the alignment of model gradients by defining a "preferential direction" toward the nearest incorrect class boundary using GANs, aiming to improve how well the model's gradient direction matches an ideal defensive direction against adversarial changes.

While both works contribute valuable insights to adversarial training, the problems they addressed are different from the gradient conflict issue that we defined and observed (Lines 49–79), where the directions of the standard gradient and adversarial gradient may contradict each other during adversarial training. Additionally, neither [1] nor [2] proposes methods to directly manipulate the model's gradients as we did in CA-AT.

We understand that the similar terminology might have caused confusion. To clarify, we will cite and discuss these two papers in the related works section.

Dear Reviewer bDvp,

Thank you again for dedicating your time and effort to review our paper!

With just under two days remaining for the discussion, we would love to know if we have adequately addressed your concerns and whether this has influenced your score. We have put a lot of effort into updating our work and would value your feedback. We are also happy to conduct any further discussion. Thank you!