DAT: Improving Adversarial Robustness via Generative Amplitude Mix-up in Frequency Domain

Thank you for your thoughtful review. We have provided our detailed responses below.

W1: Complexity

R1: Our DAT comprises only 2 modules: the trained model and the adversarial amplitude generator (AAG). Due to the AAG's simple four-layer linear architecture, DAT's time consumption remains comparable to existing methods. Foremost, as shown in Table C.1, DAT significantly enhances model robustness against various adversarial attacks.

Table C.1: Time Consumption and Memory Cost on CIFAR-10 with ResNet-18

W2: Unclear Descriptions and Missing Details

R2: Please see the answers below.

Q1: Impact of Adversarial Perturbation on Amplitude and Phase

A1: In Figure 1, the phase (3rd column) and amplitude (5th column) spectra are affected by adversarial perturbation. Moreover, the phase patterns (2nd column), particularly within the red rectangular, are damaged, while the amplitude patterns (4th column) are rarely affected. Since models rely on patterns, especially semantics in phase patterns [i], to make predictions, AE with damaged phase patterns hinder accurate prediction. Further results can be found in Figures 1-4 of the attached PDF within the global Author Rebuttal.

[i] Yin et al. A Fourier perspective on model robustness in computer vision. NeurIPS 2019.

Q2: Learned Features and Theoretical Analysis

A2:

• Learned Features: Indeed, we assume $h$ can extract features amplitude and phase patterns, respectively, since it is a widely accepted assumption within feature learning theory [j, k, l]. In practice, $h$ can extract phase patterns (semantics) and amplitude patterns (color and style) respectively [i, l], which can be readily achieved using general networks in conjunction with the discrete Fourier transform, eliminating the need for specifically defined networks. Such decoupling methods are commonly adopted. For instance, [i] represents Fourier information as amplitude and phase patterns, while [m] has demonstrated that CNNs (e.g., ResNet-50) can inherently capture these amplitude and phase patterns without meticulously designed components.

• Sketch of Theoretical Analysis: Given that DAT utilizes AAG to generate adversarial amplitude, which is then combined with the benign image's phase to augment data, it naturally follows that during AT, amplitude differences between augmented and original datasets are more pronounced than phase differences (Assumption 3.1). As a result, to achieve convergence during empirical risk minimization, the model regularizes the weights corresponding to amplitude features (Theorem 3.2), thereby reducing their influence on predicted labels (Corollary 3.3), and consequently shifting the focus towards phase features. We hope this explanation addresses your questions.

[j] Ilyas et al. Adversarial examples are not bugs, they are features. NeurIPS 2019.

[k] He et al. Data augmentation revisited: Rethinking the distribution gap between clean and augmented data. arXiv 2019.

[l] Xu et al. A Fourier-based framework for domain generalization. CVPR 2021.

[m] Chen et al. Amplitude-phase recombination: Rethinking robustness of convolutional neural networks in frequency domain. ICCV 2021.

Q3: More Explanation on Time and Memory Costs

A3: For clearer comparison, we separately analyze the time consumption for AE generation and model optimization (updating the model's parameters), and present the memory costs in Table C.1. As shown, the majority of time consumption in DAT is attributed to AE generation. Thanks to our efficient AE generation strategy, DAT exhibits comparable time consumption to baselines. Additionally, the AAG, a four-layer linear model, demands little training time. Since both benign and recombined samples, along with their AEs, are used in model optimization, DAT takes roughly twice the time for optimization compared to baselines, e.g., PGD-AT and TRADES.

Q4: Mix-up Operation Design

A4:

• Linear Mix-up: The linear mix-up operation is designed to preserve the energy of the amplitude spectrum and maintain the original amplitude information, since linear mix-up is a simple and effective method for augmenting data with less impact on the sample's original information [n, o]. Otherwise, the original amplitude could be compromised, thereby hindering accurate model predictions.

• $\lambda$ Distribution: To investigate the influence of $\lambda$, we conduct experiments on CIFAR-10 using ResNet-18 with $\lambda$ sampled from $\mathrm{Uniform}(0,1)$, $\mathrm{Beta}(1,1)$, and $\mathcal{N}(0,1)$. Given that $\mathcal{N}(0,1)$ can yield negative values, we transform $\lambda$ into $\mathrm{sigmoid}(\lambda)$. Table C.2 suggests that the distribution type of $\lambda$ has little impact on the model's robust and natural performance.

Table C.2: DAT with Different $\lambda$ Distributions

[n] Yun et al. Cutmix: Regularization strategy to train strong classifiers with localizable features. CVPR 2019.

[o] Berthelot et al. Mixmatch: A holistic approach to semi-supervised learning. NeurIPS 2019.

Discussion of Limitations

R3: Due to robust overfitting, DAT without AWP needs to be trained for a limited number of epochs, which restricts its performance. Moreover, while DAT primarily focuses on defending against adversarial attacks, other forms of image corruption (e.g., Gaussian noise and defocus blur) can also affect the model's performance. DAT requires further development to strengthen its protection against a broader spectrum of image corruptions. A comprehensive discussion will be included in the final version of the paper.

Dear Reviewer，

We greatly appreciate your responses and score improvements. Also, the final version of the paper will be revised based on your comments.

The rebuttal mostly addresses my concerns. Therefore, I decide to increase the score.

Thank you for your review. Please find our responses below.

W1: Natural Accuracy Compared to DAJAT [1]

R1: Our DAT utilizes only 1 augmentation per benign training sample to prioritize speed and simplicity in this paper, while DAJAT applies 2 and 3 data augmentations integrating AWP, SWA, and variable $\epsilon$ and $\alpha$ to achieve the natural performance you mentioned. Moreover, DAT exhibits superior robustness relative to DAJAT, albeit with a trade-off in natural accuracy. To ensure a fair comparison under identical training settings, we employ the adversarial amplitude generator in DAT to produce 3 adversarial amplitudes, resulting in 3 recombined data for each benign sample. Using these 3 recombined data, we extend our DAT to include 2 and 3 augmentations, integrating variable $\epsilon$ and $\alpha$, AWP, and SWA as in DAJAT [1]. Furthermore, to illustrate the trade-off between natural and robust accuracy, we select the checkpoint with the best performance on natural validation data. As illustrated in Table A.1, where DAJAT's performance is selected from [1], with 110 and 200 training epochs, we present a comparison of natural accuracy and robustness (AA) between the two methods on CIFAR-10 and CIFAR-100 with ResNet-18. When evaluated under the same augmentation conditions and experimental settings, our DAT outperforms DAJAT in both robustness and natural accuracy, with a smaller increase in time consumption per training epoch.

Table A.1: Comparison of DAJAT and DAT with the Same Settings

W2: Robust Accuracy Compared to [47]

R2: We infer that you are referring to Rebuffi et al. [47] instead of ST [37]. In our DAT, to achieve a better trade-off between the model's performance and training time consumption, for results of DAT in Table 2, we use only 5 iteration steps for AE generation of both benign and recombined samples, whereas [47] employs 10 iteration steps for AE generation of both benign and augmented samples with SWA. As reflected in Table A.2, when integrated with AWP and SWA, DAT delivers superior natural and robust performance compared to [47] with a 5-step iteration, which uses about half of training time consumption than [47] as shown in Table A.3. Moreover, to facilitate a fair comparison with [47], we conduct experiments on CIFAR-10 using a 10-step iteration for DAT's AE generation. With identical iteration steps, our DAT achieves an approximate 0.32% improvement in robustness over [47]. For DAT with AWP and SAW, extending the iteration step to 10 can enable it to secure approximately 1% improvement in robustness and 2.1% in natural accuracy over [47], thus highlighting a more favorable trade-off between generalization and robustness.

Table A.2: Comparison between [47] and DAT with WRN-34-10

Table A.3: Comparison of Time Consumption per Epoch with WRN-34-10 on CIFAR-10

W3: Complexity

R3:

• For DAJAT [1]: Our proposed DAT involves only 2 hyperparameters, $\beta$, and $\omega$, which need to be explored by experiments. In contrast, DAJAT involves additional complexity beyond the balance parameters $\beta$ and $\omega$; it requires careful scheduling for adjusting adversarial perturbation $\epsilon$, step size $\alpha$, and iteration steps, due to its use of variable $\epsilon$, $\alpha$, and iteration steps in AT. Moreover, the schedules for tuning adversarial perturbation $\epsilon$, step size $\alpha$, and iteration steps need to be adjusted continuously throughout the entire training epoch in DAJAT.

• For [47]: In the case of [47], a combination of data augmentation strategies is employed alongside the traditional TRADES method with 10 steps for AE generation and variable $\alpha$, whereas our proposed DAT requires only 5 steps per sample to generate AE. Consequently, as shown in Table A.3, [47] demands nearly double the training time compared with our DAT when augmentations are applied to benign samples.

Despite its multi-component structure and joint optimization, our method remains simpler than DAJAT and [47] in terms of both hyperparameter tuning and computational complexity.

To provide a clearer understanding of the statements "DAJAT [1] applies 2 and 3 data augmentations" and "we extend our DAT to include 2 and 3 augmentations", we offer a detailed explanation using a benign sample $(\mathbf{x},y)\in\mathcal{D}$ as an example.

For adversarial training with model $f$ using DAJAT [1], augmented data is generated as follows:

• 2 augmentations (#Aug. 2):

  • Generate augmented data via AutoAugment:

    $\mathbf{x}_1$=$\mathrm{AutoAugment}(\mathbf{x}), \quad \mathbf{x}_2$=$\mathrm{AutoAugment}(\mathbf{x})$.

  • Generate adversarial examples for $\mathbf{x}$, $\mathbf{x}_1$, and $\mathbf{x}_2$ as $\mathbf{x}^{\prime}$, $\mathbf{x}_1^{\prime}$, and $\mathbf{x}_2^{\prime}$, respectively.

  DAJAT then uses $\mathbf{x}$, $\mathbf{x}_1$, $\mathbf{x}_2$, $\mathbf{x}^{\prime}$, $\mathbf{x}_1^{\prime}$, and $\mathbf{x}_2^{\prime}$ for training.

• Similarly, DAJAT with 3 augmentations (#Aug. 3) follows the same procedure.

For our DAT with IDFT $\mathcal{F}^{-1}(\cdot)$, model $f$, and adversarial amplitude generator $G$, recombined data (which can be regarded as augmented data) is generated as follows:

• 2 recombined data (#Aug. 2):

  • Generate adversarial amplitude:

    $\mathcal{A_1}(\mathbf{x})=G (f(\mathbf{x}), \mathbf{z}_1), \quad \mathrm{where}\ \mathbf{z}_1 \sim \mathcal{N}(0,1)$,

    $\mathcal{A_2}(\mathbf{x})=G (f(\mathbf{x}), \mathbf{z}_2), \quad \mathrm{where}\ \mathbf{z}_2 \sim \mathcal{N}(0,1)$.

  • Obtain recombined data:

    $\hat{\mathbf{x}}_1=\mathcal{F}^{-1}(\lambda_1 \cdot \mathcal{A_1}(\mathbf{x})+(1-\lambda_1)\cdot \mathcal{A}(\mathbf{x}),\mathcal{P}(\mathbf{x})), \quad \mathrm{where}\ \lambda_1\sim \mathrm{Uniform}(0,1)$,

    $\hat{\mathbf{x}}_2=\mathcal{F}^{-1}(\lambda_2 \cdot {\mathcal{A_2}}(\mathbf{x})+(1-\lambda_2)\cdot \mathcal{A}(\mathbf{x}),\mathcal{P}(\mathbf{x})), \quad \mathrm{where}\ \lambda_2\sim \mathrm{Uniform}(0,1)$.

  • Generate adversarial examples with the same settings as DAJAT for $\mathbf{x}$, $\hat{\mathbf{x}}_1$, and $\hat{\mathbf{x}}_2$ as $\mathbf{x}^{\prime}$, $\hat{\mathbf{x}}_1^{\prime}$, and $\hat{\mathbf{x}}_2^{\prime}$, respectively.

  Our DAT then uses $\mathbf{x}$, $\mathbf{x}_1$, $\mathbf{x}_2$, $\mathbf{x}^{\prime}$, $\mathbf{x}_1^{\prime}$, and $\mathbf{x}_2^{\prime}$ for training, following the settings of DAJAT.

• Similarly, DAT with 3 recombined data (#Aug. 3) follows the same strategy.

We hope this explanation provides greater clarity on the augmentations used in our approach. If there are any further questions or points that require clarification, we would be most grateful for your feedback. If our rebuttal has satisfactorily addressed your concerns, we humbly request that you consider reflecting this positively in your rating score.

Thank you once again for your time, thoughtful consideration, and continued support.

Dear Reviewer,

Thank you very much for your prompt response and for your continued engagement with our submission. We appreciate the opportunity to clarify our approach, and below we provide detailed responses to the two points you raised.

"DAJAT applies 2 and 3 data augmentations"

Regarding your question on DAJAT [1], the natural accuracy that you referenced is achieved by generating 2 or 3 augmented data samples for each benign sample using the AutoAugment strategy. These benign and augmented samples, along with their corresponding adversarial examples, are then utilized in the training process.

"we extend our DAT to include 2 and 3 augmentations"

In our Dual Adversarial Training (DAT) approach, the recombined data with mixed amplitude spectra serve as augmented samples for each benign sample. To ensure a fair comparison with DAJAT [1], we employ the adversarial amplitude generator to produce 3 distinct adversarial amplitude spectra. These spectra are subsequently mixed with the amplitude spectrum of the benign sample. By combining the phase spectrum of the benign sample with each of these mixed amplitude spectra, we generate 3 recombined data samples. These are considered as 3 augmentations of the original benign sample. For a more detailed explanation of the augmentation process, including formulas, please refer to the subsequent comment titled (Continued) Re: Type of augmentations.

Using these recombined data, we conduct the experiments detailed in Table A.1, providing a comparison with DAJAT using 2 and 3 augmentations. Our results indicate that our DAT method offers a superior accuracy-robustness trade-off under identical experimental conditions.

We hope this explanation clarifies your concerns. We greatly appreciate your valuable feedback and look forward to any further questions or comments you may have.

Dear Reviewer,

We are truly grateful for your prompt response and for adjusting your rating. Your thoughtful feedback has been invaluable in refining our work, and we sincerely appreciate the time and effort you have dedicated to our submission. We will incorporate your suggested experiments and further clarifications in the final version.

Thank you once again for your support.

Thank you for your thorough and detailed reviews. Please find our responses below.

W1: Additional Experiments against Feature Space Attacks

R1: In Table B.1 (more results in Tables 1-4 of attached PDF), we present results assessing the defense capability against feature space attacks [a, b]. We select StyLess+MTDI (SMTDI) and StyLess+MTDSI (SMTDSI) from [a], along with DTMI-CE-SU (DCS) and DTMI-Logit-SU (DLS) target to class 1 from [b], and perform experiments on ImageNette as in [c]. We adopt surrogate ResNet-50 $\rightarrow$ targets [DenseNet-121, ViT-S] and surrogate DenseNet-121 $\rightarrow$ targets [ResNet-50, ViT-S] execute black-box transfer attacks. AT on DenseNet-121 and ResNet-50 follow the same settings as Tiny-ImageNet in the paper, while ViT-S is trained adversarially as in [c]. For the challenging SMTDSI attack, compared to the previous SOTA ST, our proposed DAT an average robustness improvement of approximately 4.9% across all four scenarios. Moreover, since DAT performs AT in pixel space, its performance against feature space attacks is currently less satisfactory[d], which we plan to improve in the future.

Table B.1: Model's Performance against $\ell_{\infty}$ Threat with $\epsilon=\frac{16}{255}$ of Feature Space Attacks

[a] Liang and Xiao. StyLess: boosting the transferability of adversarial examples. CVPR 2023.

[b] Wei et al. Enhancing the self-universality for transferable targeted attacks. CVPR 2023.

[c] Mo et al. When adversarial training meets vision transformers: Recipes from training to architecture. NeurIPS 2022.

[d] Xu et al. Towards feature space adversarial attack by style perturbation. AAAI 2021.

W2: Additional Experiments with More Backbones

R2: In Table B.2, we provide results on CIFAR-10 with Inception_v3, DenseNet-121, and ViT-S. The settings for Inception_v3, and DenseNet-121 remain consistent with those mentioned in the paper, while ViT-S follows [c]. Compared to the previous SOTA ST, DAT achieves robustness improvements of 0.63%, 0.90%, and 0.61% against AA across various backbones, demonstrating its versatility and effectiveness on a range of deep models.

Table B.2: Experimental Results with More Backbones against $\ell_{\infty}$ Threat with $\epsilon=\frac{8}{255}$

W3: Additional Experiments on ImageNet

R3: In Table B.3, we show results on ImageNet-1K, which adopt settings and baselines' results from [h]. It is worth noting that existing AT methods with multiple iteration steps for AE generation do not provide results on ImageNet-1K, since AT with a 10-step AE generation on ImageNet-1K needs approximately one week. Due to single iterative step AE generation using less time, some fast AT methods based on FGSM [e, f, g, h] typically perform experiments on ImageNet-1K. Consequently, considering the time limitation of rebuttal, to satisfy your suggestion of providing results on ImageNet-1K, we combine DAT with several fast AT methods [e, f, g, h] and compare its performance with these methods. For the previous SOTA FGSM-PGK, DAT combined with FGSM-PGI obtains robustness improvements of 2.1% and 1.4% against PGD-10 and PGD-50, respectively.

Table B.3: Experimental Results on ImageNet-1K with ResNet-50 against $\ell_{\infty}$ Threat with $\epsilon=\frac{4}{255}$

[e] Shafahi et al. Adversarial training for free!. NeurIPS 2019.

[f] Wong et al. Fast is better than free: Revisiting adversarial training. ICLR 2020.

[g] Jia et al. Prior-guided adversarial initialization for fast adversarial training. ECCV 2022.

[h] Jia et al. Improving fast adversarial training with prior-guided knowledge. TPAMI 2024.

Q1: Results against Feature Space Attacks

A1: Please refer to Table B.1 in R1 and Tables 1-4 in the attached PDF.

Q2: Results on Other Models and Datasets

A2: For results on additional backbones, please see Table B.2 in R2. For experiments on ImageNet-1K, kindly refer to Table B.3 in R3.

Dear Reviewer,

We hope you are doing well. We sincerely appreciate the detailed feedback and the time you have devoted to reviewing our submission.

In our recent rebuttal, we carefully address your concerns and provide detailed responses:

• Additional Experiments on Feature Space Attacks: We conduct experiments on several feature space attacks, specifically including methods like SMTDI/SMTDSI [a] and DCS/DLS [b] as you suggested, to demonstrate the robustness of our approach against more challenging adversarial attacks. These results show that our method performs better than previous SOTA techniques in most scenarios, despite being originally designed for pixel space attacks.

• Incorporating Diverse Backbones: We expand our experiments to include additional backbones such as Inception_v3 and ViT-S, demonstrating that our method generalizes well across different network architectures. The results confirm that our approach maintains its effectiveness and robustness across these diverse models.

• Extensive Experiments on ImageNet-1K: We also provide extensive results on the ImageNet-1K dataset, a critical benchmark in the CV field. Given the time constraints, we combine our method with fast adversarial training techniques like FGSM-PGK and FGSM-PGI, achieving significant improvements in robustness compared to the baseline methods.

These comprehensive experiments are conducted with great care to address your concerns about the scope and applicability of our approach, and to demonstrate its generalization and robustness across different models and datasets.

With the rebuttal discussion period closing tomorrow, Aug 13, 11:59 PM AoE, we would deeply appreciate your input if there are any further questions or points that you feel need clarification. If our rebuttal has satisfactorily addressed your concerns, we humbly request that you consider reflecting this positively in your rating score.

Thank you very much for your continued support and thoughtful consideration.

Best regards,
Submission1111 Authors

Dear Reviewer,

We are truly grateful for your continued time and effort in further discussing our submission. Below is our detailed response to the two questions you raised.

"For W1. could you please explain why you use a different dataset and a different threat model (a black-box setting) than those of Table 1 in the main paper?"

• Dataset:
  The training dataset used in [a] and [b] is ImageNet-1k. We understand your concern and would like to clarify that existing adversarial training methods with multiple iteration steps for AE generation do not report results on ImageNet-1K, since AT with a 10-step AE generation on ImageNet-1K requires approximately one week. Additionally, these feature space attacks need to be performed on real-world dataset, e.g. ImageNet. Given these considerations, we choose ImageNette, a widely used subset of ImageNet-1K in adversarial training [c], for the experiments in W1.

• Backbones:
  In [a] and [b], multiple backbones are adopted, including ResNet-50 and DenseNet-121. To better demonstrate the robust generalization of our method against feature space attacks, we select ViT-S, which you mentioned in W2, for experiments in W1. It is important to note that baselines in W1 do not provide experimental results and settings with so many backbones, meaning we need significant time to explore these methods' settings across different backbones. Furthermore, given the rebuttal's 6000 characters limit, it is challenging to present results for so many backbones. Consequently, to balance these factors and provide a clear comparison, combining the considerations of both W1 and W2, we select ResNet-50, DenseNet-121, and ViT-S for W1.

"For W3, could you please explain why you use different attacks than those of Table 1 (FGSM, PGD-20, PGD-100, C&W, and AA) in the main paper?"

The adversarial attacks we evaluate in W3 follow [h]. To ensure a fair and consistent comparison on ImageNet-1K, we use these specific adversarial attacks to provide the results in W3.

We sincerely hope these clarifications address your concerns. If there are any further questions or if you require additional explanations, we are more than happy to provide them. We also hope that if our responses sufficiently address your concerns, you might consider reflecting this positively in your review score.