Zhenghan Gao, Chengming Liu, Yucheng Shi, Xin Guo, Jing Xu, Hong Zhang, Lei Shi
Title: FTA2C: Achieving superior trade-off between accuracy and robustness in adversarial training
Journal: Neural Networks, volume 194, Article 108176 (Journal Article)
DOI: 10.1016/j.neunet.2025.108176
Publication date: 2025-10-03
URL: https://www.sciencedirect.com/science/article/pii/S0893608025010561
Impact factor: 6.3 (JCR Q1, Computer Science, Artificial Intelligence)
Citations: 0
Abstract
Deep neural networks are notoriously vulnerable to adversarial perturbations, largely due to the presence of non-robust features that destabilize model performance. Traditional Adversarial Training (AT) methods on feature space typically operate on one part of features individually, resulting in the loss of useful information in them, and improve robustness at the expense of accuracy, making it difficult to optimize the inherent trade-off between the two. To address this challenge, we propose a novel plug-in method termed Feature Transformation Alignment and Compression (FTA2C). FTA2C comprises three key components. First, a compression network constrains the perturbation space to reduce the vulnerability of non-robust features. Second, a feature transformation network enhances the expressiveness of robust features. Third, an alignment mechanism enforces consistency between adversarial and natural samples in the robust feature space. The above mechanism achieves co-processing of the two parts of the feature. Additionally, we propose the Defense Efficiency Metric (DEM) to evaluate defense methods. DEM quantifies the trade-off between maintaining natural accuracy and enhancing adversarial robustness, offering a unified and interpretable standard for comparing defense strategies. Extensive experiments conducted on four benchmark datasets demonstrate that FTA2C significantly improves robustness at a high level of accuracy, resulting in superior trade-off performance. Our code is available at https://github.com/HymanGao31/FTA2C.
About the journal:
Neural Networks is a platform that aims to foster an international community of scholars and practitioners interested in neural networks, deep learning, and other approaches to artificial intelligence and machine learning. Our journal invites submissions covering various aspects of neural networks research, from computational neuroscience and cognitive modeling to mathematical analyses and engineering applications. By providing a forum for interdisciplinary discussions between biology and technology, we aim to encourage the development of biologically-inspired artificial intelligence.