Adversarial training with distribution normalization and margin balance

Adversarial training is the most effective method to improve adversarial robustness. However, it does not explicitly regularize the feature space during training. Adversarial attacks usually move a sample it-eratively along the direction which causes the steepest ascent of classification loss by crossing decision boundary. To alleviate this problem, we propose to regularize the distributions of different classes to increase the difficulty of finding an attacking direction. Specifically, we propose two strategies named Distribution Normalization (DN) and Margin Balance (MB) for adversarial training. The purpose of DN is to normalize the features of each class to have identical variance in every direction, in order to elimi-nate easy-to-attack intra-class directions. The purpose of MB is to balance the margins between different classes, making it harder to find confusing class directions (i.e., those with smaller margins) to attack. When integrated with adversarial training, our method can significantly improve adversarial robustness. Extensive experiments under white-box, black-box, and adaptive attacks demonstrate the effectiveness of our method over other state-of-the-art methods.(c) 2022 Elsevier Ltd. All rights reserved.