Adversarial training has been drawing increasing attention as an effective way to defend deep neural networks against adversarial attacks. However, the accuracy and robustness that adversarial training achieves are limited by the architecture, because adversarial training improves accuracy and robustness by adjusting the connection weights of that architecture. In this work, we propose ARNAS to search for accurate and robust architectures for adversarial training. First, we design an accurate and robust search space, in which the placement of the cells and the proportional relationship of the filter numbers are carefully determined. With this design, architectures can obtain both accuracy and robustness by deploying accurate structures and robust structures at their respective sensitive positions. Then we propose a differentiable multi-objective search strategy that performs gradient descent in directions that benefit both the natural loss and the adversarial loss, so that accuracy and robustness can be guaranteed at the same time. We conduct comprehensive experiments covering white-box attacks, black-box attacks, and transferability. Experimental results show that the searched architecture has the strongest robustness with competitive accuracy, and breaks with the traditional idea that NAS-based architectures cannot transfer well to complex tasks in robustness scenarios. By analyzing the outstanding architectures found by the search, we also conclude that accurate and robust neural architectures tend to deploy different structures near the input and output, which has great practical significance for both hand-crafting and automatically designing accurate and robust architectures.
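The abstract does not give the update rule behind "directions that are beneficial for both natural loss and adversarial loss". The added example below is not the paper's code: it assumes the standard two-gradient min-norm combination and uses constructed quadratic losses as stand-ins for the natural and adversarial loss, to show how one step direction can lower both objectives where a summed gradient does not.

```python
# Added illustration, not the paper's code. The two quadratic losses are
# constructed stand-ins for the natural and adversarial loss over two
# architecture parameters a = [a0, a1].

def loss_nat(a): return (a[0] - 1) ** 2 + (a[1] + 2) ** 2
def loss_adv(a): return 3 * (a[0] + 1) ** 2 + (a[1] - 1) ** 2
def grad_nat(a): return [2 * (a[0] - 1), 2 * (a[1] + 2)]
def grad_adv(a): return [6 * (a[0] + 1), 2 * (a[1] - 1)]

def dot(u, v):
    return sum(x * y for x, y in zip(u, v))

def common_direction(g1, g2):
    """Min-norm point d = w*g1 + (1-w)*g2 of the segment between g1 and g2.

    It satisfies d.g1 >= |d|^2 and d.g2 >= |d|^2, so a small step along -d
    lowers both losses; d == 0 means no such direction exists (Pareto
    stationary point).
    """
    diff = [x - y for x, y in zip(g1, g2)]
    denom = dot(diff, diff)
    if denom == 0.0:                      # identical gradients
        return list(g1), 0.5
    w = -dot(diff, g2) / denom            # unconstrained minimiser
    w = min(1.0, max(0.0, w))             # clip to the segment
    return [w * x + (1 - w) * y for x, y in zip(g1, g2)], w

def step(a, d, lr):
    return [x - lr * y for x, y in zip(a, d)]

def search(a, lr=0.05, iters=50):
    """Follow the common direction; return the loss pairs along the path."""
    history = [(loss_nat(a), loss_adv(a))]
    for _ in range(iters):
        d, _w = common_direction(grad_nat(a), grad_adv(a))
        if dot(d, d) < 1e-12:
            break
        a = step(a, d, lr)
        history.append((loss_nat(a), loss_adv(a)))
    return a, history

if __name__ == "__main__":
    a0 = [0.0, 0.0]                       # gradients conflict here
    summed = [x + y for x, y in zip(grad_nat(a0), grad_adv(a0))]
    print("summed-gradient step, natural loss:", loss_nat(step(a0, summed, 0.05)))
    final, hist = search(a0)
    print("common-direction path:", hist[0], "->", hist[-1])
```

At the starting point the two gradients have a negative inner product, so the summed-gradient step raises the natural loss while the min-norm direction lowers both.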