While convolutional neural networks (CNNs) have achieved excellent performance in various computer vision tasks, they often misclassify maliciously crafted samples, a.k.a. adversarial examples. Adversarial training is a popular and straightforward technique to defend against the threat of adversarial examples. Unfortunately, when adversarial training is used, CNNs must sacrifice accuracy on standard (clean) samples to improve robustness against adversarial examples. In this work, we propose Masking and Mixing Adversarial Training (M2AT) to mitigate the trade-off between accuracy and robustness. We focus on creating diverse adversarial examples during training. Specifically, our approach consists of two processes: 1) masking a perturbation with a binary mask and 2) mixing two partially perturbed images. Experimental results on the CIFAR-10 dataset demonstrate that our method achieves better robustness against several adversarial attacks than previous methods.
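As an added example (not the paper's own code), the two sample-construction steps the abstract names, masking an attack perturbation with a binary mask and then mixing two partially perturbed images, written in NumPy. The per-pixel Bernoulli mask, the mixup-style convex combination, the 8/255 budget and the sign-noise stand-in for the attack perturbation are assumptions, since the abstract does not specify them.

```python
"""M2AT-style training-sample construction: mask a perturbation with a
binary mask, then mix two partially perturbed images.  Example written for
this page, not the authors' code; the mask scheme, mixing rule, budget and
the stand-in perturbation are all assumptions."""
import numpy as np

EPS = 8 / 255  # L-inf budget (assumed; a common CIFAR-10 setting)


def random_binary_mask(shape, density, rng):
    """Per-pixel Bernoulli(density) mask shared across channels (assumed)."""
    h, w = shape[-2], shape[-1]
    m = (rng.random((h, w)) < density).astype(np.float32)
    return np.broadcast_to(m, shape).copy()


def mask_perturbation(x, delta, mask):
    """Process 1: keep the perturbation only where mask == 1, stay in [0, 1]."""
    return np.clip(x + mask * delta, 0.0, 1.0)


def mix_images(x_a, x_b, lam):
    """Process 2: convex combination of two partially perturbed images (assumed)."""
    return lam * x_a + (1.0 - lam) * x_b


def m2at_sample(x_a, delta_a, x_b, delta_b, rng, density=0.5, lam=None):
    """Build one mixed sample from two (image, perturbation) pairs."""
    xa_part = mask_perturbation(x_a, delta_a, random_binary_mask(x_a.shape, density, rng))
    xb_part = mask_perturbation(x_b, delta_b, random_binary_mask(x_b.shape, density, rng))
    if lam is None:
        lam = float(rng.beta(1.0, 1.0))  # mixing coefficient (assumed distribution)
    return mix_images(xa_part, xb_part, lam), lam


def make_demo_inputs(seed=0):
    """Constructed CIFAR-sized inputs; sign noise stands in for an attack's
    (e.g. PGD) perturbation, which a real pipeline would compute per batch."""
    rng = np.random.default_rng(seed)
    x_a = rng.random((3, 32, 32), dtype=np.float32)
    x_b = rng.random((3, 32, 32), dtype=np.float32)
    d_a = (EPS * rng.choice([-1.0, 1.0], size=x_a.shape)).astype(np.float32)
    d_b = (EPS * rng.choice([-1.0, 1.0], size=x_b.shape)).astype(np.float32)
    return x_a, d_a, x_b, d_b, rng


if __name__ == "__main__":
    x_a, d_a, x_b, d_b, rng = make_demo_inputs(0)
    mixed, lam = m2at_sample(x_a, d_a, x_b, d_b, rng)
    print(mixed.shape, round(lam, 3), float(abs(mixed - x_a).max()))
```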